fraggle/WebsiteTemplate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
WebsiteTemplate/cheatsheets/fail2ban.html
Fraggle 6f42a58ee5
first commit
2026-01-25 11:33:37 -04:00

471 lines
13 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
const theme = localStorage.getItem('theme') ||
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>fail2ban Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">fail2ban Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>fail2ban scans log files and bans IP addresses that show malicious signs (multiple failed login attempts, vulnerability scans, etc.). It can automatically update firewall rules to reject IP addresses for a specified amount of time.</p>
<hr>
<h2>Service Management</h2>
<ul>
<li>systemctl start fail2ban - Start fail2ban service</li>
</ul>
<ul>
<li>systemctl stop fail2ban - Stop fail2ban service</li>
</ul>
<ul>
<li>systemctl restart fail2ban - Restart fail2ban service</li>
</ul>
<ul>
<li>systemctl status fail2ban - Check service status</li>
</ul>
<ul>
<li>systemctl enable fail2ban - Enable fail2ban at boot</li>
</ul>
<ul>
<li>systemctl reload fail2ban - Reload configuration without restart</li>
</ul>
<hr>
<h2>Viewing Status</h2>
<ul>
<li>fail2ban-client status - Show all active jails</li>
</ul>
<ul>
<li>fail2ban-client status sshd - Show status of specific jail</li>
</ul>
<ul>
<li>fail2ban-client status sshd -v - Verbose status output</li>
</ul>
<ul>
<li>fail2ban-client get <jail> logpath - Get log path for jail</li>
</ul>
<ul>
<li>fail2ban-client get <jail> findtime - Get findtime value</li>
</ul>
<ul>
<li>fail2ban-client get <jail> bantime - Get ban time value</li>
</ul>
<ul>
<li>fail2ban-client get <jail> maxretry - Get max retry value</li>
</ul>
<hr>
<h2>Ban Management</h2>
<ul>
<li>fail2ban-client set <jail> banip <ip> - Manually ban an IP</li>
</ul>
<ul>
<li>fail2ban-client set <jail> unbanip <ip> - Unban an IP address</li>
</ul>
<ul>
<li>fail2ban-client set <jail> unbanip all - Unban all IPs in a jail</li>
</ul>
<ul>
<li>fail2ban-client unban --all - Unban all IPs from all jails</li>
</ul>
<ul>
<li>fail2ban-client set sshd getbanned - List banned IPs for jail</li>
</ul>
<ul>
<li>fail2ban-client status sshd | grep "Banned IP" - List banned IPs</li>
</ul>
<hr>
<h2>Configuration Files</h2>
<ul>
<li>/etc/fail2ban/jail.conf - Main configuration (don't edit directly)</li>
</ul>
<ul>
<li>/etc/fail2ban/jail.local - Local configuration (override jail.conf)</li>
</ul>
<ul>
<li>/etc/fail2ban/jail.d/ - Additional jail configurations</li>
</ul>
<ul>
<li>/etc/fail2ban/filter.d/ - Filter definitions</li>
</ul>
<ul>
<li>/etc/fail2ban/action.d/ - Action scripts (ban/unban commands)</li>
</ul>
<ul>
<li>/etc/fail2ban/fail2ban.local - fail2ban daemon configuration</li>
</ul>
<ul>
<li>/var/log/fail2ban.log - fail2ban log file</li>
</ul>
<hr>
<h2>Common Jails</h2>
<ul>
<li>sshd - SSH server</li>
</ul>
<ul>
<li>apache-auth - Apache authentication failures</li>
</ul>
<ul>
<li>apache-badbots - Apache bad bots</li>
</ul>
<ul>
<li>apache-noscript - Apache script injection attempts</li>
</ul>
<ul>
<li>apache-overflows - Apache buffer overflow attempts</li>
</ul>
<ul>
<li>nginx-http-auth - Nginx HTTP authentication</li>
</ul>
<ul>
<li>nginx-limit-req - Nginx rate limiting</li>
</ul>
