fail2ban examples
Port 80 ban
Create new jail file in /etc/fail2ban/jail.d/test.local
[bottest]
enabled = true
maxretry = 4
findtime = 60s
bantime = 60s
action = iptables[name=bloKKKED, port=http]
logpath = %(nginx_access_log)s

This will create a bottest jail and will use a filter defined in /etc/fail2ban/filter.d/bottest.local. Example of regex matching nginx log:
[Definition]
failregex = client=<HOST> .*
ignoreregex =
datepattern = {^LN-BEG}
<HOST> is mandatory and has to match the IP address. Adapt the regex to your logging format and to the lines you need to match.
The iptables action is already defined in /etc/fail2ban/action.d/iptables.conf, and the nginx_access_log path is defined in /etc/fail2ban/paths-common.conf.
This will now ban HTTP requests for 60 seconds from any client that tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated iptables -nvL output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target        prot opt in     out     source               destination
   73 66036 f2b-bloKKKED  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
...
Chain f2b-bloKKKED (1 references)
 pkts bytes target        prot opt in     out     source               destination
    4  5864 REJECT        all  --  *      *       10.21.21.1           0.0.0.0/0            reject-with icmp-port-unreachable
   35 17374 RETURN        all  --  *      *       0.0.0.0/0            0.0.0.0/0
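To see what the jail above actually decides before touching iptables, the following added example (not from this page or from fail2ban itself) replays the bottest filter and the maxretry/findtime counting over a constructed log in Python. The <HOST> expansion is simplified to an IPv4 pattern and the timestamp layout is assumed; the real counting lives in fail2ban's filter and failmanager code, and fail2ban-regex is the tool to check a filter against a real log file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 4                         # from the [bottest] jail above
FINDTIME = timedelta(seconds=60)
# fail2ban expands <HOST> to its own address/hostname pattern; this stand-in
# (an assumption for the example) accepts dotted IPv4 addresses only.
FAILREGEX = re.compile(r"client=(?P<host>(?:\d{1,3}\.){3}\d{1,3}) .*")
# datepattern = {^LN-BEG} puts the timestamp at the line start; the
# "YYYY-MM-DD HH:MM:SS" layout is assumed for the constructed sample log.
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

def parse_line(line):
    """Return (timestamp, host) for a line the filter would match, else None."""
    m = DATE_RE.match(line)
    f = FAILREGEX.search(m.group("rest")) if m else None
    if not f:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), f.group("host")

def ban_events(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Simplified jail logic: ban a host once it has maxretry matching lines
    inside a sliding findtime window. Returns [(host, ban_time), ...]."""
    recent = defaultdict(deque)
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > findtime:   # forget matches older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            events.append((host, ts.strftime("%Y-%m-%d %H:%M:%S")))
            hits.clear()                 # counting restarts after the ban
    return events
# Constructed sample log (not from the page): one client bursts, one is slow.
SAMPLE_LOG = [
    "2022-11-08 15:00:01 client=10.21.21.1 GET / HTTP/1.1",
    "2022-11-08 15:00:05 client=10.21.21.1 GET /admin HTTP/1.1",
    "2022-11-08 15:00:09 client=10.21.21.1 GET /admin HTTP/1.1",
    "2022-11-08 15:00:12 client=10.21.21.1 GET /admin HTTP/1.1",
    "2022-11-08 15:00:20 client=192.0.2.7 GET / HTTP/1.1",
    "2022-11-08 15:03:00 client=192.0.2.7 GET / HTTP/1.1",
    "2022-11-08 15:06:00 client=192.0.2.7 GET / HTTP/1.1",
    "2022-11-08 15:09:00 client=192.0.2.7 GET / HTTP/1.1",
]
```

Only the bursting client reaches 4 matches inside one 60-second window, which is the host that ends up as the REJECT entry in the f2b-bloKKKED chain; the slow client never does unless findtime is raised.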
Tested on
- fail2ban 0.11.2
- Debian 11 Bullseye
wiki/fail2ban_examples.1667920236.txt.gz · Last modified: 2022/11/08 15:10 by antisa