Fail2Ban Cheatsheet


To Get current version

If you need to get the current version of fail2ban you are running:

$ fail2ban-client version

or

$ fail2ban-server version

To Add New Rule

I am going to add a rule to ban clients whose User-Agent header contains "Mozlila".

Create a new filter in /etc/fail2ban/filter.d/, for example:
/etc/fail2ban/filter.d/apache-mozlila.conf

Example content:

[INCLUDES]

# Shared Apache definitions shipped with fail2ban; a filter must not include its own file
before = apache-common.conf

[Definition]

# <HOST> is expanded by fail2ban into a pattern matching the client IP at the start of the line;
# the rest of the line (request, referer, user agent) only has to contain "Mozlila"
failregex = ^<HOST> - .*Mozlila.*$

Test the regex against the log file the jail will watch:

# fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-mozlila.conf

Example output:

Running tests
=============

Use   failregex filter file : apache-mozlila, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 121 total
|-  #) [# of hits] regular expression
|   1) [121] ^<HOST> - .*Mozlila.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4236] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 4236 lines, 0 ignored, 121 matched, 4115 missed
[processed in 0.64 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 4115 lines

You can see it got 121 matches. I then opened the log in vim and counted the occurrences of the string to cross-check the filter:

:%s/Mozlila//gn

vim counted 121 occurrences as well, so the filter is not missing any lines.

Activate it by adding a jail to /etc/fail2ban/jail.local:

[apache-mozlila]
enabled  = true
# ports the ban applies to (the default action blocks them for the offending IP)
port     = http,https
# name of the filter file in filter.d/ without the .conf suffix
filter   = apache-mozlila
# path variable defined in fail2ban's paths-*.conf (resolves to the Apache access log)
logpath  = %(apache_access_log)s
# how long an IP stays banned
bantime  = 48h
# window (seconds) in which maxretry matches must occur
findtime = 600
# matches needed within findtime before a ban; 1 bans on the first hit
maxretry = 1

Restart fail2ban so it loads the new filter and jail:

# systemctl restart fail2ban

Check that the jail is listed and active with fail2ban-client status.

After a while, check whether it has banned anyone with fail2ban-client status apache-mozlila
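The following is an added example, not part of the original cheatsheet and not fail2ban's own code. It mirrors what fail2ban-regex does with the filter above (count the lines the failregex matches and extract the host from each) and then applies the jail's maxretry/findtime rule to those matches, so you can see which constructed log lines would lead to a ban. The five access-log lines are constructed samples with documentation IP addresses, and the <HOST> stand-in pattern is a simplification; fail2ban's real expansion of <HOST> is more elaborate (it handles IPv4, IPv6 and hostnames).

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format access-log lines (not real traffic).
# Two lines carry the misspelled "Mozlila" user agent, one from an IPv6 client;
# the "Mozilla" lines are ordinary browsers and must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozlila/5.0 (compatible; scanner)"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozlila/5.0 (compatible; scanner)"
2001:db8::1 - - [10/Oct/2023:13:57:15 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozlila/5.0"
198.51.100.23 - - [10/Oct/2023:14:10:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# The failregex exactly as written in apache-mozlila.conf.
FAILREGEX = r"^<HOST> - .*Mozlila.*$"

# Assumption for illustration: fail2ban expands <HOST> into a pattern that matches an IP
# address or hostname; a single non-whitespace token is enough for these sample lines.
HOST_PATTERN = r"(?P<host>\S+)"

# Apache access-log timestamp, the part fail2ban's date template recognises on each line.
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute the <HOST> placeholder and compile, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matches(log_text: str, failregex: str = FAILREGEX):
    """Return (host, timestamp) for every line the failregex matches.

    len() of the result is the 'matched' count fail2ban-regex prints.
    """
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if not m:
            continue
        d = DATE_RE.search(line)
        ts = datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S") if d else None
        hits.append((m.group("host"), ts))
    return hits


def decide_bans(hits, maxretry: int = 1, findtime: int = 600):
    """Apply the jail rule: ban a host once it has maxretry matches within findtime seconds.

    Returns {host: time_of_ban}. With the cheatsheet's maxretry = 1 the first match bans.
    """
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of matches still inside the findtime window
    banned = {}   # host -> timestamp of the match that triggered the ban
    for host, ts in hits:
        if host in banned:
            continue
        kept = [t for t in recent.get(host, []) if ts - t <= window]
        kept.append(ts)
        recent[host] = kept
        if len(kept) >= maxretry:
            banned[host] = ts
    return banned


def still_banned(ban_time: datetime, now: datetime, bantime_hours: int = 48) -> bool:
    """True while the jail's bantime (48h in the cheatsheet) has not yet elapsed."""
    return now - ban_time < timedelta(hours=bantime_hours)


if __name__ == "__main__":
    hits = matches(SAMPLE_LOG)
    print(f"Lines matched: {len(hits)}")
    for host, when in decide_bans(hits, maxretry=1, findtime=600).items():
        print(f"ban {host} at {when}")
```

Running it reports 3 matched lines and two bans (203.0.113.7 and 2001:db8::1); raising maxretry to 2 bans only 203.0.113.7, whose two hits fall 25 seconds apart and therefore inside findtime. Use the same SAMPLE_LOG trick on a real filter when you want to reason about a regex before pointing fail2ban-regex at a production log.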