Fail2Ban is a great tool to prevent password guessing on your server or website. However, we keep running into the issue that the ban limit is either too high or too low. What it really needs is a way to ban, for good, the users who try again and again.
When banning an IP forever you have to be extra careful not to ban Googlebot or other important web crawlers.
- Create /usr/local/bin/ignore_ip_check.sh, which does a reverse DNS lookup of the IP to see whether it is a known web crawler that must not be banned:
#!/bin/bash
IP="$1"
# Reverse lookup of the IP; -W 1 gives up after one second so a slow resolver cannot stall Fail2Ban
HOSTRESULT=$(host -W 1 "${IP}")
# The PTR name must end in one of these domains; the leading \. stops lookalikes such as evilgoogle.com
REGEX='\.(googlebot\.com|google\.com|search\.msn\.com|yandex\.ru|yandex\.net|yandex\.com)\.$'
# Exit 0 tells Fail2Ban to ignore the IP, any other exit code lets the ban proceed
if [[ "$HOSTRESULT" =~ $REGEX ]]; then exit 0; else exit 1; fi
- Make sure the script is executable:
chmod u+x /usr/local/bin/ignore_ip_check.sh
- Create the new Fail2Ban filter in /etc/fail2ban/filter.d/repeated.conf:
# Fail2Ban configuration file
#
# Author: Foliovision
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = fail2ban\.actions\s*
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?:sshd|wordpress)\]\s+Ban\s+<HOST>\s*$
This file gives Fail2Ban the regex to use when parsing the log. It matches the Ban lines written by the sshd and wordpress jails only; add any other jail whose bans should count (waf, for example) to that alternation.
- Create the new Fail2Ban jail in /etc/fail2ban/jail.d/repeated.conf:
[repeated]
enabled = true
filter = repeated
logpath = /var/log/fail2ban.log
port = http,https
maxretry = 3
findtime = 86400
bantime = 5184000
ignoreip = 127.0.0.1 {your server IP}
ignorecommand = /usr/local/bin/ignore_ip_check.sh <ip>
This file tells Fail2Ban which file to scan: it is Fail2Ban's own log file! Three bans (maxretry) by the other jails within one day (findtime = 86400 seconds) earn a 5184000-second (60-day) ban. Note that port = http,https limits that long ban to the web ports, so a repeat sshd offender keeps SSH access unless you widen the port list or use an all-ports ban action.
- Run fail2ban-client reload and fail2ban-client status; you should now see repeated in the list:
# fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: repeated, sshd, waf, wordpress
- Now you can try to guess the password too many times (use your VPN or a spare server), then unban the IP using fail2ban-client, try to guess the password once again and you should find the IP on the fail2ban-client status repeated block list.
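The ignore script from the first step trusts the PTR record alone, yet a PTR record is written by whoever holds the address block, so anyone can name their host something.googlebot.com. As an added example (not from the original post), here is a forward-confirmed version of ignore_ip_check.sh: the PTR name must belong to a trusted domain and resolve back to the same IP. It assumes the same host command and domain list as above; the ptr_lookup and addr_lookup helper names are my own.

```shell
#!/bin/sh
# Added example, not the original post's script: an ignorecommand that trusts a
# crawler only after forward-confirmed reverse DNS. A PTR of "x.googlebot.com."
# alone proves nothing, so the PTR name must also resolve back to the very same IP.
# Exit 0 = Fail2Ban ignores the IP, exit 1 = the ban goes ahead.

TRUSTED_DOMAINS='googlebot\.com|google\.com|search\.msn\.com|yandex\.ru|yandex\.net|yandex\.com'

# Reverse lookup: PTR hostnames for an IP, one per line, trailing dot removed.
ptr_lookup() {
    host -W 1 "$1" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
}

# Forward lookup: A and AAAA addresses of a hostname, one per line.
addr_lookup() {
    host -W 1 "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
}

# 0 if the name ends in a trusted domain on a label boundary, so that
# "crawl-1.googlebot.com" passes but "evilgoogle.com" does not.
is_trusted_name() {
    printf '%s\n' "$1" | grep -Eqi '(^|\.)('"$TRUSTED_DOMAINS"')$'
}

# 0 if at least one PTR name is trusted AND resolves forward to the same IP.
is_trusted_crawler() {
    _ip="$1"
    for _name in $(ptr_lookup "$_ip"); do
        is_trusted_name "$_name" || continue
        for _addr in $(addr_lookup "$_name"); do
            [ "$_addr" = "$_ip" ] && return 0
        done
    done
    return 1
}

# Fail2Ban runs the script as: ignore_ip_check.sh <ip>
if [ $# -gt 0 ]; then
    is_trusted_crawler "$1" && exit 0
    exit 1
fi
```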