Fail2ban is an awesome tool that monitors your log files for suspicious activity and bans offending IP addresses automatically. It scans your logs, matches warning lines against regular expressions, and bans the matching addresses using iptables.

To install, in Debian-based distributions (including Ubuntu derivatives):

sudo apt-get install fail2ban

To configure, first change to the settings directory:

cd /etc/fail2ban/

When listing the directory, you should get the following output:

$ ls -ls
total 36
4 drwx 2 root root action.d
4 -rw- 1 root root fail2ban.conf
4 drwx 2 root root fail2ban.d
4 drwx 2 root root filter.d
16 -rw- 1 *    *    jail.conf
4 drwx 2 root root jail.d

A small description of each file and what it does:

  • fail2ban.conf sets the general options, and the defaults should be fine;
  • jail.conf sets the options of each log file monitor, which is called a "jail";
  • jail.d/ is the folder that contains the settings for each "jail" if you choose to separate them instead of listing them all in jail.conf;
  • filter.d/ is the folder that contains the rules that scan the log files;
  • action.d/ is the folder that contains the possible actions to execute when a jail is triggered.

Usually, it is recommended to make a copy of jail.conf to jail.local as a local settings file, and edit the .local one:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then enable some of the default jails that are included, such as ssh and ssh-ddos. You will find several examples in the default configuration file; to enable one, set enabled=true in that jail's section. You can also set the actions (usually blocking with iptables) and the ban times.

For the changes to take effect, restart the service:

sudo service fail2ban restart

You can create your own filters so that you can monitor your own applications' log files. To do this, add your .conf file to filter.d and reference it by its name (without the .conf extension) in your jail configuration file, setting the actions and the ban time. Look at the other filters to get a sense of the syntax; it is fairly basic, with one regular expression that matches the offending lines (and the IP in them) and one regular expression for lines to ignore. You can test your filters with the command:

fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/myfilter.conf <yourignoreregex>

Your ignore regex will have to be specified in the command.
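As an added illustration (not code from this page or from fail2ban itself), the following Python script mimics what a filter does: it reads failregex and ignoreregex from a definition written in the filter.d layout, substitutes a simplified stand-in for fail2ban's <HOST> tag, and counts matches per address against a maxretry threshold. The myapp filter and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed filter definition in the layout of a filter.d/*.conf file
# (hypothetical "myapp" service; not a filter shipped with fail2ban).
FILTER_CONF = r"""
[Definition]
failregex = ^.*myapp\[\d+\]: login failed for .* from <HOST>$
ignoreregex = from 10\.0\.0\.1$
"""

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Jan 10 10:00:01 host myapp[123]: login failed for bob from 203.0.113.7
Jan 10 10:00:02 host myapp[123]: login failed for bob from 203.0.113.7
Jan 10 10:00:03 host myapp[123]: login failed for alice from 10.0.0.1
Jan 10 10:00:04 host myapp[123]: login ok for bob from 203.0.113.7
Jan 10 10:00:05 host myapp[123]: login failed for bob from 203.0.113.7
Jan 10 10:00:06 host myapp[123]: login failed for eve from 198.51.100.9
"""

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

def load_filter(text):
    """Read failregex and ignoreregex (one each) from the [Definition] section."""
    opts = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip()
    fail = re.compile(opts["failregex"].replace("<HOST>", HOST_RE))
    ignore = re.compile(opts["ignoreregex"]) if opts.get("ignoreregex") else None
    return fail, ignore

def matches(filter_text, log_text):
    """Return one host per matching line, the way fail2ban-regex reports them."""
    fail, ignore = load_filter(filter_text)
    hosts = []
    for line in log_text.splitlines():
        if ignore and ignore.search(line):
            continue  # a line hit by ignoreregex is never a failure
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

def banned(filter_text, log_text, maxretry=3):
    """Hosts that reached maxretry failures (findtime is left out for brevity)."""
    counts = defaultdict(int)
    for host in matches(filter_text, log_text):
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```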

Now for probably the most important part: how to unban yourself (if you use this, it will happen, trust me). Start by listing the iptables rules:

sudo iptables -L --line-numbers

Find the number of the rule that is locking you out and the name of its chain (usually the jail name prefixed with fail2ban-), then delete it:

sudo iptables -D <chain> <line number>

There's a special jail that seems attractive to enable but requires care: the recidive jail, which bans repeat offenders. If you enable it, avoid mistakes that get you banned too often, because fail2ban keeps track of repeating IPs in its own log, /var/log/fail2ban.log. Since that log is read back, recidive bans survive restarts, and this jail bans you from all communication with the server until its ban time expires. Keep that in mind and set an adequate ban time in your configuration, or disable it if you don't like its aggressiveness. The other jails continue to protect your system even if you choose to disable recidive.