<ul>
<li>postfix - Postfix mail server</li>
</ul>
<ul>
<li>dovecot - Dovecot IMAP/POP3</li>
</ul>
<ul>
<li>vsftpd - FTP server</li>
</ul>
<ul>
<li>mysqld-auth - MySQL authentication</li>
</ul>
<hr>
<h2>Jail Configuration Example</h2>
<pre><code>[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
action = iptables[name=SSH, port=ssh, protocol=tcp]</code></pre>
<h3>Configuration Options</h3>
<ul>
<li>enabled - Enable/disable jail (true/false)</li>
</ul>
<ul>
<li>port - Port(s) to ban (ssh, http, 22, 80,443, 22:25)</li>
</ul>
<ul>
<li>filter - Filter name (in /etc/fail2ban/filter.d/)</li>
</ul>
<ul>
<li>logpath - Log file path to monitor</li>
</ul>
<ul>
<li>maxretry - Maximum number of failures before ban</li>
</ul>
<ul>
<li>findtime - Time window in seconds to count failures</li>
</ul>
<ul>
<li>bantime - Duration of ban in seconds (-1 = permanent)</li>
</ul>
<ul>
<li>action - Action to take when banning (default: iptables)</li>
</ul>
<ul>
<li>ignoreip - IP addresses/networks to never ban</li>
</ul>
<ul>
<li>ignorecommand - Command to check if IP should be ignored</li>
</ul>
<hr>
<h2>Creating Custom Jails</h2>
<h3>/etc/fail2ban/jail.local</h3>
<pre><code>[DEFAULT]
# Default ban time (10 minutes)
bantime = 600
# Time window to count failures (10 minutes)
findtime = 600
# Maximum failures before ban
maxretry = 5
# IPs/networks to never ban
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
# Email notifications (optional)
destemail = admin@example.com
sendername = Fail2Ban
action = %(action_mwl)s
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
[custom-web]
enabled = true
port = http,https
filter = custom-web
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 300
bantime = 3600</code></pre>
<hr>
<h2>Creating Custom Filters</h2>
<h3>/etc/fail2ban/filter.d/custom-web.conf</h3>
<pre><code>[Definition]
# Failregex - patterns that indicate a failed attempt
failregex = ^&lt;HOST&gt;.*"GET /wp-admin.*" 404
^&lt;HOST&gt;.*"POST /xmlrpc.php.*" 200
^&lt;HOST&gt;.*"GET /administrator.*" 404
# Ignore regex - patterns to ignore
ignoreregex =</code></pre>
<h3>Testing Filters</h3>
<pre><code># Test filter against log file
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Test with verbose output
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf -v
# Test custom filter
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/custom-web.conf</code></pre>
<hr>
<h2>Actions</h2>
<ul>
<li>iptables - Use iptables for banning (default)</li>
</ul>
<ul>
<li>iptables-multiport - Ban multiple ports</li>
</ul>
<ul>
<li>iptables-allports - Ban all ports</li>
</ul>
<ul>
<li>iptables-new - Use iptables with new chain (recommended)</li>
</ul>
<ul>
<li>ipset - Use ipset for efficient IP management</li>
</ul>
<ul>
<li>ipset-multiport - ipset with multiple ports</li>
</ul>
<ul>
<li>nftables - Use nftables (new firewall backend)</li>
</ul>
<ul>
<li>sendmail - Send email notifications</li>
</ul>
<ul>
<li>mail-whois - Send email with whois information</li>
</ul>
<ul>
<li>action_mwl - Mail with whois and log lines</li>
</ul>
<ul>
<li>action_bspam - Ban and report to spamhaus</li>
</ul>
<hr>
<h2>Advanced Configuration</h2>
<h3>Email Notifications</h3>
<pre><code>[DEFAULT]
destemail = admin@example.com
sendername = Fail2Ban-Alerts
sender = fail2ban@example.com
