Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).
MANUAL 0 8
- 1 Introduction
- 2 Installation
- 3 Usage
- 4 Configuration
- 5 Testing
- 6 Limitations
Brute-force break-in attempts are quite frequent against an SSH server and other password protected internet-services (such as ftp,pop,...). Automated scripts try multiple combinations of username/password (brute-force, dictionary attack) and sometimes changing the port to something other than the default can't be done. Furthermore, scouring your log files yourself is not only time consuming, but can be difficult too.
Fail2ban attempts to alleviate these issues by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manner.
Log files contain interesting information, especially about failed logins. This information can be used to ban an offensive host. This is exactly what Fail2ban does. It scans log files and detects patterns which correspond to possible breakin attempts and then performs actions. Most of the time, it consists of adding a new rule in a firewall chain and sending an e-mail notification to the system administrator.
Here is a list of the most important features available in Fail2ban:
- Gamin support
- autodetection of the date/time format
- wildcard support in logpath option
- support for a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc)
- support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)
The code has been completely rewritten since 0.6.x. Fail2ban is entirely written in Python and thus should work on most of the *nix systems.Skipping to...
Installing Fail2ban on a Fedora 9+ based system is usually straightforward. Execute the following code as the root user:
yum install fail2ban
There is a bug with the current (0.8.4-27) Fedora and RedHat distros  which will prevent jails from starting unless SELinux is disabled. Symptoms are that a server with no configuration changes will fail to start and the fail2ban log file (search for 'logtarget' in fail2ban.conf) will have an error message like:
fail2ban.jail : INFO Creating new jail 'ssh-iptables' fail2ban.comm : WARNING Invalid command: ['add', 'ssh-iptables', 'auto']
when starting the SSH jail. If this happens to you, edit jail.conf and change the line that says
backend = auto
backend = gamin
This requires gamin to be installed. If it isn't, install it via:
yum install gamin
Alternatively you can disable SELinux, but that is not recommended.Read More on Other OS's (this is from the Manual)...
- 1 Troubleshooting
- 1.1 I have Postfix on my system but no "mail" command. How can I get e-mail notifications?
- 1.2 Why do my CVS users using SSH getting blocked?
- 1.3 I get the error "Please check the format and your locale settings"
- 1.4 How do I increase verbosity?
- 1.5 Fail2ban-client is unable to contact server
- 1.6 Fail2ban is running but not banning SSH bruteforce
- 1.7 Fail2ban is failing to ban VSFTPD bruteforce
- Linux Server mit Fail2ban absichern - German Howto
- Integrate fail2ban with WordPress: Spam Log Plugin
- German Howto
- How To Español
- Ipcop How To
- System: fail2ban and iptables from The Art of Web
- Using fail2ban to Block Brute Force Attacks by Marius Ducea
- Fail2ban: an enemy of script-kiddies by Yaroslav Halchenko (Dead link ? 2011-08-10) Internet Archive
- HOWTO fail2ban explains how to install and use Fail2ban on Gentoo.
- HOWTO fail2ban with qpopper - configure qpopper pop3 services with fail2ban
- fail2ban with OpenSuse 10.3 - step by step instructions on using fail2ban with OpenSuse with courier email services, etc.
- HOWTO fail2ban and sendmail - sendmail on a Debian system; also see Sendmail
- HOWTO - Geographically localize the banned IPs
- HOWTO fail2ban with Mod_Security 2.5 - configure fail2ban to use Mod_Security 2.5 logs
- HOWTO fail2ban and lighttpd - FastCGI's ALERT filter.d config
- HOWTO fail2ban and PHP remote script injection via GET/POST variables using allow_url_fopen and such - Fail2ban filter to match "GET /script.php?variable=http://evil.com/evil.txt?" attacks.
- Fail2ban monitoring Fail2ban - explains how to block really persistent attackers.
- Fail2Ban Unbanning Single - a decent document for unbanning using IPTables, worked well when tested.
- HOWTO ban apache proxy requests - Fail2ban filter to ban bots/scripts that automatically try to use your apache server as a proxy
- HOWTO ban PHP MySql Admin requests Fail2ban filter and configuration for PHPMyAdmin
- HOWTO Upgrade from 0.6 to 0.8
- HOWTO Mac OS X Server (10.4)
- HOWTO fail2ban on Leopard Server
- HOWTO fail2ban on NSLU2
- HOWTO fail2ban and SSH
- Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures
- HOWTOs - Fail2ban
- FAQ english - Fail2ban
- Fail2Ban - Fail2ban