Fail2Ban Cheatsheet
To Get current version
If you need to get the current version of fail2ban you are running:
$ fail2ban-client version
or
$ fail2ban-server version
To Add New Rule
I am going to add a rule to ban clients whose User-Agent header contains "Mozlila" (a misspelling of "Mozilla" that no legitimate browser sends).
Create new filter in /etc/fail2ban/filter.d/
/etc/fail2ban/filter.d/apache-mozlila.conf
Example content:
[INCLUDES]
# Shared Apache definitions shipped with fail2ban; a filter must never include itself.
before = apache-common.conf
[Definition]
failregex = ^<HOST> - .*Mozlila.*$
Test the regex against the log file the jail will watch:
# fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-mozlila.conf
Example output:
Running tests
=============
Use failregex filter file : apache-mozlila, basedir: /etc/fail2ban
Use log file : /var/log/apache2/access.log
Use encoding : UTF-8
Results
=======
Failregex: 121 total
|- #) [# of hits] regular expression
| 1) [121] ^<HOST> - .*Mozlila.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [4236] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 4236 lines, 0 ignored, 121 matched, 4115 missed
[processed in 0.64 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 4115 lines
You can see it got 121 matches. To cross-check, I opened the log in vim and counted how many lines contain the string:
:%s/Mozlila//gn
And it saw it 121 times as well!
Enable the jail in /etc/fail2ban/jail.local:
[apache-mozlila]
enabled = true
port = http,https
filter = apache-mozlila
logpath = %(apache_access_log)s
bantime = 48h
findtime = 600
maxretry = 1
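To see what the filter and jail settings above actually do, here is an added Python example (it is not part of this cheatsheet and not fail2ban's own code). It expands the <HOST> tag into a simplified IPv4-only pattern (an assumption: real fail2ban also matches IPv6 addresses and hostnames), runs the failregex over a few constructed access-log lines, reports matched/missed counts like fail2ban-regex does, and applies the jail's findtime/maxretry rule to decide which hosts would be banned. The log lines, IP addresses and function names are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption for this example):
# real fail2ban expands <HOST> to match IPv4, IPv6 and hostnames; this covers
# dotted IPv4 only, which is enough for the constructed sample below.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the apache-mozlila filter above.
FAILREGEX = r"^<HOST> - .*Mozlila.*$"

# Apache access-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic). 203.0.113.7 sends the bad
# user agent twice within 30 s, 203.0.113.9 once; 198.51.100.2 is a normal
# client whose "Mozilla" user agent must NOT match the "Mozlila" pattern.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozlila/5.0 (compatible)"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozlila/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:06 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozlila/5.0 (compatible)"',
    '198.51.100.2 - - [10/Oct/2023:14:30:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.88.1"',
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile, as fail2ban-regex does internally."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line):
    """Extract the bracketed Apache timestamp as an aware datetime (None if absent)."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group("ts"), TS_FORMAT) if m else None


def scan_log(lines, failregex=FAILREGEX):
    """Return (host, timestamp) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hits.append((m.group("host"), parse_timestamp(line)))
    return hits


def summarize(lines, failregex=FAILREGEX):
    """Counts in the spirit of the 'Lines:' summary printed by fail2ban-regex."""
    matched = len(scan_log(lines, failregex))
    return {"lines": len(lines), "matched": matched, "missed": len(lines) - matched}


def hosts_to_ban(hits, findtime, maxretry):
    """Apply the jail rule: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    by_host = {}
    for host, ts in hits:
        by_host.setdefault(host, []).append(ts)
    banned = set()
    for host, stamps in by_host.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= window]
            if len(in_window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    # With the jail's maxretry = 1, a single matching line is enough to ban.
    print("maxretry=1:", sorted(hosts_to_ban(hits, findtime=600, maxretry=1)))
    # With maxretry = 2, only the host seen twice inside findtime is banned.
    print("maxretry=2:", sorted(hosts_to_ban(hits, findtime=600, maxretry=2)))
```

Because the jail above sets maxretry = 1, a single matching line bans a host for the full 48h bantime, so the failregex has to be tight: that is why running fail2ban-regex against real traffic and comparing the hit count, as done earlier on this page, matters before enabling the jail.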
Restart fail2ban:
# systemctl restart fail2ban
Check that the jail is loaded with fail2ban-client status
After a while, check whether it has banned anyone with fail2ban-client status apache-mozlila