Fail2ban

Metadata

  • Identifier: fail2ban
  • Maturity: Production

Categories

  • Host Intrusion Prevention System

Description

Fail2ban is an intrusion prevention software framework that protects Unix-like servers from brute-force attacks. It scans log files and bans IP addresses that perform too many failed operations (for example, login attempts). This module targets Debian-based operating systems and ships with an SSH jail already configured.

Actions

| Identifier      | Description                          | Expected Parameters Keys and Types |
|-----------------|--------------------------------------|------------------------------------|
| reload_jails    | Reloads the jails.                   |                                    |
| restart_service | Restarts the Fail2ban service.       |                                    |
| start_service   | Starts the Fail2ban service.         |                                    |
| stop_service    | Stops the Fail2ban service.          |                                    |
| unban           | Unbans an IP address from a jail.    | jail_name (STRING), ip (STRING)    |

Information

| Identifier   | Description                                                                                                   | Type            | Properties                                                                  | Default Value |
|--------------|---------------------------------------------------------------------------------------------------------------|-----------------|-----------------------------------------------------------------------------|---------------|
| active_jails | Active jails                                                                                                  | LIST_OF_STRINGS | METRIC, READ_ONLY                                                           |               |
| ban_seconds  | Ban duration in seconds                                                                                       | INTEGER         | CONFIGURATION, MANDATORY, WITH_DEFAULT_VALUE, NON_DEDUCTIBLE, WRITABLE      | 3600          |
| banned_ips   | Banned IPs from all jails                                                                                     | LIST_OF_STRINGS | METRIC, READ_ONLY                                                           |               |
| ignored_ips  | IPs to ignore, for example a machine used for penetration testing or one controlled strictly by your cloud provider. | LIST_OF_STRINGS | CONFIGURATION, OPTIONAL, WITH_DEFAULT_VALUE, NON_DEDUCTIBLE, WRITABLE       | 127.0.0.1     |
| jails_count  | Number of configured jails                                                                                    | INTEGER         | METRIC, READ_ONLY                                                           |               |
| max_retries  | Number of failed login attempts above which a user is banned                                                  | INTEGER         | CONFIGURATION, MANDATORY, WITH_DEFAULT_VALUE, NON_DEDUCTIBLE, WRITABLE      | 3             |
| ssh_port     | Port on which the SSH server runs                                                                             | INTEGER         | CONFIGURATION, MANDATORY, WITH_DEFAULT_VALUE, NON_DEDUCTIBLE, WRITABLE      | 22            |

Logs

| Identifier | Description          | Location              | Format |
|------------|----------------------|-----------------------|--------|
| logs       | Default log location | /var/log/fail2ban.log | TEXT   |
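The banned_ips metric above is the set of addresses whose most recent event in /var/log/fail2ban.log is a Ban rather than an Unban (the unban action writes an Unban line). As an added example, not code from this module, the Python below replays the Ban/Unban notices from a constructed log excerpt written in Fail2ban's own log format and derives the per-jail and overall banned lists; the jail names and addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Matches the Ban/Unban notices fail2ban.actions writes to the log, e.g.
# "2024-03-01 08:15:02,417 fail2ban.actions  [812]: NOTICE  [sshd] Ban 203.0.113.5"
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Ban|Unban)\s+(?P<ip>\S+)$"
)


def current_bans(log_text):
    """Replay Ban/Unban events in order; return {jail: set of currently banned IPs}.

    An address counts as banned only if its last event in that jail was a Ban,
    so an Unban (manual or after ban_seconds expires) removes it again.
    """
    bans = defaultdict(set)
    for line in log_text.splitlines():
        m = BAN_LINE.match(line.strip())
        if not m:
            continue  # INFO "Found" lines and other components are not ban events
        jail, event, ip = m.group("jail", "event", "ip")
        if event == "Ban":
            bans[jail].add(ip)
        else:
            bans[jail].discard(ip)
    return dict(bans)


def banned_ips(log_text):
    """Sorted list of IPs banned in any jail, i.e. the banned_ips metric."""
    return sorted({ip for ips in current_bans(log_text).values() for ip in ips})


# Constructed sample log excerpt (addresses from documentation ranges).
SAMPLE_LOG = """\
2024-03-01 08:14:55,102 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-03-01 08:14:54
2024-03-01 08:15:02,417 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 08:20:10,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 08:45:31,880 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-01 09:01:12,555 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.44
"""

if __name__ == "__main__":
    print(current_bans(SAMPLE_LOG))
    print(banned_ips(SAMPLE_LOG))  # ['192.0.2.44', '198.51.100.7']
```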

Tests

| Identifier     | Description                                                                        | Type        |
|----------------|------------------------------------------------------------------------------------|-------------|
| active_service | Checks if the Fail2ban service is active.                                          | OPERATIONAL |
| command        | Checks if the Fail2ban client is registered as a command.                          | PRESENCE    |
| healthcheck    | Checks if Fail2ban blocks an IP when it identifies multiple log entries generated by it. | SECURITY    |
| ubuntu         | Checks if the operating system is Ubuntu.                                          | REQUIREMENT |