Image Description


I’m using fail2ban to block script kiddies. Here is one line what you will find in your auth.log

May 11 05:32:14 srv01 sshd[79609]: Invalid user postgres from port 46504

This description can help you how to install and configure fail2ban I will update this post with new infos.

Installation - Ubuntu / Debian

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban

Installation FreeBSD

sudo pkg install py37-fail2ban


Configuration Ubuntu / Devian

cd /etc/fail2ban
sudo vi jail.local

This configuration is for the sshd daemon. If a user fails to connect three times (maxretry = 3) within 24 hours (findtime = 24h) to login via ssh, he will get banned indefinitely (bantime = -1).

# SSH servers

enabled = true
filter = sshd
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode   = aggressive
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
banaction = iptables-multiport
bantime = -1
maxretry = 3
findtime = 24h

Configuration FreeBSD

in /usr/local/etc/fail2ban/jail.d/bsd-sshd.conf

Slightly different configuration. Here I use a bantime of 24h (86400s)

enabled = true
filter = bsd-sshd
port = ssh
logpath = /var/log/auth.log
findtime = 24h
maxretry = 3

bantime  = 86400


List banned IPs

Via fail2ban-client

sudo fail2ban-client status <jail name>
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	2
|  |- Total failed:	5
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:

via iptables

sudo iptables --list --line-numbers --numeric
sudo iptables --list --line-numbers --numeric
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    f2b-sshd   tcp  --              multiport dports 22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain f2b-sshd (1 references)
num  target     prot opt source               destination         
1    REJECT     all  --            reject-with icmp-port-unreachable
2    REJECT     all  --            reject-with icmp-port-unreachable
3    RETURN     all  --             

with ‘pfctl’ - FreeBSD

sudo pfctl -a "f2b/bsd-ssh-pf" -t f2b-bsd-ssh-pf -Ts

Ban and unban manually


sudo fail2ban-client set <JAIL> banip <IP>


sudo fail2ban-client unban <IP>

Test the filter

fail2ban-regex <logfile> <failregex> <ignoreregex>

I had some trouble with banning IPs. Therefore I’ve greped the IP and put it into a file. (The problem was not fail2ban but the firewall configuration ;-) )

Example with a positive test

sudo grep auth.log > /tmp/test.log

And test it with

sudo fail2ban-regex /tmp/test.log /etc/fail2ban/filter.d/sshd.conf 

Running tests

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /tmp/test.log
Use         encoding : UTF-8


Failregex: 53 total
|-  #) [# of hits] regular expression
|   8) [53] ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*(?: \[preauth\])?\s*$

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [222] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?

Lines: 222 lines, 0 ignored, 53 matched, 169 missed
[processed in 1.53 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 169 lines

The Failregex: 53 total is the relevant line.

Example with a negative test

Here is an example with an IP that wasn’t recognized by the filter

sudo grep /var/log/auth.log > /tmp/test1.log
sudo fail2ban-regex /tmp/test1.log /etc/fail2ban/filter.d/sshd.conf 

Running tests

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /tmp/test1.log
Use         encoding : UTF-8


Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?

Lines: 3 lines, 0 ignored, 0 matched, 3 missed
[processed in 0.12 sec]

|- Missed line(s):
|  Apr 22 16:01:02 raspberrypi sshd[14285]: Received disconnect from port 63194:11:  [preauth]
|  Apr 22 16:01:02 raspberrypi sshd[14285]: Disconnected from port 63194 [preauth]