How to Set Up Fail2Ban
After installing Fail2Ban, consider configuring it. In this section, we will explore how to do it using the fail2ban.local and jail.local files.
Edit the Default Settings with fail2ban.local (Optional)
The fail2ban.conf file houses Fail2Ban’s basic configuration. It contains the global settings that should not be modified.
If you want to make any changes, we recommend creating a local file. Make a copy of fail2ban.conf and rename it to fail2ban.local to override the default configuration profile.
Here’s how to create the copy and edit the settings in the fail2ban.local file:
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Type in the following command and press Enter to open the file:
sudo nano /etc/fail2ban/fail2ban.local
Now you can edit the definitions inside the file. Let’s go over the options and the values they can take.
loglevel = INFO
Define the log output level as:
- CRITICAL – emergency conditions that should be investigated immediately.
- ERROR – something goes wrong but is not critical.
- WARNING – a potentially harmful condition.
- NOTICE – a normal but significant condition.
- INFO – informational messages that can be ignored.
- DEBUG – debug-level messages.

logtarget = STDERR
Set the target that Fail2Ban writes its log output to, which can be:
- FILE – the path of a log file to write to.
- SYSLOG – output to the system log (syslog).
- STDERR – output to standard error.
- STDOUT – output to standard output.

syslogsocket = auto
Set the syslog socket to auto or to the path of a socket file. This option is only used if you’ve set logtarget to SYSLOG.

socket = /var/run/fail2ban/fail2ban.sock
Set the socket file to communicate with the daemon. The default location is /var/run/fail2ban/fail2ban.sock.

pidfile = /var/run/fail2ban/fail2ban.pid
Set the PID file to store the process ID of the Fail2Ban server. The default location is /var/run/fail2ban/fail2ban.pid.

Setting Up the jail.local Configuration File
Fail2Ban has another configuration file named jail.conf which includes jails – filters with actions. However, users shouldn’t directly modify this file as it contains the basic rule set for the software.
Instead, make a copy of the original file and name it jail.local. Using it, you’ll be able to customize and set up filters, actions, and options such as ignoreip, bantime, findtime, maxretry, and backend.
ignoreip
This option lists the trusted IP addresses, DNS hosts, or CIDR masks that Fail2Ban should ignore. Fail2Ban will never ban the specified sources, no matter how many failures they generate, so keep the list as short as possible. You can add multiple addresses and separate them with a space.

bantime
This parameter sets the length of time that a client will be banned after repeated failed authentication. The ban period is measured in seconds, and the default number is 600, or 10 minutes.

findtime
This setting determines the time window in which failed login attempts are counted. If a host fails authentication a certain number of times (based on the maxretry setting) during the set period, its IP address will be banned.

maxretry
maxretry works together with findtime – it sets the maximum number of unsuccessful login attempts within the defined time window. The default value is 5.
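The following added example (not part of the original article and not Fail2Ban's own code) is a simplified Python model of how ignoreip, bantime, findtime, and maxretry interact on constructed sshd-style log lines. It assumes epoch-second timestamps, IP/CIDR entries only in ignoreip, and a ban as soon as maxretry failures fall inside findtime; the names simulate, make_log, FAILURE, and SAMPLE are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Simplified pattern for the constructed lines below (not a filter.d failregex).
FAILURE = re.compile(r"^(\d+) sshd\[\d+\]: Failed password for \S+ from (\S+) ")

def make_log(events):
    """Build constructed log lines: '<epoch> sshd[1]: Failed password ...'."""
    return [f"{ts} sshd[1]: Failed password for root from {ip} port 22 ssh2"
            for ts, ip in sorted(events)]

# Constructed sample input: a fast burst, a trusted host, a slow source.
SAMPLE = make_log(
    [(1000 + 10 * i, "203.0.113.7") for i in range(6)]        # 6 failures in 50 s
    + [(1000 + 5 * i, "192.0.2.10") for i in range(8)]        # inside ignoreip
    + [(1000 + 200 * i, "198.51.100.9") for i in range(5)]    # 1 failure per 200 s
)

def simulate(lines, ignoreip="127.0.0.1/8 192.0.2.0/24",
             bantime=600, findtime=600, maxretry=5):
    """Return [(ban_time, ip, unban_time)] for the given settings."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    recent = defaultdict(deque)    # ip -> failure timestamps inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue
        ts, ip = int(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue                          # ignoreip: never counted or banned
        if banned_until.get(ip, 0) > ts:
            continue                          # ban still active
        window = recent[ip]
        window.append(ts)
        while window[0] <= ts - findtime:     # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:           # threshold reached: ban for bantime
            banned_until[ip] = ts + bantime
            bans.append((ts, ip, ts + bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    print(simulate(SAMPLE))                   # defaults described above
    print(simulate(SAMPLE, findtime=3600))    # wider counting window
```

With the defaults, only the fast burst is banned; the source that fails once every 200 seconds is banned only when findtime is widened, which is why findtime and maxretry should be tuned together.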

backend
This option specifies the backend that Fail2Ban uses to detect log file modifications. The default value is auto, but if you use CentOS or Fedora, it needs to be systemd.
Here are the available values you can choose from:
- pyinotify – monitors file system changes in real time and requires a file alteration monitor to be installed.
- gamin – same as pyinotify but requires a Gamin tool.
- polling – uses a polling algorithm that doesn’t require external libraries.
- systemd – uses the systemd python library to access the systemd journal.
- auto – will use the previous values in this order – pyinotify, gamin, and polling.

You can also set up additional configurations in the jail.local file, including SSH and iptables settings. The available options include:
- banaction – defines which default action to use when the maxretry threshold is reached. If you use firewalld, set the value to firewallcmd-ipset. However, if you’ve set up UFW as your firewall, change it to ufw.
- banaction_allports – allows you to label and block IP addresses on every port. If you use firewalld, set the value to firewallcmd-ipset.
- port – the value should correspond to the set service. If you use the default port, change the value to the service name. If you use a non-traditional port, input its number here.
- filter – the name of the filter file located in /etc/fail2ban/filter.d, which contains the failregex information used to parse log files.

