Have you ever wondered how fail2ban blacklists an IP?
Fail2ban protects our server mainly from brute-force attacks. It bans suspicious IP addresses in the server firewall.
At Bobcares, we often receive requests to blacklist IP addresses as part of our Server Management Services.
Today, let’s have a detailed discussion on IP blacklisting in fail2ban.
Why blacklist IP addresses?
Our websites are under constant threat, and protecting them from attacks or malicious activity is not an easy task.
Fail2ban is an intrusion detection system that continually monitors log files for suspicious activity.
So, if some suspicious activity takes place, it can notify us by sending alert emails.
This mainly detects brute-force attacks. So, if too many failed login attempts occur, it will block the offending IP address for a period of time.
How does fail2ban blacklist IPs?
As we have already said, fail2ban provides improved security by restricting suspicious hosts.
But how does it ban such IPs?
Fail2ban scans log files and automatically blacklists IPs that show signs of malicious activity. Using fail2ban, we can also block IP addresses manually.
The DEFAULT section of jail.conf below says that after five failed access attempts (maxretry) from a single IP address within 600 seconds, i.e. 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime). Addresses listed in ignoreip are never banned.
[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600
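To make the interplay of maxretry, findtime, bantime and ignoreip concrete, here is an added Python example (not from the original post and not fail2ban's own code) that applies those DEFAULT values to a few constructed auth.log lines, using a simplified version of the "Failed password" pattern from the sshd filter. The host names, addresses, timestamps and the assumed year are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified form of the "Failed password" rule in filter.d/sshd.conf (the real filter matches many more variants).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(lines, year=2024):
    """Return (timestamp, host) per failed SSH login; syslog lines carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"]))
    return events

def compute_bans(events, maxretry=5, findtime=600, bantime=600, ignoreip=("127.0.0.1",)):
    """jail.conf DEFAULT semantics: maxretry failures from one host within findtime seconds
    trigger a ban of bantime seconds. Returns {host: (ban_start, ban_end)}."""
    recent = defaultdict(list)   # host -> failure timestamps still inside the findtime window
    bans = {}
    for ts, host in sorted(events):
        if host in ignoreip or host in bans:   # whitelisted, or already banned (firewall drops it)
            continue
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

# Constructed auth.log excerpt (hosts and times are made up for this example).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:01:15 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 12:02:30 web1 sshd[2108]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 10 12:03:45 web1 sshd[2111]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jan 10 12:05:00 web1 sshd[2115]: Failed password for root from 203.0.113.7 port 51270 ssh2
Jan 10 12:06:00 web1 sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Jan 10 12:30:00 web1 sshd[2130]: Failed password for root from 198.51.100.4 port 40010 ssh2
Jan 10 13:00:00 web1 sshd[2140]: Failed password for root from 198.51.100.4 port 40020 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, (start, end) in compute_bans(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{host} banned from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the DEFAULT values only 203.0.113.7 is banned (five failures in under five minutes); 198.51.100.4 fails twice 30 minutes apart and stays under the threshold.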
We can ban IP addresses using the fail2ban command as well as from the control panel. We can also set up an automatic IP blacklist for a particular service. Let's discuss how our Support Engineers ban IP addresses.
Using fail2ban command
We ban an IP address in fail2ban using the command:
sudo fail2ban-client set JAIL banip WW.XX.YY.ZZ
For example, to blacklist SSH access for the IP address 1xx.1x.2x.2x, we use the command:
sudo fail2ban-client set sshd banip 1xx.1x.2x.2x
Filters for most services are already present in the directory /etc/fail2ban/filter.d/. We take the jail name from the corresponding filter in filter.d.
Auto Blacklist IP address
Recently, one of our customers contacted us to set up an automatic blacklist for IPs that fail SSH authentication. Let us discuss how our Support Engineers set up auto blacklisting.
We add the below details to the fail2ban configuration file, jail.conf or jail.local, depending on the configuration.
[SSH]
enabled = true
port = ssh
# banaction names the action file from action.d that fail2ban runs to ban and unban a host
banaction = ufw
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
The banaction entry selects how the IP is blacklisted. It refers to the action files present in the directory /etc/fail2ban/action.d. A ufw.conf file is already present in that directory, so naming ufw simply attaches that action to the jail.
We can also make changes to the ufw.conf file to suit our requirements for how the IP address is blacklisted.
Configuration files for the most commonly used firewalls are already present in the action.d directory. We set the banaction entry according to the firewall on the server.
Finally, we restart the fail2ban service to apply the changes.
service fail2ban restart
Using the control panel
Recently, a customer approached us to set up Fail2ban in Plesk.
In Plesk, we can automatically ban IP addresses and networks that generate malicious traffic using Fail2ban.
Our Support Engineers used the below steps to set it up.
- Firstly, we go to Tools & Settings >> IP Address Banning (Fail2Ban).
- Then, we select the Enable intrusion detection checkbox. This activates the Fail2Ban service.
- Next, we specify settings such as the IP address ban period, the time interval for detection of subsequent attacks, and the number of failures before the IP address is banned.
- Finally, we click on OK.
Conclusion
In short, fail2ban's IP blacklisting restricts suspicious hosts efficiently. In today's writeup, we discussed this in detail and saw how our Support Engineers ban IP addresses for our customers.