yum install epel-release
——————————
dnf install fail2ban
Installed:
esmtp-1.2-19.el9.x86_64 fail2ban-1.0.2-12.el9.noarch
fail2ban-firewalld-1.0.2-12.el9.noarch fail2ban-selinux-1.0.2-12.el9.noarch
fail2ban-sendmail-1.0.2-12.el9.noarch fail2ban-server-1.0.2-12.el9.noarch
libesmtp-1.0.6-24.el9.x86_64 liblockfile-1.14-10.el9.0.1.x86_64
Complete!
——————————
fail2ban-client start
Server ready
——————————
Check that fail2ban is running:
pstree | grep fail2ban
|-fail2ban-server---2*[{fail2ban-server}]
Another way to check, by asking the server to answer over its control socket:
fail2ban-client ping
Server replied: pong
——————————
After changing any fail2ban configuration (jail.local, a jail.d/*.local drop-in or a filter), reload it. reload re-reads the configuration without dropping the bans currently in force; restart and stop are shown for reference:
fail2ban-client reload
fail2ban-client restart
fail2ban-client stop
——————————
Enable the unit so that fail2ban starts automatically at boot:
systemctl enable fail2ban
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.
——————————
systemctl status fail2ban
○ fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: disabled)
Active: inactive (dead)
Docs: man:fail2ban(1)
Note that the unit is enabled but inactive: the server that answered "pong" above was launched by hand with fail2ban-client start, outside systemd, so it is not supervised and will not be restarted if it dies. Stop it (fail2ban-client stop) and start it through the unit (systemctl start fail2ban) so that status reports active (running).
——————————
fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
Zero jails means nothing is being protected yet: every jail in /etc/fail2ban/jail.conf ships with enabled = false, and jail.conf is the packaged default that is meant to be left alone. Jails are switched on in /etc/fail2ban/jail.local or in drop-in files under /etc/fail2ban/jail.d/, as in the sections below.
——————————
Show one jail's status, including the addresses it currently bans:
fail2ban-client status sshd
Lift a ban by hand, for a single address or for everything:
fail2ban-client unban 192.168.2.102
fail2ban-client unban --all
List the firewall rules fail2ban has inserted. Only jails whose action is iptables-based show up here; the fail2ban-firewalld package installed above ships a jail.d drop-in that routes the default banaction through firewalld (firewallcmd-rich-rules), so for jails using that default check firewall-cmd --list-rich-rules instead:
iptables -L -n
init 6 = reboot
===========================================
/etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
# one failure per request that nginx answered with 400, 403, 404 or 444
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
/etc/fail2ban/jail.local
add the following jail at the end of jail.local
[nginx-4xx]
enabled = true
port = http,https
filter = nginx-4xx
logpath = /home/wwwlogs/access.log
# explicit iptables action: this jail bypasses the firewalld banaction set by the fail2ban-firewalld drop-in
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
bantime = 1800
findtime = 30
maxretry = 5
Five 4xx responses inside 30 seconds bans the client for 30 minutes. That catches path scanners, but a single page with several missing assets trips it just as easily, so watch /var/log/fail2ban.log for a while after enabling it.
===========================================
/etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
# Override the default global configuration
# for specific jail sshd. logpath is deliberately
# not overridden: the jail.conf default is the sshd
# auth log (/var/log/secure on EL9); pointing it at
# an nginx access log makes the sshd filter match nothing.
bantime = 1d
maxretry = 1
maxretry = 1 bans an address after a single failed login, so one mistyped password locks an administrator out for a day. Pair it with ignoreip for the management network, or use the jail.conf default of 5.
===========================================
/etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
# one failure per request line, whatever the HTTP version: nginx logs HTTP/2 requests as HTTP/2.0, which the original HTTP/1.* pattern never matched
failregex = ^<HOST> -.*- .*HTTP/[0-9.]+" .*$
ignoreregex =
/etc/fail2ban/jail.d/nginx-cc.local
[nginx-cc]
enabled = true
port = http,https
filter = nginx-cc
# ban, then mail a report with whois output and the matching log lines (needs a working sendmail, provided here by esmtp, and the whois command)
action = %(action_mwl)s
maxretry = 200
findtime = 10
bantime = 86400
logpath = /home/wwwlogs/access.log
More than 200 requests from one address within 10 seconds bans it for a day. If nginx sits behind a CDN or reverse proxy, <HOST> is the proxy's address and this jail bans the proxy for every user; in that case the filter has to match the real client address from the forwarded header that nginx logs instead.
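To see what the nginx-4xx and nginx-cc jails would actually do before enabling them, here is an added example (not from the original notes and not fail2ban's own code) that replays constructed nginx access-log lines through both filters with their findtime and maxretry values. It models only fail2ban's <HOST> placeholder, a sliding findtime window and the maxretry threshold; the log lines, addresses and the 200-request burst are made up for the demonstration, and the nginx-cc filter is shown both in the original HTTP/1.* form and in the corrected form.

```python
"""Replay made-up nginx access-log lines through the nginx-4xx and nginx-cc
filters and report which clients each jail would ban.

Added example, not part of the original notes or of fail2ban itself. It
models only what the discussion needs: fail2ban's <HOST> placeholder, a
sliding findtime window and the maxretry threshold. The log lines and the
addresses in them are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's real <HOST> pattern also covers IPv6 and hostnames; an IPv4
# literal is enough for the constructed lines below
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# timestamp as nginx's combined log format writes it
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

FILTERS = {
    "nginx-4xx": r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$',
    # the notes' original nginx-cc pattern: only HTTP/1.x request lines match
    "nginx-cc-original": r"<HOST> -.*- .*HTTP/1.* .* .*$",
    # the corrected pattern: one hit per request whatever the HTTP version
    "nginx-cc": r'^<HOST> -.*- .*HTTP/[0-9.]+" .*$',
}

# constructed sample traffic: a path scanner, a normal HTTP/2 visitor with
# two stale links, and a 200-request HTTP/2 burst inside ten seconds
SAMPLE_LINES = [
    '203.0.113.7 - - [05/Mar/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '203.0.113.7 - - [05/Mar/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '203.0.113.7 - - [05/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 403 153 "-" "scanner/1.0"',
    '203.0.113.7 - - [05/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '203.0.113.7 - - [05/Mar/2024:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '198.51.100.9 - - [05/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2024:10:00:05 +0000] "GET /missing.css HTTP/2.0" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2024:10:05:00 +0000] "GET /old.js HTTP/2.0" 404 153 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.55 - - [05/Mar/2024:10:00:{i // 20:02d} +0000] "GET /?x={i} HTTP/2.0" 200 1 "-" "-"'
    for i in range(200)
]


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named host group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def log_time(line):
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def banned_hosts(lines, failregex, findtime, maxretry):
    """Hosts that reach maxretry matches within a findtime-second window,
    which is the condition under which a jail issues a ban."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host, t = m.group("host"), log_time(line)
        # keep only the hits still inside the window, then add this one
        hits[host] = [x for x in hits[host] if t - x <= window] + [t]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, findtime, maxretry in [("nginx-4xx", 30, 5), ("nginx-cc-original", 10, 200), ("nginx-cc", 10, 200)]:
        bans = sorted(banned_hosts(SAMPLE_LINES, FILTERS[name], findtime, maxretry))
        print(f"{name:18} findtime={findtime:<3} maxretry={maxretry:<4} bans {bans}")
```

The scanner is banned by nginx-4xx after its fifth 4xx in four seconds, the visitor with two stale links five minutes apart is not, and the HTTP/2 burst is banned only by the corrected nginx-cc pattern; the original pattern sees none of its 200 requests. Against the real log, the check to run on the server is fail2ban-regex, for example fail2ban-regex /home/wwwlogs/access.log /etc/fail2ban/filter.d/nginx-cc.conf, which reports how many lines the filter matched and which it missed.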
===========================================
How to Ignore Google Bots on Fail2Ban?
cd /usr/local/bin
touch ignore_ip_check.sh && chmod +x ./ignore_ip_check.sh
Edit the file and add the following contents:
#!/bin/bash
# ignorecommand helper: exit 0 (= ignore this address) when its PTR record
# is under googlebot.com or google.com, exit 1 otherwise.
IP="$1"
HOSTRESULT="$(host -W 1 "${IP}")"
# Anchor on the label boundary and on the trailing dot that host prints, so
# that notgoogle.com. or googlebot.com.evil.example. do not match.
REGEX='\.(googlebot|google)\.com\.([[:space:]]|$)'
if [[ "$HOSTRESULT" =~ $REGEX ]]; then exit 0; else exit 1; fi
Update jail.local
Now, in /etc/fail2ban, edit the jail.local file. ignorecommand is a jail option that jail.conf leaves empty in its [DEFAULT] section; set it under [DEFAULT] in jail.local to apply it to every jail, or inside the nginx jail sections only, since a crawler exemption has no business in the sshd jail. fail2ban runs the command with <ip> substituted for each address a filter has matched and skips the address when the command exits 0 (fail2ban 1.0 can cache the answer per address with the ignorecache jail option). Keep in mind that a PTR record is published by whoever owns the address, so a reverse-name check on its own can be spoofed; the name also has to be resolved forward and point back at the address.
ignorecommand = /usr/local/bin/ignore_ip_check.sh <ip>
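The shell script above accepts any address whose reverse name is under googlebot.com or google.com, which the owner of the address can arrange. Google's documented verification is to resolve that name forward again and require that it returns the same address. As an added example (not from the original notes and not fail2ban's own code), here is that forward-confirmed check written so it can replace the shell script as the ignorecommand; the path /usr/local/bin/ignore_ip_check.py and the DNS records at the bottom of the file are assumptions made for the demonstration, and the resolver functions are parameters so the logic can be exercised offline against those made-up records.

```python
#!/usr/bin/env python3
"""Forward-confirmed reverse DNS check, usable as a fail2ban ignorecommand.

Added example, not part of the original notes or of fail2ban. Whoever owns
an address block can publish a PTR such as crawl-1-2-3-4.googlebot.com for
it, so a PTR-only check exempts anyone who bothers. Here the PTR name must
also resolve forward to the address being checked. Exit status 0 tells
fail2ban to ignore the address. The resolver functions are parameters so
the logic runs offline against the made-up records at the bottom.
"""
import socket
import sys

# crawler domains Google documents; the leading dot forces a label
# boundary, so notgoogle.com is rejected
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def reverse_lookup(ip):
    """PTR name of ip via the system resolver, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name):
    """All addresses name resolves to via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def is_verified_crawler(ip, reverse=reverse_lookup, forward=forward_lookup):
    """True only if ip has a PTR under a crawler domain AND that name
    resolves back to ip (forward confirmation)."""
    name = reverse(ip)
    if not name:
        return False
    host = name.rstrip(".").lower()
    if not host.endswith(CRAWLER_SUFFIXES):
        return False
    return ip in forward(host)


# constructed records for the offline demonstration (not real DNS data)
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",     # genuine: forward lookup matches
    "198.51.100.20": "googlebot.com.attacker.example.",  # lookalike name, wrong suffix
    "203.0.113.30": "crawl-192-0-2-10.googlebot.com.",   # spoofed PTR, forward lookup differs
}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, set())


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # ignorecommand mode: /usr/local/bin/ignore_ip_check.py <ip>
        sys.exit(0 if is_verified_crawler(sys.argv[1]) else 1)
    # no argument: show the decision for each made-up record
    for ip in list(FAKE_PTR) + ["203.0.113.40"]:
        verdict = "ignored" if is_verified_crawler(ip, fake_reverse, fake_forward) else "not ignored"
        print(ip, verdict)
```

Installed as /usr/local/bin/ignore_ip_check.py with chmod +x, the jail line becomes ignorecommand = /usr/local/bin/ignore_ip_check.py <ip>. Of the made-up records only the first is ignored: the lookalike name fails the suffix check that the shell script's unanchored regex would have passed, and the spoofed PTR fails because its forward lookup returns a different address.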
===========================================