How to view and remove banned IPs from Fail2ban on Ubuntu 10.04



If you followed the tutorial "How to Install and Configure fail2ban on Ubuntu 10.04 for SSH and Pure-FTPd", you should have Fail2ban installed and configured for SSH and Pure-FTPd. You may be curious how to view which IPs are banned or blocked by Fail2ban, or you may want to remove some of them from the banned list. To view all addresses that are blocked, run the following command:
sudo iptables -L -n
Banned SSH IPs look like this:
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 192.168.100.100 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Banned FTP IPs look like this:
Chain fail2ban-pure-ftpd (1 references)
target prot opt source destination
DROP all -- 192.168.100.100 0.0.0.0/0
To remove an IP address from the banned SSH list, run the following command:
sudo iptables -D fail2ban-ssh -s banned_ip -j DROP
To remove an IP address from the banned FTP list, run the following command:
sudo iptables -D fail2ban-pure-ftpd -s banned_ip -j DROP
To adjust how long each IP address stays banned, open the jail configuration file:
sudo vim /etc/fail2ban/jail.conf
Look for the line that begins with "bantime" and modify the value listed (the value is listed in seconds).
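The view and remove steps above can be scripted so that a rule is only deleted when that exact ban is present in the listing. This is an added example, not part of the original tutorial; the function names list_bans and unban_cmd are hypothetical, and SAMPLE is a constructed listing modelled on the output shown earlier.

```shell
#!/bin/sh
# Added example: list fail2ban bans from `iptables -L -n` output and build a
# checked unban command. SAMPLE is constructed, not captured from a real host.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  192.168.100.100      0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pure-ftpd (1 references)
target     prot opt source               destination
DROP       all  --  192.168.100.100      0.0.0.0/0
DROP       all  --  192.168.100.101      0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Print "chain source" for every DROP rule inside a fail2ban-* chain.
# Reads an `iptables -L -n` listing on stdin (hypothetical helper).
list_bans() {
    awk '$1 == "Chain" { chain = $2; next }
         chain ~ /^fail2ban-/ && $1 == "DROP" { print chain, $4 }'
}

# Print the delete command for chain $1 and address $2, but only if that exact
# ban appears in the listing on stdin; otherwise report it and return 1.
unban_cmd() {
    if list_bans | grep -qxF "$1 $2"; then
        echo "iptables -D $1 -s $2 -j DROP"
    else
        echo "no ban for $2 in chain $1" >&2
        return 1
    fi
}

# Demo on the constructed listing: show all bans, then one checked command.
printf '%s\n' "$SAMPLE" | list_bans
printf '%s\n' "$SAMPLE" | unban_cmd fail2ban-ssh 192.168.100.100
```

On a live host, feed it the real table with `sudo iptables -L -n | list_bans`, and run the printed delete command with sudo once it looks right.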
If you have any more questions, feel free to leave a comment.
- 13 comments
I have heard of people
I have heard of people configuring fail2ban to simply clobber attempts to login as (for example) root. i.e. ONE strike and you're out!
Is it possible to configure fail2ban to nuke on anything but an allowed user?
Thanks!
Jim (JR)
If you set "maxretry = 0" in
If you set "maxretry = 0" in /etc/fail2ban/jail.conf, you will have that effect. Check out this tutorial on installing and configuring fail2ban for more info on that file.
I'm not sure that I expressed
I'm not sure that I expressed the question properly, so let me try again:
1. There are multiple users that may want to log in.
2. I want to give these users the opportunity to enter their credentials correctly, so maxretry >= 1 or 2, (or so), is a good idea.
3. *HOWEVER* - if someone tries to login as *root* - they fail immediately and are banned immediately.
Is it possible to granularize fail2ban's permissions in that way? Are there other tools that can do this?
Thanks!
Jim (JR)
Jim, I don't believe you can
Jim, I don't believe you can do that with fail2ban, nor am I aware of any software that will do that. I can see how that feature would be useful. Since fail2ban is an open source project, they are open to changes from users. I recommend submitting a feature request here at the SourceForge page. Here is a link to the manual for fail2ban in case I overlooked that feature.
Hey Jim,
Hey Jim,
Yes, you can do that. Just add a new filter in the filter.d directory and add a regex (it must be compatible with your logfile) with a set username (e.g. root), and add a specific jail for this filter.
You can however disable root
You can, however, disable root login via SSH in the SSH configuration. Then only users that are in the sudoers file would have access to root. However, that doesn't ban the IP.
/etc/ssh/sshd_config:
/etc/ssh/sshd_config: PermitRootLogin no
better use keys and sudo..
A useful sshd option is:
A useful sshd option is:
PermitRootLogin without-password
This sounds much worse than it is! It allows root logins, but not using password authentication, only keys; it does NOT mean that root can log in without a password :)
If you disallow root login in
If you disallow root login in sshd config, your /var/log/auth.log will log lines such as these:
User root from 220.181.***.*** not allowed because not listed in AllowUsers
You can then build a jail rule in fail2ban conf to ban the given IP with a filter.
See fail2ban wiki for guidelines on how to build your customized filters.
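Before writing the filter described in these comments, it helps to dry-run the match over real log lines and confirm it picks up only denied root attempts, not ordinary users mistyping a password. The script below is an added example, not code from this thread or from the fail2ban project; root_denied_hosts is a hypothetical helper and LOG is constructed sample data using documentation address ranges. In an actual failregex, fail2ban's `<HOST>` tag takes the place of the address capture group.

```shell
#!/bin/sh
# Added example: dry-run the "User root ... not listed in AllowUsers" match
# over auth.log lines. LOG is constructed; hostnames and addresses are made up.
LOG='Jan 10 03:12:45 web1 sshd[1201]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Jan 10 03:12:47 web1 sshd[1201]: Failed password for invalid user root from 203.0.113.7 port 4021 ssh2
Jan 10 03:13:02 web1 sshd[1207]: Failed password for jim from 198.51.100.23 port 5110 ssh2
Jan 10 03:13:09 web1 sshd[1207]: Accepted password for jim from 198.51.100.23 port 5110 ssh2
Jan 10 03:14:30 web1 sshd[1215]: User root from 203.0.113.99 not allowed because not listed in AllowUsers
Jan 10 03:15:00 web1 sshd[1220]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Jan 10 03:15:41 web1 sshd[1225]: User backup from 198.51.100.23 not allowed because not listed in AllowUsers'

# Print "address count" for each source of denied root logins, most active
# first. The pattern is anchored at both ends, so the address is taken only
# from this exact sshd message and only when the user is root.
root_denied_hosts() {
    sed -n -E 's/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: User root from ([0-9.]+) not allowed because not listed in AllowUsers$/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Demo on the constructed log: jim's single typo and the "backup" account
# are not reported, only the two hosts that tried root.
printf '%s\n' "$LOG" | root_denied_hosts
```

Against a live system, run `sudo cat /var/log/auth.log | root_denied_hosts` and compare the result with what you expect the jail to ban.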
Thank you for posting this
Thank you for posting this information. I'd made a mistake from my workstation and had locked myself out of local ssh for about a year, thanks to my overzealous security settings. On the plus side, external access was still available. Thanks to your little 'iptables' tip, I was able to get back in.
thanks worked for my
thanks worked for my wordpress installs