Dump the code

Setting up your first jail

Created 7 months ago
Posted By admin
4min read
A "jail" is a set of rules and actions applied to a specific service or application. For example, there can be a jail for SSH, Apache, or any other service you want to protect.

Let's create our first jail, for the SSH service.

1. Install Fail2Ban:
Make sure Fail2Ban is installed on your system. You can usually install it using your package manager. For example, on Debian/Ubuntu systems:

sudo apt-get install fail2ban
sudo systemctl enable --now fail2ban

2. Configuration file:
The main configuration file is /etc/fail2ban/jail.conf, but package upgrades overwrite it, so your own settings belong in /etc/fail2ban/jail.local, which Fail2Ban reads afterwards and which overrides anything in jail.conf. If jail.local does not exist yet, create it. Copying jail.conf gives you a fully commented starting point:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

A leaner alternative, and the one the Fail2Ban authors recommend, is a jail.local that contains only the sections and keys you actually change; everything else is inherited from jail.conf.

3. Edit configuration:
Open jail.local in your favorite text editor. You'll find sections for different services and settings (if you copied jail.conf, an [sshd] section already exists, so edit it rather than adding a second one). For example, to protect SSH:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 600
  • enabled: Set it to true to enable the jail. jail.conf ships most jails disabled, so every jail you want active needs this override.
  • port: The port(s) the ban rule blocks. "ssh" is the service name from /etc/services (port 22); if your daemon listens elsewhere, put the real port number, or a comma-separated list, here, otherwise the ban will not cover the port the attacker is actually hitting.
  • filter: The filter to use. Predefined filters live in /etc/fail2ban/filter.d/; "sshd" refers to /etc/fail2ban/filter.d/sshd.conf, whose regexes match the failed-login lines written by OpenSSH. The filter defaults to the jail name, so this line is optional here.
  • logpath: Path to the service's log file. On Debian/Ubuntu with rsyslog, SSH authentication attempts land in /var/log/auth.log. On systems where sshd logs only to the systemd journal (Debian 12 without rsyslog, for example) that file does not exist; set backend = systemd instead of a logpath so Fail2Ban reads the journal.
  • maxretry: The number of failures before an IP is banned. Here, three failed logins from one address within findtime trigger the ban.
  • findtime: The sliding window, in seconds, over which failures are counted. Here failures older than 600 seconds (10 minutes) no longer count toward maxretry, so three attempts spread over an hour are never banned.
  • bantime: How long, in seconds, an IP stays banned once it reaches maxretry within findtime; here 600 seconds (10 minutes). Recent releases also accept suffixes such as 10m or 1h, and -1 means a permanent ban.

Before enabling any jail, add your own address or management network to ignoreip in the [DEFAULT] section (for example ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24) so that mistyping your own password cannot lock you out.

4. Restart Fail2Ban:
After making changes, restart Fail2Ban to apply the new configuration:

sudo systemctl restart fail2ban

Now Fail2Ban will monitor the specified log file for the defined service and ban IPs that exceed the allowed number of login failures.

5. Check the status of a specific jail:
To check the status of a specific jail, run:

sudo fail2ban-client status sshd

This reports the sshd jail's filter statistics (currently failed and total failed attempts, and the log file being watched) and its action statistics (currently banned and total banned addresses, plus the list of banned IPs). Running sudo fail2ban-client status with no jail name lists all active jails, and sudo fail2ban-client set sshd unbanip <address> lifts a ban early, which is handy when a legitimate user has locked themselves out.
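The whole procedure above, folded into one script you can run before touching /etc/fail2ban. This is an added example, not code from the original post or from the Fail2Ban project: write_jail_local writes a jail.local that holds only overrides, and would_ban is a small awk emulation of the "Failed password" rule from the sshd filter combined with the maxretry/findtime counting, run over constructed auth.log lines (not real data). The host name, the IP addresses and the 192.0.2.0/24 ignoreip range are assumptions for the demo; the real check of a filter against your own logs is fail2ban-regex, which this script only approximates.

```shell
#!/bin/sh
# Added example (not from the original post or the Fail2Ban project).
# Writes a minimal jail.local and dry-runs the maxretry/findtime logic
# against constructed auth.log lines, so you can see which IPs the
# [sshd] jail above would ban before you restart the service.

# Write a jail.local that holds only overrides; everything else is
# inherited from jail.conf.  $1 = destination path (assumption: writable,
# in real use /etc/fail2ban/jail.local).
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# Never ban yourself: loopback plus your management network
# (192.0.2.0/24 is an assumed value; put your own range here)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 600
EOF
}

# Constructed sample log lines (not real data), in the syslog format OpenSSH
# writes to /var/log/auth.log.  203.0.113.5 fails three times in under three
# minutes; 198.51.100.7 also fails three times, but spread over 32 minutes.
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:01:15 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:02:30 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:03:00 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 10:20:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jan 10 10:35:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jan 10 10:36:00 host sshd[1007]: Accepted publickey for deploy from 192.0.2.10 port 40007 ssh2'

# Emulate the jail: match "Failed password" lines (one of the patterns in
# filter.d/sshd.conf), count failures per source IP inside a sliding
# findtime window, and print each IP the first time it reaches maxretry.
# Timestamps are parsed as HH:MM:SS only, so all lines must be from one day.
# usage: printf '%s\n' "$SAMPLE_LOG" | would_ban MAXRETRY FINDTIME
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            ts[ip, n[ip]] = now
            # only failures inside the last findtime seconds count
            cnt = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) cnt++
            if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Dry run with the values from the jail above: only 203.0.113.5 is printed,
# because 198.51.100.7 never accumulates three failures within 600 seconds.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600
```

Re-run the last line with a findtime of 3600 and 198.51.100.7 is banned as well, which is the trade-off the two settings encode: a longer window catches slow, low-rate password guessing but also makes it easier for a clumsy legitimate user to reach maxretry.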


Remember to adjust the configuration according to your specific needs and review the Fail2Ban documentation for more advanced configurations and options.