HOWTO: fail2ban
Description: Scans logs, bans failed password IPs using iptables rules
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything


# Fail2ban
# ========
# To avoid having any old, unused files from previous versions, the best
# way is to back up configuration files, remove the old version first, then
# install the new one.  See the bottom for info about doing that.  Notes are
# included inline here also in case you can not do that.


# Python modules/packages
# =======================
# Pyinotify (optional)
# dnspython (optional)

# Install/upgrade using pip:
su -c "pip install --upgrade pyinotify dnspython"

## or install/upgrade using easy_install from setuptools:
#su -c "easy_install --upgrade pyinotify dnspython"


# Fail2ban 0.10.4
# ===============
# Prerequisites:
# Python >= 2.6 or >= 3.2
# Pyinotify >= 0.8.3 (optional; see above)
# dnspython (optional; see above)
# gamin >= 0.0.21 (optional)
# systemd >= 204 (optional)

# Get the Fail2ban source
cd
test -f installed/fail2ban-0.10.4.tar.gz &&
 mv installed/fail2ban-0.10.4.tar.gz .
test ! -f fail2ban-0.10.4.tar.gz &&
 wget https://github.com/fail2ban/fail2ban/archive/0.10.4.tar.gz \
  -O fail2ban-0.10.4.tar.gz

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
echo "d6ca1bbc7e7944f7acb2ba7c1065953cd9837680bc4d175f30ed155c6a3724\
49  fail2ban-0.10.4.tar.gz" | sha256sum -c

# Verify tarball w/ GPG:
( gpg --list-keys BD0A882C > /dev/null 2>&1 ||
  gpg --keyserver keys.gnupg.net --recv-keys BD0A882C ) &&
 wget -nc https://github.com/fail2ban/fail2ban/releases/download/\
0.10.4/fail2ban-0.10.4.tar.gz.asc &&
  gpg --verify fail2ban-0.10.4.tar.gz.asc &&
   rm fail2ban-0.10.4.tar.gz.asc

# Extract the tarball
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "fail2ban-*" -exec rm -r {} \;
tar xzvf ~/fail2ban-0.10.4.tar.gz
cd fail2ban-0.10.4
test $UID = 0 && chown -R root:root .

# Make sure you read README.md and ChangeLog if this is an upgrade for you
# and more docs are available online:
# https://www.fail2ban.org/wiki/index.php/Main_Page
# https://github.com/fail2ban/fail2ban/wiki

# Become root to install and configure it
su

# If you find yourself creating your own filter files in
# /etc/fail2ban/filter.d/, you may want to name them yourname-whatever.conf
# rather than modifying the existing files that are bundled with fail2ban,
# since the bundled .conf files are replaced in an upgrade.

# If you are upgrading fail2ban, back up your configuration files.
# No .local files will be removed or overwritten, but as the saying goes,
# it's better to be safe than sorry.  Any .conf files you customized will
# be overwritten.
test -d /etc/fail2ban &&
 ( cd /etc/fail2ban
   mkdir -p -m 0700 ~/backup/fail2ban
   tar cJvf ~/backup/fail2ban/fail2ban-$(date +%Y%m%d).tar.xz . )

# /usr/share/doc is usually a symlink to /usr/doc in Slackware
# Docs are installed to /usr/share/doc/fail2ban
# To change that, modify line 93 of setup.py
# If you are installing a newer version than covered here, look for
# "doc_files" in there

# Install Fail2ban
python setup.py install

# Install the man pages manually, which are not installed above
# Feel free to gzip or otherwise compress them, but they only take up about
# 45k total.
test -d /usr/man/man1 && install man/*.1 /usr/man/man1/
test -d /usr/man/man5 && install man/*.5 /usr/man/man5/
test ! -d /usr/man/man1 -a -d /usr/share/man/man1 &&
 install man/*.1 /usr/share/man/man1/
test ! -d /usr/man/man5 -a -d /usr/share/man/man5 &&
 install man/*.5 /usr/share/man/man5/

# Configuration files are in /etc/fail2ban, binaries are in /usr/bin, docs
# are in /usr/share/doc/fail2ban, data files are in /usr/share/fail2ban,
# pid and socket files will be in /var/run/fail2ban

# For info about configuration, see:
# /usr/doc/fail2ban/*
# man fail2ban
# man fail2ban-client
# man fail2ban-python
# man fail2ban-regex
# man fail2ban-server
# man fail2ban-testcases
# man jail.conf
# https://www.fail2ban.org/wiki/index.php/Main_Page
# https://github.com/fail2ban/fail2ban/wiki

# If upgrading, you may have old files left over from previous releases.
#
# Only one file matching this is needed for 0.10.4 (two will be present
# only while the old version is still running, until you stop it and start
# 0.10.4):
find /usr/share/fail2ban -type f -name "fail2ban-*-py*.egg-info"
#
# Any file under /usr/share/fail2ban/client, common, server, and testcases
# that ends with .py should have a matching .pyc file with today's date.
# If not it is probably a file from an old version that is no longer in use.
#
# You can check for old action files by comparing what is in the source
# with what you have in /etc/fail2ban/action.d/:
diff -r config/action.d/ /etc/fail2ban/action.d/
#
# You can check for old filter files by comparing what is in the source
# with what you have in /etc/fail2ban/filter.d/:
diff -r config/filter.d/ /etc/fail2ban/filter.d/
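The .py/.pyc check described above can be automated. The function below is an added example, not part of the original HOWTO: it lists every .py file under a directory that has no .pyc newer than a reference file, which is the sign of a leftover from an older release. It goes slightly beyond the text in that it also looks in __pycache__, where Python 3 keeps compiled files. The function name and the reference-file argument are this example's own; pass the egg-info file of the new install (the one the find above lists), since it was written at install time.

```shell
# Added example (not part of the original HOWTO).
# find_stale_py ROOT REF: print .py files under ROOT that have no compiled
# .pyc newer than REF, i.e. modules this install did not compile.
find_stale_py() {
    root=$1 ref=$2
    find "$root" -type f -name '*.py' | while read -r py; do
        dir=$(dirname "$py")
        base=$(basename "$py" .py)
        fresh=0
        # Python 2 layout: foo.pyc beside foo.py;
        # Python 3 layout: __pycache__/foo.cpython-XY.pyc
        for pyc in "$dir/$base.pyc" "$dir/__pycache__/$base".*.pyc; do
            if [ -f "$pyc" ] && [ "$pyc" -nt "$ref" ]; then
                fresh=1
            fi
        done
        [ "$fresh" = 1 ] || echo "$py"
    done
}

# Usage after installing 0.10.4 (egg-info name is version-specific):
# find_stale_py /usr/share/fail2ban \
#   "$(ls -t /usr/share/fail2ban/fail2ban-*-py*.egg-info | head -1)"
```

Anything it prints was not compiled by the install you just ran; compare it against the source tree before deleting, as the HOWTO suggests for action.d and filter.d.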

# Run this to make sure it's OK (and to see commandline usage)
fail2ban-client -h

# I run Fail2ban from my firewall script that sets up the iptables rules.
# This way if the firewall rules are re-set, Fail2ban won't be thinking
# someone is "banned" when they're really not.  I still install the init
# script as seen below, but only set it to automatically run it on
# shutdown or reboot.
#
# If you will not be running it from a firewall script, you can either
# set it to run (fail2ban-client start) out of /etc/rc.d/rc.local, or if
# you've got a modern Slackware with rc.sysvinit rc?.d directories (and
# do not already have the systemd setup installed), install an init script
# to start it on boot-up.
#
# This will install the init script:
install -m 700 files/redhat-initd /etc/rc.d/init.d/fail2ban
# This will set it to run the init script on boot-up; don't set these
# if running from a firewall script or it will run twice
( cd /etc/rc.d/rc3.d && ln -sf ../init.d/fail2ban S92fail2ban )
( cd /etc/rc.d/rc4.d && ln -sf ../init.d/fail2ban S92fail2ban )
( cd /etc/rc.d/rc5.d && ln -sf ../init.d/fail2ban S92fail2ban )
# This will set it to run the init script on shutdown or reboot:
( cd /etc/rc.d/rc0.d && ln -sf ../init.d/fail2ban K08fail2ban )
( cd /etc/rc.d/rc6.d && ln -sf ../init.d/fail2ban K08fail2ban )

# Create a copy of fail2ban.conf as fail2ban.local and jail.conf as
# jail.local, then configure your changes in the .local files.
# They only need to include overriding changes to what is already
# in the corresponding .conf file.  You can also create one jail rule
# per file under /etc/fail2ban/jail.d/ if you prefer.
test ! -f /etc/fail2ban/fail2ban.local &&
 cp -a /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
test ! -f /etc/fail2ban/jail.local &&
 cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# In addition to the .local files in /etc/fail2ban/, you can also create
# a .local file overriding settings in any .conf file.  Good examples for
# this are setting sendmail sender and recipient addresses in
# sendmail-common.local and the iptables blocking jump target in
# iptables-blocktype.local (e.g. if you want a custom one instead of DROP)
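A minimal jail.local written the way the text describes, as an added example that is not part of the original HOWTO: only the overriding keys, everything else left to jail.conf. The jail name sshd and the keys used are standard fail2ban 0.10 settings; the ignoreip network and the thresholds are constructed values, and the function name and its directory argument are this example's own.

```shell
# Added example (not part of the original HOWTO).
# write_jail_local [CONFDIR]: create CONFDIR/jail.local (default
# /etc/fail2ban) holding only local overrides. Refuses to touch an existing
# jail.local, since that is where earlier local changes live.
write_jail_local() {
    confdir=${1:-/etc/fail2ban}
    target=$confdir/jail.local
    if [ -e "$target" ]; then
        echo "write_jail_local: $target exists, not overwriting" >&2
        return 1
    fi
    cat > "$target" << 'EOF'
# Local overrides only; jail.conf keeps the defaults and is replaced on upgrade.
[DEFAULT]
# Never ban loopback or the admin network (192.0.2.0/24 is a constructed value).
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
# Ban for an hour after 5 failures within 10 minutes.
bantime  = 1h
findtime = 10m
maxretry = 5
# Plain iptables ban; the _mw/_mwl variants also send mail.
banaction = iptables-multiport
action = %(action_)s

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
EOF
}

# Usage: write_jail_local            (writes /etc/fail2ban/jail.local)
#        write_jail_local /tmp/f2b   (try it somewhere harmless first)
```

After writing it, fail2ban-client -d prints the merged configuration so you can see the overrides applied on top of jail.conf, and fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf shows whether the sshd filter matches your log before the jail is enabled.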

# If you have /etc/fail2ban/fail2ban.local set to log to a file (not via
# syslog), set up logrotate for it
cat << EOF > /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
  daily
  rotate 6
  missingok
  compress
  postrotate
    /usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
  endscript
}
EOF
chmod 600 /etc/logrotate.d/fail2ban

## With that init script, do this to start|stop|restart and get status:
# /etc/rc.d/init.d/fail2ban start
# /etc/rc.d/init.d/fail2ban stop
# /etc/rc.d/init.d/fail2ban reload
# /etc/rc.d/init.d/fail2ban restart
# /etc/rc.d/init.d/fail2ban status

# Become your non-root user again
exit

# Save the tarball for later
cd
mkdir -p -m 0700 installed
rm -f installed/fail2ban-*.tar.*
mv fail2ban-0.10.4.tar.gz installed/


# If you ever want to uninstall Fail2ban, this should do it:
cd
su
test -d /etc/fail2ban && rm -r /etc/fail2ban
( cd /usr/bin
  rm -f fail2ban-client fail2ban-python fail2ban-regex fail2ban-server \
   fail2ban-testcases )
# Remove the man pages from whichever man directory they were installed to
for d in /usr/man /usr/share/man; do
  test -d $d/man1 &&
   ( cd $d/man1
     rm -f fail2ban.1 fail2ban-client.1 fail2ban-python.1 fail2ban-regex.1 \
      fail2ban-server.1 fail2ban-testcases.1 )
  test -d $d/man5 && rm -f $d/man5/jail.conf.5
done
test -d /usr/share/fail2ban && rm -r /usr/share/fail2ban
test -d /var/run/fail2ban && rm -r /var/run/fail2ban
test -d /usr/share/doc/fail2ban && rm -r /usr/share/doc/fail2ban
exit
find ~/src -maxdepth 1 -type d -name "fail2ban-*" -exec rm -r {} \;
rm -f ~/installed/fail2ban-*.tar.*



Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>