From vpsget wiki

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs selected by regular expressions (too many password failures, probing for exploits, etc.). Generally Fail2ban then updates the firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) can also be configured. Out of the box Fail2ban comes with filters for various services (apache, courier, ssh, etc.). For more info refer to the official web site.
How to install Fail2ban. Install the EPEL and remi release packages first (the two RPMs must already be downloaded into the current directory):

rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Enable the remi repository.
Open the file /etc/yum.repos.d/remi.repo and set enabled=1 in the [remi] section of the file, which starts like this:

name=Les RPM de remi pour Enterprise Linux $releasever - $basearch

Now install Fail2ban:

yum install fail2ban

Set Fail2ban to start at boot

chkconfig fail2ban on

Copy the config file so the original stays as a backup (Fail2ban reads jail.conf first and then jail.local, so the settings in jail.local override the defaults):

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we have a working config file, /etc/fail2ban/jail.local; configure it according to your needs.

In /etc/fail2ban/fail2ban.conf you can select the fail2ban log level, log path, etc. Here is the default config (the comment is kept on its own line because the config parser does not strip comments placed after a value):

 loglevel = 3
 # with logtarget = SYSLOG fail2ban writes its log to /var/log/messages on CentOS
 logtarget = SYSLOG
 socket = /var/run/fail2ban/fail2ban.sock
 pidfile = /var/run/fail2ban/

Start service

service fail2ban start

Now you have a working Fail2ban server. Fail2ban creates one iptables chain per jail, named fail2ban-<name> after the name= given in the jail's action. To display the banned hosts, enter:

iptables -L -n -v

To unban an IP, delete its rule from the jail's chain; for example, rule number 1 of the chain fail2ban-ssh (check the chain name in the output above first, chain names are case-sensitive):

iptables -D fail2ban-ssh 1


  • SSH
By default fail2ban is configured to block an IP after several failed SSH authentications.

You only need to provide the correct path to the SSH log (on CentOS it is /var/log/secure by default). You can find this jail in the /etc/fail2ban/jail.local config file; the sendmail-whois line also needs your dest= and sender= mail addresses filled in, or remove that line if you do not want mail notifications:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
          sendmail-whois[name=SSH,,, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

  • HTTPD
Let's configure fail2ban to block request floods (DoS-style attacks) on the httpd ports 80 and 443. It is also possible to ban an IP after "N" failed httpd logins (not shown here since it is simple: just enable that jail in the config).

Add these lines to /etc/fail2ban/jail.local:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
# provide the correct apache access log path!
logpath = /var/log/www/vhost.d/
# max amount of retries within findtime seconds:
# 60 requests in 120 seconds from one IP = ban hammer
maxretry = 60
findtime = 120
# ban for 6,000 seconds (100 minutes)
bantime = 6000
action = iptables[name=HTTP, port=http, protocol=tcp]
         iptables[name=HTTPS, port=https, protocol=tcp]
         sendmail-whois-withline[name=httpd-get-dos, dest=yourname@yourdomain, logpath=/var/log/httpd/yoursite-access_log]

Create the new file /etc/fail2ban/filter.d/http-get-dos.conf with the following contents (the [Definition] section header is required in every filter file):

# Fail2Ban configuration file
# Author:
[Definition]
# Option: failregex
# Note: This regex will match any GET or POST entry in your logs, so basically all valid and invalid entries are a match.
# You should set maxretry and findtime in the jail carefully in order to avoid false positives.
#failregex = ^<HOST> -.*GET
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Restart fail2ban

service fail2ban restart

Check status

service fail2ban status
 fail2ban-server (pid  2104) is running...
 |- Number of jail:      2

 `- Jail list:           http-get-dos, ssh-iptables


  • NGINX
nginx can rate-limit requests by itself (ngx_http_limit_req_module); refer to the nginx guide. Fail2ban can then ban the clients that nginx logs as exceeding the limit. Add to /etc/fail2ban/jail.local:

[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
# check the correct path to the logfile!
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

The filter, /etc/fail2ban/filter.d/nginx-req-limit.conf, should be:

# Fail2Ban configuration file
# supports: ngx_http_limit_req_module module
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
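
To check what the two filters above actually catch, and how maxretry and findtime combine into a ban decision, here is an added Python example (not code from this wiki or from fail2ban) that runs the http-get-dos and nginx-req-limit failregex lines over constructed log lines. The <HOST> expansion and the sliding-window counting are simplified assumptions, and the sample addresses are made up.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag (assumption: fail2ban's own
# expansion also handles IPv6-mapped addresses; this one is enough for a demo).
HOST = r"(?P<host>[\w\-.]+)"

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST))

# The two failregex lines from the filters above.
HTTP_GET_DOS = compile_failregex(r'^<HOST> -.*"(GET|POST).*')
NGINX_REQ_LIMIT = compile_failregex(r"limiting requests, excess:.* by zone.*client: <HOST>")

# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
APACHE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.19"',
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.19"',
    '198.51.100.9 - - [10/Oct/2013:13:55:40 +0000] "HEAD / HTTP/1.1" 200 0 "-" "monitor"',
]
NGINX_LOG = [
    '2013/10/10 13:55:36 [error] 1234#0: *5 limiting requests, excess: 10.500 by zone "one", '
    'client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1"',
    '2013/10/10 13:55:37 [error] 1234#0: *6 open() "/var/www/x" failed (2: No such file), client: 198.51.100.9',
]

def matching_hosts(regex, lines):
    """Hosts captured from every line the failregex matches (one per match)."""
    return [m.group("host") for m in map(regex.search, lines) if m]

def banned_hosts(hits, maxretry, findtime):
    """Apply the jail's maxretry/findtime rule to (timestamp, host) hits: a host
    is banned once it has maxretry hits inside any findtime-second window."""
    window = defaultdict(deque)
    banned = set()
    for ts, host in sorted(hits):
        q = window[host]
        q.append(ts)
        while ts - q[0] > findtime:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

# Constructed hits: one host fires 60 requests in 60 s, another 30 requests in 300 s.
SAMPLE_HITS = [(t, "203.0.113.7") for t in range(60)] + [(t * 10, "198.51.100.9") for t in range(30)]
```

With the page's http-get-dos settings (maxretry=60, findtime=120) only 203.0.113.7 is banned, while the HEAD request and the slow client never count; lowering maxretry to 10 would also ban the slow client, which is the false-positive risk the filter comment warns about.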

Remember to restart fail2ban whenever a config file is modified so the settings are applied. It is also possible to enable the nginx-http-auth jail (bans after repeated HTTP basic-auth failures); just modify /etc/fail2ban/jail.local accordingly.


  • DOVECOT
Just set "enabled" to "true" in the /etc/fail2ban/jail.local config file and remember to specify the correct path to the maillog:

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/maillog

  • EXIM

Mostly the same. You can specify a few ports and, of course, the correct path to the logfile. Find and edit these lines in /etc/fail2ban/jail.local:

[exim]
enabled = true
filter  = exim
action  = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim_rejectlog

  • Miscellaneous

You can see the detailed status for a specified jail, like this:

fail2ban-client status nginx-req-limit

To dump the parsed configuration (useful for checking that your jail.local edits were read as intended), enter:

fail2ban-client -d