Linux fail2ban Setup
Introduction
fail2ban is a tool that watches log files (here, HTTP access logs) for matching entries and, based on a config, activates IP firewall rules to block the offending addresses.
How I use it
On my domain I monitor for 403 HTTP status codes; if these are found, the IP is blocked for a configurable amount of time. We need to:
- Install fail2ban (just use apt)
- Make a filter
- Make/Append jail.local
- Restart
Make a filter
To make a filter, create a file in /etc/fail2ban/filter.d (here caddy-json.conf, matching the jail name used below). In this case we look for 403 errors and extract the remote host:
# /etc/fail2ban/filter.d/caddy-json.conf
[Definition]
# Match a Caddy JSON access log line whose status is 403 and capture the client IP.
# <HOST> is fail2ban's placeholder for the address to ban.
failregex = ^.*"remote_ip":\s*"<HOST>".*"status":\s*403
# Caddy writes the timestamp as an epoch number in the "ts" field.
datepattern = "ts": {UNIX_TIMESTAMP}
# No lines are exempted from matching.
ignoreregex =
Make/Append jail.local
Create /etc/fail2ban/jail.local if it does not exist, or append the following to it:
[caddy-json]
enabled = true
# Name of the filter file in filter.d (without .conf).
filter = caddy-json
port = http,https
logpath = /var/log/caddy/caddy_blah.access.log
# Ban after maxretry matches within findtime seconds, for bantime seconds.
maxretry = 5
findtime = 600
bantime = 3600
Restart
sudo systemctl restart fail2ban
The robot mucked mine up the first time through, but you can check with
sudo fail2ban-regex /var/log/caddy/access.json /etc/fail2ban/filter.d/caddy-json.conf
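If you want to check the filter and jail settings without fail2ban on the box, here is an added Python example (not part of the original post or of fail2ban itself) that applies the failregex above to constructed Caddy-style JSON lines and replays the jail's maxretry/findtime window; the <HOST> expansion is simplified, and the sample IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque

# failregex from the filter above; fail2ban substitutes <HOST> with its own
# address pattern, imitated here by a simple IPv4/IPv6 named group.
FAILREGEX = r'^.*"remote_ip":\s*"<HOST>".*"status":\s*403'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
TS_PATTERN = re.compile(r'"ts":\s*(\d+(?:\.\d+)?)')  # Caddy's epoch "ts" field
MAXRETRY, FINDTIME = 5, 600  # values from jail.local (findtime in seconds)

def parse_line(line):
    """Return (epoch, host) when the line is a 403 the filter would count."""
    m = PATTERN.search(line)
    ts = TS_PATTERN.search(line)
    if not m or not ts:
        return None
    return float(ts.group(1)), m.group("host")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay lines; a host is banned once maxretry hits fall within findtime."""
    recent = defaultdict(deque)  # host -> timestamps of its recent 403s
    banned = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def caddy_line(ts, ip, status):
    """Constructed Caddy-style JSON access log line (sample data, not a real log)."""
    return ('{"level":"info","ts":%s,"logger":"http.log.access","msg":"handled request",'
            '"request":{"remote_ip":"%s","method":"GET","uri":"/admin"},"status":%d}'
            % (ts, ip, status))

SAMPLE_LOG = (
    [caddy_line(1700000000 + 30 * i, "203.0.113.7", 403) for i in range(5)]     # 5 in 120 s: ban
    + [caddy_line(1700000000 + 300 * i, "198.51.100.9", 403) for i in range(5)]  # spread over 1200 s: no ban
    + [caddy_line(1700000001, "192.0.2.1", 200)]                                  # not a 403: ignored
)

if __name__ == "__main__":
    print("would ban:", hosts_to_ban(SAMPLE_LOG))  # would ban: ['203.0.113.7']
```

Swap SAMPLE_LOG for the lines of your real access log to see which addresses the jail would have banned with the current maxretry and findtime.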
Once it is all working you can list bans with
fail2ban-client status caddy-json
This shows:
Status for the jail: caddy-json
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 26
|  `- File list: /var/log/caddy/caddy_blah.access.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 1
   `- Banned IP list:
To remove a ban you can do the following (replace the IP, you fool):
sudo fail2ban-client set caddy-json unbanip 10.10.10.10