Tools: Fail2ban Cheat Sheet for Sysadmins

Source: Dev.to

Fail2ban is a critical tool for safeguarding servers against brute-force attacks: it monitors logs and bans the IPs behind repeated failures. This cheat sheet collects the most important concepts and commands for managing Fail2ban effectively.

## 1. Core Concepts

- **Jail**: A Fail2ban unit that defines which logs to monitor, which filter to apply, and which actions to take (e.g., banning an IP). Example: SSH protection with the `sshd` jail.
- **Filter**: A regex-based rule set that identifies bad behavior in logs.
- **Action**: The response Fail2ban triggers on a match (e.g., banning an IP using iptables).
- **Ban Time**: How long an IP stays banned (seconds).
- **Max Retry**: The maximum number of failed login attempts before an IP is banned.

## 2. Service Management

Start the Fail2ban service:

```bash
sudo systemctl start fail2ban
```

Stop the Fail2ban service:

```bash
sudo systemctl stop fail2ban
```

Restart the Fail2ban service (for major configuration changes):

```bash
sudo systemctl restart fail2ban
```

Reload the Fail2ban service (for minor configuration changes):

```bash
sudo fail2ban-client reload
```

Enable Fail2ban at startup:

```bash
sudo systemctl enable fail2ban
```

Check the Fail2ban service status:

```bash
sudo systemctl status fail2ban
```

## 3. Reload vs Restart

**Best Practice**: Begin with a reload. If the changes are not applied or functional issues occur, use a restart.

## 4. Key Configuration Files

- Main configuration: `/etc/fail2ban/fail2ban.conf`
- Jail configuration: `/etc/fail2ban/jail.conf` or `/etc/fail2ban/jail.local` (use `jail.local` for custom settings so that package updates do not overwrite them).
- Log file: `/var/log/fail2ban.log`

## 5. Managing Jails

List the active jails:

```bash
sudo fail2ban-client status
```

Get the detailed status of a specific jail:

```bash
sudo fail2ban-client status <jail_name>
```

Ban an IP manually in a jail:

```bash
sudo fail2ban-client set <jail_name> banip <IP_address>
```

Unban an IP from a jail:

```bash
sudo fail2ban-client set <jail_name> unbanip <IP_address>
```

Unban all IPs from a specific jail:

```bash
sudo fail2ban-client set <jail_name> unban --all
```

## 6. Sample Jail Configuration

Customize `/etc/fail2ban/jail.local` to protect SSH:

```ini
[DEFAULT]
# Defaults for all jails
ignoreip = 127.0.0.1/8 192.168.1.0/24   # Whitelist specific IPs or ranges
bantime  = 3600                         # 1 hour ban duration
findtime = 600                          # Time window to detect multiple failed attempts
maxretry = 3                            # Max failed attempts before banning
backend  = auto                         # Log backend, usually auto-detected

[sshd]
enabled = true                          # Enable the SSH jail
port    = ssh                           # Override port if not default
logpath = /var/log/auth.log             # Path to SSH authentication log
filter  = sshd                          # Use the SSH filter for matching logs
```

```bash
# Reload Fail2ban to apply changes
sudo fail2ban-client reload
```

## 7. Analyzing Logs

Monitor Fail2ban activity:

```bash
sudo tail -f /var/log/fail2ban.log
```

Find banned IPs in the logs:

```bash
grep 'Ban' /var/log/fail2ban.log
```

## 8. Create a Custom Jail

To protect Apache from login-related brute-force attacks:

- Add this to `/etc/fail2ban/jail.local`:
- Create the filter `/etc/fail2ban/filter.d/apache-auth.conf`:
- Reload Fail2ban to apply:
- Test the custom filter:

## 9. Debugging

Dump the parsed configuration to check it for syntax errors:

```bash
sudo fail2ban-client -d
```

View the system logs for Fail2ban:

```bash
journalctl -u fail2ban
```

## 10. Persistent Bans Across Restarts

If you want bans to persist after Fail2ban is restarted:

- Enable persistent bans in `/etc/fail2ban/jail.local`:
- Restart Fail2ban:

```bash
sudo systemctl restart fail2ban
```

## 11. iptables Integration

To view the iptables rules created by Fail2ban:

```bash
sudo iptables -L -n
```

To remove or flush all Fail2ban-related rules:

```bash
sudo iptables -F
```

Note that `iptables -F` flushes every rule in the filter table, not only the ones Fail2ban created, so check what else is loaded before running it.

## 12. Security Best Practices

- Always whitelist critical IPs using `ignoreip` to prevent accidental bans.
- Customize `jail.local` for site-specific setups (avoid editing `jail.conf`).
- Regularly monitor `/var/log/fail2ban.log` for suspicious activity or misconfigurations.
- Periodically test your filters using: `sudo fail2ban-regex <logfile> <filter_file>`.
- Enable email alerts for ban events by customizing the `action` parameter in your jails.

Fail2ban is a powerful tool to lock down your system against brute-force attacks. Regularly monitor logs, refine filters, and keep configs well-maintained for optimal performance and security.

Thank you for reading! This article was written by Ramiro Gómez using open source software and the assistance of AI tools. While I strive to ensure accurate information, please verify any details independently before taking action.

For more articles, visit the Geeklog on geeksta.net.
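To make the `findtime` / `maxretry` / `bantime` / `ignoreip` settings from the sample jail in section 6 concrete, here is an added example (not code from the article or from the Fail2ban project) that replays a constructed `auth.log` excerpt through the same decision logic; the `FAILREGEX` is a simplified stand-in for the stock `sshd` filter, not Fail2ban's actual failregex.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the sample [DEFAULT]/[sshd] jail.local in section 6.
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1/8", "192.168.1.0/24")]
BANTIME = timedelta(seconds=3600)
FINDTIME = timedelta(seconds=600)
MAXRETRY = 3
# Assumed, simplified sshd failregex; Fail2ban's <HOST> is written out as a named group.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)

def simulate(lines, year=2024):
    """Replay syslog-style lines; return {ip: datetime when its ban expires}."""
    failures = defaultdict(list)  # ip -> timestamps of failures inside findtime
    bans = {}                     # ip -> ban expiry
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # does not match the filter, e.g. a successful login
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = m["host"]
        if is_ignored(ip) or (ip in bans and bans[ip] > ts):
            continue  # whitelisted by ignoreip, or already banned
        # Keep only failures inside the findtime window, then add this one
        failures[ip] = [t for t in failures[ip] if ts - t <= FINDTIME] + [ts]
        if len(failures[ip]) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            failures[ip] = []
    return bans

# Constructed auth.log excerpt: three hits inside 10 min (banned), three from a
# whitelisted range (ignored), three spread over 20 min (never reach maxretry).
LOG = """\
Mar 14 10:00:01 web sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 14 10:00:30 web sshd[1202]: Accepted publickey for ops from 203.0.113.8 port 50125 ssh2
Mar 14 10:02:30 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 14 10:05:10 web sshd[1204]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar 14 10:05:11 web sshd[1205]: Failed password for root from 192.168.1.20 port 40000 ssh2
Mar 14 10:05:12 web sshd[1206]: Failed password for root from 192.168.1.20 port 40001 ssh2
Mar 14 10:05:13 web sshd[1207]: Failed password for root from 192.168.1.20 port 40002 ssh2
Mar 14 11:00:00 web sshd[1208]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar 14 11:05:00 web sshd[1209]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar 14 11:20:00 web sshd[1210]: Failed password for root from 198.51.100.9 port 41002 ssh2
""".splitlines()
```

Running `simulate(LOG)` bans only `203.0.113.7` until 11:05:10; the slow attacker never accumulates three failures inside one `findtime` window, which is why `findtime` should be tuned together with `maxretry`.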
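`grep 'Ban'` in section 7 shows every ban ever logged, but not which IPs are still banned once `Unban` lines are taken into account. This added example (not from the article) parses constructed `/var/log/fail2ban.log` lines in the format Fail2ban's `fail2ban.actions` logger writes, counts bans per jail and IP, and derives the currently banned set; `Restore Ban` lines are the ones you see after a restart when bans are persisted (section 10).

```python
import re
from collections import Counter, defaultdict

# Matches the NOTICE lines fail2ban.actions writes for ban events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Restore Ban|Ban|Unban) (?P<ip>\S+)$"
)

def summarize(lines):
    """Return (ban_counts[(jail, ip)], {jail: sorted currently banned IPs})."""
    ban_counts = Counter()
    active = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # INFO/filter/startup lines are not ban events
        jail, ip, action = m["jail"], m["ip"], m["action"]
        if action == "Unban":
            active[jail].discard(ip)
        else:
            active[jail].add(ip)
            if action == "Ban":  # a restored ban is not a new offence
                ban_counts[(jail, ip)] += 1
    return ban_counts, {j: sorted(s) for j, s in active.items() if s}

# Constructed fail2ban.log excerpt (same IP banned, unbanned, re-banned, restored).
SAMPLE = """\
2024-03-14 10:05:10,512 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-14 10:09:44,001 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.9 - 2024-03-14 10:09:43
2024-03-14 10:31:02,220 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 198.51.100.9
2024-03-14 11:05:10,600 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-03-14 11:10:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-14 11:30:00,000 fail2ban.actions        [901]: NOTICE  [sshd] Restore Ban 203.0.113.7
""".splitlines()
```

Point `summarize` at `open("/var/log/fail2ban.log")` to get the same breakdown for a live host; an IP with a high ban count is a candidate for a longer `bantime`, and a whitelisted host showing up at all is a sign `ignoreip` is wrong.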