Categories
Informatique

Fail2Ban Cheat Sheet

Fail2Ban is super useful but .. do you remember most of the commands to actually use it? Let us help!

Fail2Ban Overview

Fail2Ban is a powerful intrusion prevention software designed to enhance the security of servers that are exposed to the internet. It accomplishes this by monitoring log files for malicious activity, such as repeated failed login attempts, and takes proactive measures to protect the system from potential threats. By automatically banning IP addresses that show signs of suspicious behavior, Fail2Ban effectively mitigates risks associated with brute-force attacks and other forms of unauthorized access.

Purpose of This Cheat Sheet

This cheat sheet article serves as a quick reference guide for users looking to efficiently manage their Fail2Ban installation. It consolidates key commands related to service and jail management, ban management, log monitoring, and configuration parameters into an easily digestible format. By providing a streamlined overview, this cheat sheet is particularly useful for system administrators and users who may not remember every command needed to effectively operate Fail2Ban. With this resource, users can quickly access essential commands and configurations, ultimately saving time and improving server security practices.

Service Management

# Start Fail2ban
sudo systemctl start fail2ban

# Stop Fail2ban
sudo systemctl stop fail2ban

# Restart Fail2ban
sudo systemctl restart fail2ban

# Check status
sudo systemctl status fail2ban

Jail Management

# List all jails
sudo fail2ban-client status

# Get status of specific jail
sudo fail2ban-client status sshd
sudo fail2ban-client status fastapi

# Start a jail
sudo fail2ban-client start sshd

# Stop a jail
sudo fail2ban-client stop sshd

Ban Management

# Ban an IP manually
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100
sudo fail2ban-client set fastapi unbanip 37.64.58.42 

# Get currently banned IPs
sudo fail2ban-client get sshd banned

Log Monitoring

# View Fail2ban log
sudo tail -f /var/log/fail2ban.log

# View detailed jail information
sudo fail2ban-client get sshd actions

Configuration Files

Main configuration files:

  • /etc/fail2ban/jail.conf – Default configuration (don’t edit)
  • /etc/fail2ban/jail.local – Custom configuration (create/edit this)
  • /etc/fail2ban/filter.d/ – Filter definitions
  • /etc/fail2ban/action.d/ – Action definitions

Common Configuration Parameters

# In /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

Parameter explanations:

  • maxretry: Number of failures before ban
  • findtime: Time window for maxretry (in seconds)
  • bantime: Duration of ban (in seconds)

Testing Configuration

# Test jail configuration
sudo fail2ban-client -d

# Verify syntax of jail.local
sudo fail2ban-client -t

Remember to always backup configuration files before making changes and restart Fail2ban after configuration modifications.

SQLite commands :

Show all IP address and its jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select ip,jail from bips"


Show all unique IP address:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips"


Show all unique IP address in sshd jail:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips where jail='sshd'"


Leave a Reply