86372d admin 2025-09-03 14:13:59
added original dokuwiki page

# Fail2Ban

- [Wikipedia Article](https://en.wikipedia.org/wiki/Fail2ban)
- [Source Code](https://github.com/fail2ban/fail2ban)
- [Archlinux Wiki](https://wiki.archlinux.org/title/Fail2ban)

Fail2Ban is security software for servers that **protects against brute-force attacks** (repeated login attempts with incorrect passwords).

It **monitors the server's security logs** and blocks IP addresses that rack up too many failed login attempts.

This prevents attackers from taking control of your server by guessing your password.

``` shell
sudo apt install fail2ban
```

## Configuration

The configuration files are located in:

``` shell
/etc/fail2ban
```

:::info
Don't **copy the conf to local**; we want to make precise modifications to the default, so let's not lose ourselves in thousands of parameters. Let's target the ones we need to change.
:::

First, create a `jail.local` file to override the default parameters:

``` shell
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Then make the changes in that file:

``` shell
# open the file with our text editor, micro
sudo micro /etc/fail2ban/jail.local
```

The file has two sections by default: **DEFAULT** and **sshd**.

#### Default

```ini
# "bantime" is the number of seconds that a host is banned.
bantime = 7800m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 30m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88

# Longer bans for repeat offenders
bantime.increment = true
bantime.rndtime = 2048
bantime.multipliers = 1 5 30 60 300 720 1440 2880
```

#### sshd

```ini
[sshd]
enabled = true
port = 53684
bantime = 1d
findtime = 1d
maxretry = 3
maxfailures = 5
# Repeat-offender settings. Fail2ban only treats " ;" as an inline comment,
# so the notes below use that form; a trailing "# ..." would become part of the value.
#bantime.increment = true
bantime.findtime = 1w ; period during which previous bans are counted for the increment
bantime.factor = 2 ; multiplier applied to the ban duration
bantime.maxtime = 1y ; maximum ban duration
```

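The DEFAULT and sshd blocks above escalate ban time in two different ways (a multiplier list, and `bantime.factor` with a `bantime.maxtime` cap), and it is easy to misjudge how long a repeat offender ends up locked out. The Python script below is an added example, not code from the wiki page or from Fail2ban. It is a simplified model of the documented behaviour: with `bantime.multipliers`, the n-th ban is bantime times multipliers[n] (the last multiplier is reused once the list runs out); without them it assumes the default formula from jail.conf, bantime times 2^n times `bantime.factor`; `bantime.maxtime` caps the result and `bantime.rndtime` jitter is ignored. Check the `bantime.formula` comment in your own jail.conf before relying on the numbers.

```python
import re

# Time-unit suffixes accepted in Fail2ban time values ("30m", "1d", "1w", "1y").
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def parse_duration(text):
    """Convert a Fail2ban-style duration such as "7800m" or "1y" to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdwy]?)\s*", text)
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def ban_schedule(bantime, bans, multipliers=None, factor=1, maxtime=None):
    """Length in seconds of each of the first `bans` bans handed to one host.

    Simplified model (assumption, see lead-in): multipliers win if given,
    otherwise the ban doubles on every repeat and is scaled by `factor`;
    `maxtime` caps every entry.  Random jitter (bantime.rndtime) is ignored.
    """
    base = parse_duration(bantime)
    cap = parse_duration(maxtime) if maxtime else None
    schedule = []
    for count in range(bans):
        if multipliers:
            length = base * multipliers[min(count, len(multipliers) - 1)]
        else:
            length = base * (1 << min(count, 20)) * factor
        if cap is not None:
            length = min(length, cap)
        schedule.append(length)
    return schedule


def days(seconds):
    """Human-friendly view of a ban length."""
    return round(seconds / 86400, 1)


if __name__ == "__main__":
    # Values taken from the jail.local blocks above.
    default_mult = [1, 5, 30, 60, 300, 720, 1440, 2880]
    print("DEFAULT (bantime 7800m, multipliers):")
    for n, s in enumerate(ban_schedule("7800m", 8, multipliers=default_mult), 1):
        print(f"  ban #{n}: {days(s)} days")
    print("sshd (bantime 1d, factor 2, maxtime 1y):")
    for n, s in enumerate(ban_schedule("1d", 10, factor=2, maxtime="1y"), 1):
        print(f"  ban #{n}: {days(s)} days")
```

Running it shows why the sshd section overrides the defaults: with a 7800m base the multiplier list reaches multi-year bans by the third or fourth offence, while the sshd settings double from one day and stop at the one-year cap.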
After modifying the `fail2ban` configuration, you must (re)start `fail2ban`:

``` shell
# Start it for the first time
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Restart
sudo systemctl restart fail2ban

# Check that the service is running
sudo systemctl status fail2ban
```

## Jails

To check which jails are active:

``` shell
sudo fail2ban-client status
```

### Mailu setup

<https://mailu.io/2024.06/faq.html#do-you-support-fail2ban>

If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy, and as a result your reverse proxy will be banned.

See the [configuration reference](https://mailu.io/2024.06/configuration.html#reverse-proxy-headers) for more information.

Assuming you have a working Fail2Ban installation on the host running your Docker containers, follow these steps:

- In the Mailu docker compose file, set the logging driver of the front container to `journald` and set the tag to `mailu-front`:

``` yaml
logging:
  driver: journald
  options:
    tag: mailu-front
```

- Add the `/etc/fail2ban/filter.d/bad-auth-bots.conf`

``` ini
[Definition]
failregex = ^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front
```

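Before enabling the jail it is worth confirming that the failregex matches what the front container writes to the journal, and that it does not match unrelated lines. The Python script below is an added example, not part of the wiki page, Mailu or Fail2ban: it expands `<HOST>` with the host pattern Fail2ban's filter documentation gives for that tag (assumed to be the one your version uses), runs the regex over a few constructed journal lines (hostnames, PIDs and addresses are made up), and then applies the jail's `maxretry = 5` / `findtime = 600` counting to show which hosts would be banned. The counting is a simplified model of the jail (it ignores `ignoreip` and existing ban state); for the authoritative check run `fail2ban-regex` against your real journal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as in /etc/fail2ban/filter.d/bad-auth-bots.conf above.
FAILREGEX = (
    r'^\s?\S+ mailu-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: '
    r'\"AUTH not supported\" while in http auth state, client: <HOST>, server:'
)

# What Fail2ban substitutes for <HOST> (pattern from the Fail2ban filter docs;
# assumption: your installed version uses the same one).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# nginx's own timestamp inside the message, used here to count failures per window.
TIMESTAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def compile_failregex(failregex):
    """Expand <HOST> and compile, the way fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failures(regex, lines):
    """Return (timestamp, host) for every line the filter would count."""
    found = []
    for line in lines:
        m = regex.search(line)
        if m is None:
            continue
        ts = datetime.strptime(TIMESTAMP.search(line).group(0), "%Y/%m/%d %H:%M:%S")
        found.append((ts, m.group("host")))
    return found


def hosts_to_ban(found, maxretry=5, findtime=600):
    """Hosts with at least `maxretry` failures inside one `findtime`-second window
    (simplified model of the jail's counting)."""
    per_host = defaultdict(list)
    for ts, host in sorted(found):
        per_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in per_host.items():
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return banned


def journal_line(ts, host, reason="AUTH not supported", tag="mailu-front"):
    """Build a constructed journal line in the shape the systemd backend hands to the filter."""
    return (f'mail {tag}[1234]: {ts} [info] 8#8: *41 client login failed: "{reason}" '
            f'while in http auth state, client: {host}, server: 0.0.0.0:25')


# Constructed sample: one host hammering SMTP AUTH, one with two attempts,
# one with a different nginx message, one from a container with another tag.
SAMPLE_LINES = [journal_line(f"2024/06/01 10:00:{s:02d}", "203.0.113.7") for s in (1, 4, 9, 15, 22)]
SAMPLE_LINES += [
    journal_line("2024/06/01 10:05:00", "198.51.100.23"),
    journal_line("2024/06/01 10:05:01", "198.51.100.23"),
    journal_line("2024/06/01 10:06:00", "192.0.2.9", reason="Authentication failed"),
    journal_line("2024/06/01 10:06:01", "192.0.2.10", tag="mailu-admin"),
]

if __name__ == "__main__":
    regex = compile_failregex(FAILREGEX)
    found = failures(regex, SAMPLE_LINES)
    for ts, host in found:
        print(f"matched {host} at {ts}")
    print("would ban:", hosts_to_ban(found))
```

The two non-matching lines are the important part of the sample: a different nginx message and a line from another container tag both fall through, which is what keeps the jail from banning on noise.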
- Add the `/etc/fail2ban/jail.d/bad-auth-bots.conf`

```ini
[bad-auth-bots]
enabled = true
backend = systemd
filter = bad-auth-bots
bantime = 604800
findtime = 600
maxretry = 5
action = docker-action-net
```

The above will block flagged IPs for a week (604800 seconds); you can of course change it to your needs.

- Add the following to `/etc/fail2ban/action.d/docker-action-net.conf`

:::info
You have to install ipset on the host system, e.g. `apt-get install ipset` on a Debian/Ubuntu system.
:::

See ipset homepage for details on ipset, <https://ipset.netfilter.org/>.

```ini
[Definition]

actionstart = ipset --create f2b-bad-auth-bots nethash
              iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP

actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
             ipset --destroy f2b-bad-auth-bots

actionban = ipset add -exist f2b-bad-auth-bots <ip>/24

actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
```

Using the DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in <https://docs.docker.com/network/iptables/>.

Please note that the provided example bans `<ip>/24`, so it will block the whole /24 subnet from sending any email to the Mailu instance.

- Configure and restart the Fail2Ban service

Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

``` shell
sudo systemctl edit fail2ban
```

Add the override and save the file.

``` ini
[Unit]
After=docker.service
```

Restart the Fail2Ban service.

``` shell
sudo systemctl restart fail2ban
```

## Troubleshooting
### Unban

To check whether an address has been banned, there are several options:

```bash
grep YOUR_IP /var/log/fail2ban.log
```

To lift the ban:

```bash
sudo fail2ban-client set THE_JAIL_NAME unbanip YOUR_IP
```

### Whitelist (to avoid ban in the first place)

Edit the `ignoreip` field in `/etc/fail2ban/jail.local` by appending your router's IP address at the end of the line.
Then restart the fail2ban service:

```bash
sudo systemctl restart fail2ban
```

and check that it runs correctly:

```bash
systemctl status fail2ban
```

Make sure that your home router's IP is among the whitelisted IPs.

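The `ignoreip` line in the DEFAULT block above mixes single addresses, CIDR ranges and the IPv6 loopback, and the Unban section shows what it costs when an address you rely on is not covered. The Python helper below is an added example, not from the wiki page or from Fail2ban: it parses an `ignoreip` value as the field is documented (space and/or comma separated addresses and CIDR masks) and reports whether a given address would be exempt, which is a quick way to verify your router's public IP before restarting the service. DNS hostnames, which the field also accepts, are deliberately not resolved here; the sample value is the one from jail.local above and the router address is a made-up placeholder.

```python
import ipaddress
import re

# The ignoreip value from the jail.local DEFAULT block above.
IGNOREIP = "127.0.0.1/8 ::1 172.17.0.0/24 172.16.0.0/24 141.94.115.88"


def parse_ignoreip(value):
    """Split a Fail2ban ignoreip value (space and/or comma separated) into networks.
    A bare address becomes a /32 or /128; DNS names are not supported here."""
    networks = []
    for token in re.split(r"[\s,]+", value.strip()):
        if token:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_ignored(ip, value=IGNOREIP):
    """True if `ip` falls inside any entry of the ignoreip list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_ignoreip(value))


def with_router(value, router_ip):
    """Return the ignoreip value with `router_ip` appended at the end of the line,
    as the whitelist step says, unless an existing entry already covers it."""
    if is_ignored(router_ip, value):
        return value
    return f"{value} {router_ip}"


if __name__ == "__main__":
    router = "203.0.113.9"  # placeholder for your home router's public IP
    print("router already ignored:", is_ignored(router))
    print("new ignoreip line:", with_router(IGNOREIP, router))
    for probe in ("127.0.0.5", "172.17.0.9", "172.18.0.1", "::1"):
        print(f"{probe:>12} ignored: {is_ignored(probe)}")
```

Because `is_ignored` goes through `ipaddress`, a typo in the router address raises immediately instead of silently producing a line Fail2ban will reject at restart.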
## Sources

- https://wiki.archlinux.org/title/Fail2ban
- https://doc.ubuntu-fr.org/fail2ban
- https://help.ubuntu.com/community/Fail2ban
- https://infosecwriteups.com/10-essential-ssh-server-security-tips-best-practices-b5643e3d509b#8533