Fail2Ban
Fail2ban is a piece of security software designed to react to an apparent security threat by taking a series of steps to block traffic from the attacker.
Usage
Fail2ban runs as the systemd service named fail2ban.
Viewing Banned IPs
Fail2ban uses iptables to block traffic from a suspected malicious host, so the current ban list can be read straight from iptables:
[root@portal01 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 222.127.101.155/32 -j REJECT --reject-with icmp-port-unreachable   <-- banned IP
-A f2b-sshd -s 112.85.42.177/32 -j REJECT --reject-with icmp-port-unreachable     <-- banned IP
-A f2b-sshd -j RETURN
Un-banning IPs
A single IP can be unbanned from a jail with the following command:
fail2ban-client set sshd unbanip IPADDRESSHERE
The quick way to unban all IPs is to set the ban period to one second; once every existing ban has expired, set the period back to 3600 seconds (1 hour):
fail2ban-client set sshd bantime 1; sleep 5; fail2ban-client set sshd bantime 3600
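As an added example (not part of this wiki page), the script below ties the two tasks above together: it parses "iptables -S" output into the banned addresses per fail2ban chain, and it unbans an address only after checking that it is a well-formed IPv4 address and is actually present in the jail's chain, logging the change via syslog. The function names f2b_banned_ips, f2b_is_ipv4 and f2b_unban and the F2B_CLIENT variable are my own, and the sample rules are constructed to match the listing above. One caveat: jails using an ipset- or nftables-based banaction keep the addresses in a set rather than in individual rules, so this parser finds nothing for them; "fail2ban-client status sshd" lists the jail's bans regardless of the backend.

```shell
#!/bin/sh
# Added example, not the wiki's own tooling: parse fail2ban chains out of
# `iptables -S` and unban an address only after validating it.

# Constructed sample of `iptables -S` output, modelled on the listing above.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 222.127.101.155/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 112.85.42.177/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Command used to talk to fail2ban. Override it for a dry run on a host
# without fail2ban, e.g. F2B_CLIENT="echo fail2ban-client".
: "${F2B_CLIENT:=fail2ban-client}"

# f2b_banned_ips RULES [CHAIN]: print one banned address per line.
# Only REJECT/DROP rules inside chains named f2b-* count, so the INPUT
# jump rule and the trailing RETURN are ignored. The /32 suffix is dropped.
f2b_banned_ips() {
    printf '%s\n' "$1" | awk -v chain="${2:-}" '
        $1 == "-A" && $2 ~ /^f2b-/ && (chain == "" || $2 == chain) {
            src = ""; hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) hit = 1
            }
            if (hit && src != "") { sub(/\/32$/, "", src); print src }
        }'
}

# f2b_is_ipv4 ADDR: succeed only for a dotted quad with each octet 0-255.
# This keeps arbitrary strings from being handed to fail2ban-client.
f2b_is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# f2b_unban JAIL ADDR RULES: unban ADDR from JAIL if it is well-formed and
# currently present in the f2b-JAIL chain of RULES (pass "$(iptables -S)").
# Returns 0 on success, 2 for a malformed address, 3 if it is not banned.
f2b_unban() {
    jail=$1 addr=$2 rules=$3
    if ! f2b_is_ipv4 "$addr"; then
        echo "refusing: '$addr' is not an IPv4 address" >&2; return 2
    fi
    if ! f2b_banned_ips "$rules" "f2b-$jail" | grep -qxF "$addr"; then
        echo "refusing: $addr is not banned in jail $jail" >&2; return 3
    fi
    # Record who lifted the ban so the change is auditable (logger may be absent).
    logger -t f2b-unban "unbanning $addr from $jail by ${SUDO_USER:-${USER:-?}}" 2>/dev/null || true
    $F2B_CLIENT set "$jail" unbanip "$addr"
}

# Demonstration on the constructed sample as a dry run (no fail2ban needed).
F2B_CLIENT="echo fail2ban-client"
echo "currently banned:"
f2b_banned_ips "$SAMPLE_RULES"
f2b_unban sshd 112.85.42.177 "$SAMPLE_RULES"
```

For real use, drop the demonstration lines, leave F2B_CLIENT at its default, and call f2b_unban with the live rule set, for example f2b_unban sshd 203.0.113.5 "$(iptables -S)".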
staff-wiki/security_fail2ban.txt · Last modified: 2023/08/29 19:56 by 127.0.0.1