mta = sendmail
action = %(action_mwl)s</code></pre>
<h3>Using ipset (Better Performance)</h3>
<pre><code>[sshd]
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, chain=INPUT]
iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp, chain=INPUT]</code></pre>
<h3>Multiple Ports</h3>
<pre><code>[web-ports]
enabled = true
port = http,https,8080,8443
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 5</code></pre>
<hr>
<h2>Managing Jails</h2>
<ul>
<li>fail2ban-client start - Start fail2ban</li>
</ul>
<ul>
<li>fail2ban-client stop - Stop fail2ban</li>
</ul>
<ul>
<li>fail2ban-client reload - Reload configuration</li>
</ul>
<ul>
<li>fail2ban-client reload <jail> - Reload specific jail</li>
</ul>
<ul>
<li>fail2ban-client start <jail> - Start specific jail</li>
</ul>
<ul>
<li>fail2ban-client stop <jail> - Stop specific jail</li>
</ul>
<ul>
<li>fail2ban-client restart <jail> - Restart specific jail</li>
</ul>
<hr>
<h2>Logging and Monitoring</h2>
<ul>
<li>tail -f /var/log/fail2ban.log - Monitor fail2ban log</li>
</ul>
<ul>
<li>grep "Ban\|Unban" /var/log/fail2ban.log - View ban/unban events</li>
</ul>
<ul>
<li>fail2ban-client get <jail> logencoding - Check log encoding</li>
</ul>
<ul>
<li>fail2ban-client -d - Debug mode (run in foreground)</li>
</ul>
<hr>
<h2>Useful Commands</h2>
<ul>
<li>fail2ban-client ping - Test if fail2ban is responding</li>
</ul>
<ul>
<li>fail2ban-client version - Show version</li>
</ul>
<ul>
<li>fail2ban-regex --help - Help for regex testing</li>
</ul>
<ul>
<li>iptables -L -n | grep f2b- - List fail2ban iptables rules</li>
</ul>
<ul>
<li>ipset list - List all ipsets (if using ipset)</li>
</ul>
<hr>
<h2>Common Use Cases</h2>
<h3>Protect SSH</h3>
<pre><code>[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
ignoreip = 192.168.1.0/24</code></pre>
<h3>Protect Web Server</h3>
<pre><code>[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*access.log
maxretry = 2</code></pre>
<h3>Protect MySQL</h3>
<pre><code>[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysqld.log
maxretry = 5
bantime = 7200</code></pre>
<hr>
<h2>Tips</h2>
<ul>
<li>Always use jail.local instead of editing jail.conf directly</li>
</ul>
<ul>
<li>Test filters with fail2ban-regex before enabling jails</li>
</ul>
<ul>
<li>Add your own IP to ignoreip to avoid getting locked out</li>
</ul>
<ul>
<li>Use ipset action for better performance with many banned IPs</li>
</ul>
<ul>
<li>Monitor /var/log/fail2ban.log for issues</li>
</ul>
<ul>
<li>Set reasonable bantime to avoid permanent locks</li>
</ul>
<ul>
<li>Adjust maxretry and findtime based on your needs</li>
</ul>
<ul>
<li>Use action_mwl to get email notifications with context</li>
</ul>
<ul>
<li>Check iptables rules regularly to ensure bans are working</li>
</ul>
<ul>
<li>Combine with log monitoring tools for better visibility</li>
</ul>
<ul>
<li>Document custom filters for future reference</li>
</ul>
<ul>
<li>Regularly review banned IPs and unban false positives</li>
</ul>
<ul>
<li>Use fail2ban-client reload to apply config changes without downtime</li>
</ul>
<ul>
<li>Test configuration changes on a non-production system first</li>
</ul>
<ul>
<li>Keep fail2ban updated to get latest filters and fixes</li>
</ul>
<hr>
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink