# Fail2Ban - best jail

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) can also be configured. Out of the box Fail2Ban comes with filters for various services (apache, nginx, courier, ssh, etc.).

## Installation

Debian, Ubuntu:

RHEL, CentOS, Fedora:

## Configuration

Fail2ban reads the .conf configuration files first, then applies the .local files, which override any settings. All changes to the configuration are generally made in .local files.

### Global configuration file

Optional parameters to change:

• loglevel - the level of detail that Fail2ban's logs provide; can be set to 1 (error), 2 (warn), 3 (info), or 4 (debug).
• logtarget - where actions are logged. The default value of /var/log/fail2ban.log puts all logging into that file. Alternatively, you can change the value to:
  • STDOUT: output any data
  • STDERR: output any errors
  • SYSLOG: message-based logging
  • FILE: output to a file
• socket - the location of the socket file.
• pidfile - the location of the PID file.

### Jail configuration

Main parameters to change:

• ignoreip = 127.0.0.1 - the ignoreip setting allows you to whitelist certain IP addresses so they are never blocked. Specify the addresses as a space-separated list, and make sure you include your own address.
• bantime = 600 - the number of seconds that a host is banned from the server. The default is 600 (600 seconds = 10 minutes).
• findtime = 600 - the window in which failed login attempts are counted. The default is 10 minutes: if a host attempts, and fails, to log in more than maxretry times within that window, it is banned.
• maxretry = 3 - the number of failed login attempts before a host is blocked for the length of the ban time.
• To receive email when Fail2ban is triggered, adjust the email settings:
  • destemail - the email address where you would like to receive the emails.
  • sendername - the name under which the email shows up.
  • sender - the email address from which Fail2ban will send emails.

Beyond the basic settings addressed above, jail.local also contains jail configurations for a number of common services, including SSH. By default, only the SSH jail is enabled.

• enabled - turns the jail on/off.
• port - the port Fail2ban should reference for the service. If the service uses its default port, the service name can be placed here. If it uses a non-standard port, this should be the port number. For example, if you moved your SSH port to 2345, you would replace ssh with 2345.
• filter - the name of the file in /etc/fail2ban/filter.d that contains the failregex used to parse the log files. The .conf suffix need not be included.
• logpath - the location of the log file(s) to scan.
• maxretry - this option overrides the global maxretry for the defined service. findtime and bantime can also be overridden here.
• action - this can be added as an additional setting if the default action is not suitable for the jail. Available actions can be found in the action.d folder.

## Failregexes

You may want to further customize these filters or create your own to suit your needs. Fail2ban uses regular expressions (regex) to parse log files, looking for instances of attempted break-ins and password failures. Fail2ban uses Python's regex extensions.

Navigate to your website’s access.log (e.g. for Nginx at /var/log/nginx/access.log)

Find a failed login attempt (this example comes from a WordPress site):

You will only need to match the line up to the 200 status code.

So this line

in regex will look like:

Go to filter.d directory:

Create a file called wordpress.conf, and add your failregex:

Add a WordPress section to jail.local:

Restart service:
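The matching that the WordPress filter above performs, as an added Python example (not code from the original page or from Fail2ban itself): the assumed failregex matches POST requests to wp-login.php that get a 200 response (WordPress re-renders the login form on failure, while a successful login redirects), `<HOST>` is replaced with a simplified IPv4 capture group, and the per-host counts are compared against maxretry and ignoreip. The log lines are constructed sample data.

```python
import re

# Constructed sample Nginx access-log lines (not from the original page).
# Three failed POSTs from 203.0.113.5, one successful login (302) and one
# plain GET of the form from 198.51.100.7.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Assumed failregex, written the way it would appear in filter.d/wordpress.conf.
FAILREGEX = r'^<HOST> .* "POST /wp-login\.php HTTP/.*" 200'

# Simplified stand-in for Fail2ban's <HOST> placeholder (IPv4 only here).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'


def compile_failregex(failregex):
    """Turn a Fail2ban-style failregex into a Python regex object."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def count_failures(log_text, failregex):
    """Count matching (failed-login) lines per host, like a jail's filter does."""
    pattern = compile_failregex(failregex)
    counts = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group('host')] = counts.get(m.group('host'), 0) + 1
    return counts


def hosts_to_ban(counts, maxretry=3, ignoreip=('127.0.0.1',)):
    """Hosts at or above maxretry that are not whitelisted by ignoreip."""
    return sorted(h for h, n in counts.items() if n >= maxretry and h not in ignoreip)


if __name__ == '__main__':
    counts = count_failures(SAMPLE_LOG, FAILREGEX)
    print(counts, hosts_to_ban(counts))
```

The real daemon additionally only counts failures that fall within findtime; this example treats the whole sample as one window.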

## Manage

Show current configuration:

Show current bans:

The version in some Linux distribution repositories is a little old compared to the latest release.

This will install Fail2Ban into the Python library directory. The executable scripts are placed into /usr/bin, and the configuration in /etc/fail2ban.
to see if everything is alright. You should always use fail2ban-client and never call fail2ban-server directly. You can verify that you have the correct version installed with
Please note that the system init/service script is not automatically installed. To enable Fail2Ban as an automatic service, simply copy the script for your distro from the files directory to /etc/init.d. Example (on a Debian-based system):