How to Unban an IP Address from Fail2Ban

Let's face it, 9 out of 10 times if you are removing an IP address from fail2ban, it is probably your own. I have locked myself out remotely from my own server at a remote location more than once. This is why you should always have several methods of getting back into your own box.

First things first, let's look at iptables and get an idea of the jail names.

Shell

Looking at the bottom of this picture you will see where I have a host jailed from failed logins. Now we need to get the actual jail name.

Shell

We will remove this host in the next step.

Shell

That is all there is to it. If we run the same command again, we will see the number in the jail is down to one.

Shell

How to install Fail2ban on Debian 9 Stretch


What is Fail2Ban?

Fail2Ban is an application that runs as a service on your Linux system. Fail2Ban monitors your Linux system for malicious activity like brute force login attempts. In this day and age the internet is scanned in its entirety quite often. It is not uncommon to expose a new Linux installation to the internet and start getting login attempts within minutes. These bots, as they are called, attempt logins at a predefined rate until they are successful or they are blocked. Fail2Ban can monitor SSH and many more services. The hosts making those attempts can be jailed for an amount of time, or permanently.

Prerequisites:

  • A Debian 9 (stretch) installation
  • Logged in as root, or preface all commands with sudo
  • An idea of how long you want your ban and retry settings

Step 1: Update your installation

We will update apt and upgrade any packages, first things first.

Shell

Step 2: Install Fail2ban

Shell

Step 3: Tweak your configuration

In /etc/fail2ban/jail.conf you will find the following settings, which you will need to tweak to your needs.

Shell
/etc/fail2ban/jail.conf

Let's talk about these settings for a minute.

bantime – This is how long a server is banned, in seconds. Personally, I up this number greatly. I do not want bots bombarding my server. Once they get banned, personally I would rather just let them stay banned.

findtime – This one may be okay at its default, or you may want to up it some. Bots know the defaults, so they like to slow their attempts to match these settings, hoping to get by the fail2ban defaults.

maxretry – Remember, this is the number of retries within the findtime, so the default is 5 tries in 10 minutes.

For more detail on the settings, there is a good article here on blocking persistent threats.
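To see why findtime matters against paced attempts, here is an added example (not from the original post, and not fail2ban's own code) that models the findtime/maxretry window over constructed sshd log lines. The function names, the sample IPs from documentation ranges, and the 10 s and 160 s pacing are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Matches the auth.log line sshd writes for a failed password login.
FAILED = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (\S+) port \d+"
)

def sample_log(ip, count, gap):
    """Constructed log: `count` failures from `ip`, one every `gap` seconds."""
    lines = []
    for i in range(count):
        t = i * gap
        stamp = f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
        lines.append(f"Mar  4 {stamp} host sshd[1234]: "
                     f"Failed password for root from {ip} port 4242 ssh2")
    return lines

def banned_ips(lines, findtime, maxretry):
    """Return IPs that reach `maxretry` failures inside any `findtime` window.

    Simplified model: one day of timestamps, no date rollover handling.
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-login line
        h, mi, s, ip = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)
        window = recent[ip]
        window.append(now)
        # Forget failures that are findtime seconds old or older.
        while now - window[0] >= findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed input: a noisy client (every 10 s) and a paced one (every 160 s).
# Windows are tracked per IP, so the two runs do not need to be interleaved.
LOG = sample_log("203.0.113.7", 10, 10) + sample_log("198.51.100.9", 20, 160)

if __name__ == "__main__":
    print("findtime=600, maxretry=5 :", sorted(banned_ips(LOG, 600, 5)))
    print("findtime=3600, maxretry=5:", sorted(banned_ips(LOG, 3600, 5)))
```

With the defaults only the noisy client is banned; the paced one never has more than four failures inside any 10 minute window, and raising findtime to an hour catches it. When you settle on values, put them in /etc/fail2ban/jail.local rather than editing jail.conf, since the packaged jail.conf can be overwritten on upgrade.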

Step 4: Restart fail2ban

Shell

You can also check the status at any time with the status command.

Shell
