Bobcares

Fail2ban blacklist IP – Easy way to do it!!

by | Nov 1, 2019

Have you ever wondered how fail2ban blacklists an IP?

Fail2ban protects our server mainly from brute-force attacks. It bans suspicious IP addresses in the server firewall.

At Bobcares, we often receive requests to blacklist IP addresses as part of our Server Management Services.

Today, let’s have a detailed discussion on IP blacklisting in fail2ban.

 

Why blacklist IP addresses?

Our websites are under constant threat, and protecting them from attacks or malicious activity is not an easy task.

Fail2ban is an intrusion detection system that continually monitors log files for suspicious activity.

So, if some suspicious activity takes place, it will notify us by sending alert emails.

This mainly detects brute-force attacks. So, if too many failed login attempts occur, it will block the offending IP address for a period of time.

 

How does fail2ban blacklist an IP?

As we have already said, fail2ban provides improved security by restricting suspicious hosts.

But how does it ban such IPs?

Fail2ban scans log files and automatically blacklists IPs that show malicious signs. Using fail2ban, we can also block an IP address manually.

The DEFAULT section of jail.conf below says that after five failed access attempts (maxretry) from a single IP address within 600 seconds or 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).

[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600
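
To see how these three values interact, here is an added example (not Bobcares' or fail2ban's own code) that replays constructed auth.log lines through the same maxretry/findtime/bantime logic. The regular expression is a simplified stand-in for the sshd filter, and the host name, IP addresses and log lines are made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 5, 600, 600  # values from [DEFAULT] above
IGNOREIP = [ipaddress.ip_network("127.0.0.1/32")]
# Simplified stand-in for the sshd filter's failregex (an assumption).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def simulate(lines, year=2019):
    """Return [(ip, ban_start, ban_end)] for the bans the thresholds produce."""
    failures = defaultdict(deque)  # ip -> times of failures inside findtime
    banned_until = {}              # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if any(ipaddress.ip_address(ip) in net for net in IGNOREIP):
            continue  # hosts listed in ignoreip are never banned
        if ip in banned_until and now < banned_until[ip]:
            continue  # already blocked by the firewall
        window = failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = now + timedelta(seconds=BANTIME)
            bans.append((ip, now, banned_until[ip]))
            window.clear()
    return bans

def _line(hms, ip):  # one constructed auth.log line (sample data, not a real log)
    return f"Nov  1 {hms} web1 sshd[4242]: Failed password for root from {ip} port 50022 ssh2"

SAMPLE_LOG = sorted(
    [_line(f"10:0{s // 60}:{s % 60:02d}", "203.0.113.7") for s in range(0, 100, 20)]
    + [_line(f"10:{m:02d}:00", "198.51.100.9") for m in range(0, 20, 4)]
    + [_line(f"10:00:0{s}", "127.0.0.1") for s in range(6)]
)

if __name__ == "__main__":
    for ban in simulate(SAMPLE_LOG): print(*ban)
```

Only 203.0.113.7 is banned: 127.0.0.1 is covered by ignoreip, and the five failures from 198.51.100.9 are four minutes apart, so no more than three of them ever fall inside one findtime window. Keep that in mind when choosing findtime for a jail.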

We can ban IP addresses using the fail2ban command as well as from the control panel. We can also set up an auto IP blacklist for a particular service. Let’s discuss how our Support Engineers ban IP addresses.

 

Using fail2ban command

We ban an IP address in fail2ban using the command,

sudo fail2ban-client set JAIL banip WW.XX.YY.ZZ

For example, to blacklist SSH access for the IP address 1xx.1x.2x.2x, we use the command

sudo fail2ban-client set sshd banip 1xx.1x.2x.2x

Filters for most services are already present in the directory /etc/fail2ban/filter.d/. We get the jail name from filter.d.

 

Auto Blacklist IP address

Recently, one of our customers contacted us to set up automatic blacklisting of IPs that fail SSH authentication. Let us discuss how our Support Engineers set up the auto blacklist.

We add the details below to the fail2ban configuration file, jail.conf or jail.local, depending on the configuration.

[SSH]
enabled = true
port = ssh
# banaction names a file in /etc/fail2ban/action.d (here ufw.conf)
banaction = ufw
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

The banaction entry lets us blacklist the IP. It works based on the files present in the directory /etc/fail2ban/action.d, where a ufw.conf file is already present. By naming it in the jail, we attach that file's ban rule to the jail; the command that actually blocks the address is the actionban entry inside ufw.conf.

We can also make changes to the ufw.conf file, based on our requirements, to control how the IP address is blacklisted.

Conf files for the most commonly used firewalls are already present in the action.d directory. We set the banaction entry based on the firewall on the server.

Finally, we restart the fail2ban service to apply the changes.

service fail2ban restart

 

Using Control panel

Recently, a customer approached us to set up Fail2ban in Plesk.

And, in Plesk, we can automatically ban IP addresses and networks that generate malicious traffic using Fail2ban.

Our Support Engineers used the below steps to set it up.

  1. Firstly, we go to Tools & Settings >> IP Address Banning (Fail2Ban).
  2. Then, we select the Enable intrusion detection checkbox. This will activate the Fail2Ban service.
  3. Next, we specify settings such as the IP address ban period, the time interval for detection of subsequent attacks, and the number of failures before the IP address is banned.
  4. Finally, we click on OK.

 


 

Conclusion

In short, blacklisting IPs with Fail2ban restricts suspicious hosts efficiently. In today’s writeup, we discussed this in detail and saw how our Support Engineers ban IP addresses for our customers.
