DEV Community

Cover image for Fail2ban Cheat Sheet for Sysadmins
Ramiro Gómez
Ramiro Gómez

Posted on • Originally published at geeksta.net on

Fail2ban Cheat Sheet for Sysadmins

#fail2ban #cheatsheet #sysadmin #security

Fail2ban is a critical tool for safeguarding servers against brute-force attacks by monitoring logs and banning malicious IPs. This cheat sheet provides the most important concepts and commands for managing Fail2ban effectively.

1. Core Concepts

  • Jail : A Fail2ban unit that defines which logs to monitor, filter rules, and actions (e.g., banning an IP). Example: SSH protection with sshd.
  • Filter : A regex-based rule set to identify bad behavior in logs.
  • Action : The response triggered by Fail2ban (e.g., banning an IP using iptables).
  • Ban Time : How long IPs stay banned (seconds).
  • Max Retry : Maximum failed login attempts before banning an IP.

2. Service Management

Start Fail2ban service:

sudo systemctl start fail2ban
Enter fullscreen mode Exit fullscreen mode

Stop Fail2ban service:

sudo systemctl stop fail2ban
Enter fullscreen mode Exit fullscreen mode

Restart Fail2ban service (for major configuration changes):

sudo systemctl restart fail2ban
Enter fullscreen mode Exit fullscreen mode

Reload Fail2ban service (for minor configuration changes):

sudo fail2ban-client reload
Enter fullscreen mode Exit fullscreen mode

Enable Fail2ban at startup:

sudo systemctl enable fail2ban
Enter fullscreen mode Exit fullscreen mode

Check Fail2ban service status:

sudo systemctl status fail2ban
Enter fullscreen mode Exit fullscreen mode

3. Reload vs Restart

Action When to Use Impact
fail2ban-client reload Use for minor configuration changes like adjusting bantime, maxretry, or adding new jails. Reloads the active configuration without disrupting bans. Active jails remain functional.
systemctl restart fail2ban Use for major changes, like adjustments in /etc/fail2ban/fail2ban.conf, or when changing Fail2ban actions. Fully restarts Fail2ban, reinitializing all settings and clearing current ban lists.

Best Practice : Begin with reload. If changes are not applied or functional issues occur, use restart.

4. Key Configuration Files

  • Main Configuration: /etc/fail2ban/fail2ban.conf
  • Jail Configuration: /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local (use jail.local for custom settings to avoid overwrites during updates).
  • Log File: /var/log/fail2ban.log

5. Managing Jails

View active jails:

sudo fail2ban-client status
Enter fullscreen mode Exit fullscreen mode

Get detailed status of a specific jail:

sudo fail2ban-client status <jail_name>
Enter fullscreen mode Exit fullscreen mode

Ban an IP manually in a jail:

sudo fail2ban-client set <jail_name> banip <IP_address>
Enter fullscreen mode Exit fullscreen mode

Unban an IP from a jail:

sudo fail2ban-client set <jail_name> unbanip <IP_address>
Enter fullscreen mode Exit fullscreen mode

Unban all IPs from a specific jail:

sudo fail2ban-client set <jail_name> unban --all
Enter fullscreen mode Exit fullscreen mode

6. Sample Jail Configuration

Customize /etc/fail2ban/jail.local to protect SSH:

[DEFAULT]
# Defaults for all jails
ignoreip = 127.0.0.1/8 192.168.1.0/24 # Whitelist specific IPs or ranges
bantime = 3600 # 1 hour ban duration
findtime = 600 # Time window to detect multiple failed attempts
maxretry = 3 # Max failed attempts before banning
backend = auto # Log backend, usually auto-detected

[sshd]
enabled = true # Enable the SSH jail
port = ssh # Override port if not default
logpath = /var/log/auth.log # Path to SSH authentication log
filter = sshd # Use the SSH filter for matching logs
Enter fullscreen mode Exit fullscreen mode

After editing:

# Reload Fail2ban to apply changes
sudo fail2ban-client reload
Enter fullscreen mode Exit fullscreen mode

7. Analyzing Logs

Monitor Fail2ban activity:

sudo tail -f /var/log/fail2ban.log
Enter fullscreen mode Exit fullscreen mode

Find banned IPs in the logs:

grep 'Ban' /var/log/fail2ban.log
Enter fullscreen mode Exit fullscreen mode

8. Create a Custom Jail

To protect Apache from login-related brute-force attacks:

  1. Add this to /etc/fail2ban/jail.local:

  2. Create the filter /etc/fail2ban/filter.d/apache-auth.conf:

  3. Reload Fail2ban to apply:

  4. Test the custom filter:

9. Debugging

Check configuration syntax:

sudo fail2ban-client -d
Enter fullscreen mode Exit fullscreen mode

View system logs for Fail2ban:

journalctl -u fail2ban
Enter fullscreen mode Exit fullscreen mode

10. Persistent Bans Across Restarts

If you want bans to persist after Fail2ban is restarted:

  1. Enable persistent bans in /etc/fail2ban/jail.local:

  2. Restart Fail2ban:

11. iptables Integration

To view the iptables rules created by Fail2ban:

sudo iptables -L -n
Enter fullscreen mode Exit fullscreen mode

To remove or flush all Fail2ban-related rules:

sudo iptables -F
Enter fullscreen mode Exit fullscreen mode

12. Security Best Practices

  • Always whitelist critical IPs using ignoreip to prevent accidental bans.
  • Customize jail.local for site-specific setups (avoid editing jail.conf).
  • Regularly monitor /var/log/fail2ban.log for suspicious activity or misconfigurations.
  • Periodically test your filters using: sudo fail2ban-regex <logfile> <filter_file>.
  • Enable email alerts for ban events by customizing the action parameter in your jails.

Fail2ban is a powerful tool to lock down your system against brute-force attacks. Regularly monitor logs, refine filters, and keep configs well-maintained for optimal performance and security.

Thank you for reading!

This article was written by Ramiro Gómez using open source software and the assistance of AI tools. While I strive to ensure accurate information, please verify any details independently before taking action. For more articles, visit the Geeklog on geeksta.net.

Top comments (0)