Docs
Applications
Fail2ban

Commands

# fail2ban server status
sudo service fail2ban status
 
# see jail status
sudo fail2ban-client status ssh
 
# manually ban ip
sudo fail2ban-client set sshd banip 23.34.45.56
 
# manually unban ip
sudo fail2ban-client set sshd unbanip 23.34.45.56

Installation

Setup a Mail Transfer Agent, for example postfix.

Then install fail2ban. Make sure to stop its automatically started service.

sudo apt install fail2ban
sudo service fail2ban stop

Configuration

Fail2ban reads files from two configuration formats. Files that end with the suffixes .conf (original) and .local (custom) within /etc/fail2ban. The default config files of fail2ban come saved with the suffix .conf. Never touch these files. There's a possibility of them being overwritten after package updates. Always make changes after creating a copy of the with the .local suffix.

The .local files don't have to include all settings from the corresponding .conf file, only those that need to be overridden.

The configs below are meant to be self sufficient. Meaning the files don't need extra rules other than the ones stated to function as intended.

fail2ban.conf               => fail2ban.local
jail.conf                   => jail.local
action.d/mail-whois.conf    => mail-whois.local
jail.d/defaults-debian.conf => defaults-debian.local

Prevent ufw conflicts

defaults-debian.local
[sshd]
enabled = false

Change log level.

fail2ban.local
[DEFAULT]
loglevel = INFO

Setup the main jail which fail2ban would be listening to and blocking ips.

jail.local
[ssh]
enabled = true
port = <ssh-port>
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 1w
findtime = 1d
 
destemail = <dest-email>
sender = fail2ban
mta = mail
chain = <known/chain>
 
# basically what happens when blocking
action_mwl = ufw[application="OpenSSH", blocktype=reject]
	         %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
action = %(action_mwl)s

To configure the mail templates.

mail-whois.local
[INCLUDES]
before = mail-whois-common.conf
 
[Definition]
norestored = 1
 
actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "Code Green: Fail2Ban Started" <dest>
 
actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "Code Red: Fail2Ban Stopped" <dest>
 
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `%(_whois_command)s`\n
            Regards,\n
            Fail2Ban"|mail -s "Code Yellow: SSH banned ip" <dest>
 
[Init]
name = default
# addressee of the mail
dest = fail2ban

Troubleshooting

When encountering potential ufw conflicts resulting in already banned errors. Source (opens in a new tab).


Also check out ufw's OpenSSH app. Cos that's the reference fail2ban uses to ban stuff. Source (opens in a new tab).