Configuring Fail2Ban on Arch Linux (2021)

fail2ban is a daemon that scans log files for regular expression matches and bans the clients that generate them. The administrator has a large number of policy knobs to control the banning. This article demonstrates the steps necessary to set up bans for sshd pre-authentication ([preauth]) connection failures, the kind of flood of connect-and-drop clients that can amount to a DDoS against the SSH daemon, since doing so wasn't an out-of-the-box experience at the time of writing.

First, install fail2ban

pacman -S fail2ban

Read jail.conf(5).

Read /etc/fail2ban/jail.conf for the defaults, but make configuration changes in /etc/fail2ban/jail.local, which overrides it and, unlike jail.conf, is not overwritten by package upgrades.

The service configuration is in /etc/fail2ban/fail2ban.conf.

The components that scan for regular expression matches are in the /etc/fail2ban/filter.d directory. For sshd, look at /etc/fail2ban/filter.d/sshd.conf for the regexes; that file also defines the mode values (normal, ddos, extra, aggressive) a jail can select.

An example jail.local, overriding some defaults, and picking some jails to enable (by default, no jails are enabled),

cat /etc/fail2ban/jail.local
[DEFAULT]
# Add up to 300s of random time to each ban so a botnet cannot predict exactly when it may return
bantime.rndtime = 300
# These IPs will never be banned (purely for example; host names are resolved via DNS). I put some other static IPs I control here so I've always got a backdoor
ignoreip = 127.0.0.1/8 ::1 google.com 1.1.1.1
bantime = 1d

[sshd]
enabled = true
# Without this, pre-authentication ([preauth]) disconnects are not bannable offenses; aggressive combines the normal, ddos and extra modes
mode = aggressive

[nginx-http-auth]
enabled = true
logpath = /var/log/nginx/error.log

[nginx-botsearch]
enabled = true

Once the configuration for the site is complete, enable and start the service,

systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

Monitor the service in action,

journalctl -fu fail2ban

After making further configuration changes, restart the service,

systemctl restart fail2ban

To see how many matches the daemon has processed for sshd and which addresses it currently has banned,

fail2ban-client status sshd

To see all active jails,

fail2ban-client status

To test whether a log line you wish to block on is being hit by the regex machinery,

fail2ban-regex "Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]" sshd.conf

Note that this tests the filter in its default (normal) mode, in which the [preauth] line above does not match; to test what the aggressive jail actually sees, pass the mode along with the filter name, "sshd[mode=aggressive]" (quoted, so the shell leaves the brackets alone), in place of sshd.conf.

While testing you may also scan the systemd journal instead of a log file (again quoted, because of the brackets),

fail2ban-regex "systemd-journal[journalflags=1]" sshd
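
To make the interaction of the knobs concrete, here is an added Python model of what the [sshd] jail above does with a batch of log lines. It is not fail2ban's code: the two regexes are simplified approximations of patterns in filter.d/sshd.conf, written to show why mode = aggressive is needed for [preauth] disconnects, and the sliding window is an approximation of fail2ban's failure counter. The log lines, host name, PIDs and addresses (TEST-NET ranges) are constructed.

```python
"""Toy model of a fail2ban sshd jail: filter regexes + ignoreip + findtime/maxretry/bantime.

Added example; this is not fail2ban's code. NORMAL_RE and DDOS_RE are
simplified approximations of patterns in filter.d/sshd.conf, and the sliding
window is an approximation of fail2ban's failure counter. The log lines, host
name, PIDs and addresses (TEST-NET ranges) are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Approximation of the filter's "normal" mode: password/public key failures.
NORMAL_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)
# Approximation of the extra "ddos" patterns that "aggressive" enables:
# clients that connect and drop before authenticating.
DDOS_RE = re.compile(
    r"sshd\[\d+\]: (?:Connection closed by|Disconnected from) "
    r"(?:(?:authenticating|invalid) user \S+ )?(?P<ip>\S+)(?: port \d+)? \[preauth\]"
)

# Constructed sample log (syslog format, no year): 203.0.113.7 drops five
# connections before authenticating, 198.51.100.9 gets two passwords wrong.
SAMPLE_LOG = """\
Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]
Apr 29 12:30:20 sendai sshd[25920]: Connection closed by 203.0.113.7 port 51234 [preauth]
Apr 29 12:30:31 sendai sshd[25922]: Disconnected from authenticating user root 203.0.113.7 port 51240 [preauth]
Apr 29 12:30:44 sendai sshd[25925]: Connection closed by 203.0.113.7 port 51251 [preauth]
Apr 29 12:31:02 sendai sshd[25929]: Connection closed by 203.0.113.7 port 51263 [preauth]
Apr 29 12:31:15 sendai sshd[25933]: Connection closed by 203.0.113.7 port 51270 [preauth]
Apr 29 12:32:03 sendai sshd[25940]: Failed password for invalid user admin from 198.51.100.9 port 4444 ssh2
Apr 29 12:32:09 sendai sshd[25940]: Failed password for invalid user admin from 198.51.100.9 port 4444 ssh2
""".splitlines()


def failregex_for(mode):
    """Mirror the filter's mode switch: normal = base patterns, ddos = preauth
    patterns, aggressive = both."""
    return {"normal": [NORMAL_RE], "ddos": [DDOS_RE],
            "aggressive": [NORMAL_RE, DDOS_RE]}[mode]


def parse_ts(line, year=2021):
    """The syslog prefix 'Apr 29 12:30:12 host ...' carries no year."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip):
    """ignoreip entries are addresses or CIDR networks; a v4 address is never
    inside a v6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def run_jail(lines, mode="normal", maxretry=5, findtime=600, bantime=86400,
             ignoreip=("127.0.0.1/8", "::1")):
    """Return {ip: time_of_ban} for every address that produced maxretry
    matches within findtime seconds. ignoreip addresses are never counted; a
    banned address is not counted again until bantime has elapsed."""
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        ts = parse_ts(line)
        for rx in failregex_for(mode):
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if is_ignored(ip, ignoreip):
                break
            if ip in bans and (ts - bans[ip]).total_seconds() < bantime:
                break
            window = hits[ip]
            window.append(ts)
            # Drop hits older than findtime so only a burst triggers a ban.
            while (ts - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) >= maxretry:
                bans[ip] = ts
                window.clear()
            break  # one match per line is enough
    return bans


if __name__ == "__main__":
    for mode in ("normal", "aggressive"):
        print(mode, run_jail(SAMPLE_LOG, mode=mode))
    # A tighter findtime lets the same five [preauth] drops through unbanned.
    print("aggressive, findtime=30", run_jail(SAMPLE_LOG, mode="aggressive", findtime=30))
```

Run as-is, the normal mode bans nobody (the password failures stay below maxretry and the [preauth] drops are invisible to it), aggressive mode bans 203.0.113.7 on its fifth drop, the loopback drop is skipped because of ignoreip, and shrinking findtime to 30 seconds lets the same burst through, which is the trade-off to keep in mind when tuning findtime against slow scanners.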

To clear all current bans,

fail2ban-client unban --all

By default fail2ban sets up bans with iptables (banaction = iptables-multiport in jail.conf) and, again by default, uses DNS to resolve host names in ignoreip and in log lines (usedns = warn). On a host that firewalls with nftables instead, set banaction = nftables-multiport in [DEFAULT]. Most defaults are configurable.

Example jail chain, as listed by iptables -L (which reverse-resolves the banned address to a host name; add -n to see the raw IP),

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  fanzine2.igalia.com  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Created: 2021-11-28 Sun 17:57
