Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address.
Questions tagged [fail2ban]
705 questions
14 votes, 5 answers
Is it worth the effort to block failed login attempts
Is it worthwhile running fail2ban, sshdfilter or similar tools, which blacklist IP addresses which attempt and fail to log in?
I've seen it argued that this is security theatre on a "properly secured" server. However, I feel that it probably makes…

dunxd
13 votes, 3 answers
Installing from EPEL on Amazon EC2
I am trying to install fail2ban on our Amazon EC2 Linux AMI (CentOS). I know that fail2ban is in the EPEL so I have done the following:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -Uvh…

williamsdb
13 votes, 2 answers
Fail2Ban unblock ipaddress
I am trying to unblock an IP address without restarting Fail2Ban each time, what is the best way of doing this? Or can you point me in the direction of a useful guide?
As you can see below the IP address I am trying to remove is: 89.31.259.161
#…

John Magnolia
13 votes, 1 answer
How to test whether fail2ban can really send an email?
I have configured fail2ban but I would like to test sending of email.
For example, I would like that I get email when fail2ban is started or stopped.

user84686
12 votes, 1 answer
Fail2Ban blocking behaviours depending on the status code
I am using Fail2Ban and I have configured it as needed. This is reading logs from nginx/error.log and is acting depending on configs about maxretry and timing sets. The question is: is it possible to have different rules depending on status…

Parsa Samet
12 votes, 3 answers
Fail2ban log filled with entries saying "fail2ban.filter : WARNING Determined IP using DNS Lookup:.."
My fail2ban log at /var/log/fail2ban.log is completely filled with entries saying:
fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address]
I think this may have begun after I changed my ssh port...
Any idea what the cause of this is…

Dirk Calloway
12 votes, 5 answers
is fail2ban safe? Better to use ssh keys?
I'm in doubt if I should use key authentication when logging into SSH, or just go for fail2ban + ssh (root login disabled).
Is fail2ban safe or is it really better to just go ahead and generate keys and config that on all my client machines that…

solsol
11 votes, 2 answers
Why is fail2ban not banning this attack?
I have fail2ban installed to ban bruteforce attempts on the ssh password. There are business requirements for not disabling password authentication on this machine.
fail2ban was installed using the same chef cookbook that effectively bans ssh…

Leo
11 votes, 3 answers
Why is iptables not blocking an ip address?
I have configured fail2ban to monitor a certain pattern of malicious traffic I'm getting and ban IP addresses associated.
Everything seems to be working great -- the regex is matching the pattern appropriately and the problem IP address is getting…

jsdalton
11 votes, 3 answers
Does fail2ban monitor rotated log files?
Does fail2ban continue to monitor rotated log files?
For example, I have a rule monitoring /var/log/fail2ban.log which is automatically rotated by the system every week (7 days). I want to have a rule that monitors for banned IPs in that log to…

J. Chin
10 votes, 3 answers
How to block IPs that cause excessive 404 errors with Fail2ban?
I have installed Fail2Ban v0.10.2 on Ubuntu 18.04 with Apache 2.4.29 and enabled the standard ssh and apache jails for basic protection with email notification warnings, when an IP is blocked.
Having a look at the documentation, I was not able to…
user475270
10 votes, 3 answers
Securing linux servers: iptables vs fail2ban
I would like to pick the community's brain regarding linux server security, specifically regarding brute-force attacks and using fail2ban vs custom iptables.
There are a few similar questions out there but none of them address the topic to my…

kingmilo
10 votes, 1 answer
How to use so called action variables in fail2ban?
I've seen a few mentions of these in the docs and misc scripts, but nothing concrete on exactly how they are used. Could anyone give me some examples?
Is it just a case of
myvar=7
.
.
.
[ssh]
bantime=%(myvar)s
If so what is the point?
Secondly,…

fpghost
10 votes, 2 answers
How to *add* rules in local fail2ban filter definition?
I have installed fail2ban as packaged by Debian on a server under my control. Since I have some failregexes from before, I'm putting those into the local filter definition file so they will be considered as well. Hence, I end up with e.g.…

user
10 votes, 3 answers
Is there any reason to use fail2ban with SSH password logins disabled?
I am setting up an Ubuntu server hosted by Linode.
I am stepping through their security guide and they recommend installing fail2ban after disabling password based SSH logins.
I don't see the point in installing fail2ban if dictionary attacks are…

dbasch