fail2ban - Free of dictionary attacks

Written by
Date: 2007-10-10 10:36:30 00:00

Starting this year I posted about DenyHosts, which is a must have tool to avoid dictionary attacks to port 22 (ssh).

This kind of tools are really needed by sysadmins because the normal user refuse to make strong password, If the admin gives them a strong password, they will write it down, and then it stops being “strong”, If the admin tells the normal users, they need to remember their passwords and not to write them down, they will come with weak passwords like their son’s name, looking for new ways to secure the servers against dictionary attacks or brute force attacks, I have found this other tool that can do the job, I think this one is more flexible than DenyHosts, and also it works with Iptables. Well lets start, telling the options of fail2ban and its features.

It works by parsing logs files and thus finding failure attempts to log into the system, via a lot of possible protocols, and then acting to block the IP of the offending machine for the time you may configure, and using a lot of ways to achieve that.

It can block using:

  • Iptables
  • shorewall
  • Denyhost

I will only talk here about Iptables which is the one I understand better.

fail2ban is actually two programs, a server and a client, while the server performs the actions of banning the IPs, the client is the one who reads the configurations files and parses the log files to instruct the server what to do.

Installing it

Debian / ubuntu

apt-get install fail2ban

Gentoo / Sabayon

emerge fail2ban

Configuring it

Once installed there is the need of configuring it before making it run.

Fail2ban has two main configuration files called /etc/fail2ban/fail2ban.conf /etc/fail2ban/

Usually you will only need to change jail.conf

Jail.conf is divided by sections

[default] Where all default options should go, all of them could be overwritten by the options written under the individual jails on this file

The options are:


Defines whether or not a given section is enabled or nor, its possible values are:

  • false
  • true


This is not used in the default section as it is used to tell fail2ban client what it is looking for in the logfile, its values could be among others:

  • sshd
  • proftpd
  • httpd

basically it is how the service is identified on the log file being parsed


This option tells fail2ban what action to take once a rule is broken, could be specified a default action in the default section, and overwritten on each jail section you may need to change the default value.


With this option we need to pass the file to be parsed, should be taken into account that different distribution has different log files for instance for ssh in:

  • Fedora -> /var/log/secure
  • CentOS -> /var/log/secure
  • Debian -> /var/log/auth
  • Ubuntu -> /var/log/auth
  • Sabayon -> /var/log/messages

If you put a wrong value here, it will not work and will give you no errors.


This option is used to set one or some IPs that should not be blocked, no matter how many times a users fail in login from those IPs, use this with care


This option is used to set the limit of retries a user have before he gets blocked


This option is used to set the time (in seconds) an IP will be banned, maybe a good option could be 5 minutes so, 300 seconds, this will put bots away while also letting legitimate users to try again after the ban time ends


Use this option to set the email of the person who should receive alerts when an IP is banned


Use this option to instruct with action will be taking in order to ban an offending IP. ie:

  • iptables — To use Iptables in order to ban the offending IP
  • iptables-new — To ban only new connections
  • iptables-multiport — To ban all ports from the offending IP
  • shorewall — To use Shorewall instead of Iptables


Set here the default protocol to ban, TCP or UDP Lets put an example to secure ssh access. Example of /etc/fail2ban/fail2ban.conf

loglevel = 3 # 1=Error, 2=Warn, 3=Info, 4=Debug
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban.sock

Now lets go with the /etc/fail2ban/jail.conf


ignoreip =
bantime  = 600
maxretry = 3
backend = polling
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
action = %(action_)s

enabled = true
port	= ssh,sftp
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 6

enabled = false
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

With these files we will have ssh enabled and secured, you see also here the configuration for apache, but it is disable. to turn the service on run:

/etc/init.d/fail2ban start