Howto ban IP with Fail2Ban manually by command line?
You ban him manually by adding his IP to the firewall. If you are using UFW, then you write something like this in your command line:
ufw insert 1 deny from <ip> to any
But you do not want to do that manually - the purpose of Fail2Ban is to ban someone automatically. Use this tutorial to configure Fail2Ban to automatically update your UFW rules. The importan part is to add
banaction = ufw-SOMETHING to your
jail.conf, and then create
ufw-SOMETHING.conf in the
/etc/fail2ban/action.d/ folder with the following content:
[Definition] actionstart = actionstop = actioncheck = actionban = ufw insert 1 deny from <ip> to any actionunban = ufw delete deny from <ip> to any
This will ban the IP completely for a predefined amount of time. If you want to ban him until next reboot, omit the
fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ
Check the jail where to add the IP using
Both commands may require to be executed as sudoer. In this case add a
sudo before them.
Ban IP manually
fail2ban-client set jail_name banip xx.xx.xx.xx
udgru over 1 year
How do I ban an attacker IP with Fail2Ban manually by command line?
udgru over 8 yearsI asked for Fail2Ban, sorry ;-) What are the differences between UFW and IPTables? Which one is better?
alesc over 8 yearsThis is for Fail2Ban - at least the second half of the post. Fail2Ban cannot ban the attacker on its own. It has to trigger a firewall rule in order to successfully ban an IP. Did you check the tutorial on the link that I have provided? And regarding iptables vs. ufw: UFW runs on top of iptables. So in both cases you are using iptables, UFW just simplifies your firewall setup (rules).
B. Shea over 7 yearsSays: "with Fail2Ban .. by command line' not: 'with ufw firewall' via filter file. The fail2ban-client can add to your jails by IP as per other answers. Your answer just adds more confusion IMO for end-user. No reason to enter ufw commands into this. The default iptables action of 'reject-with icmp-port-unreachable' is just fine as well. You do highlight (some of) the versatility of fail2ban.. but that's about it.
B. Shea over 7 years
sudo iptables -nL- May help, too. Will give you a quick IP ban list (if using iptables) and show who is in each iptables jail.
Geoffrey over 4 yearsWorks great but please stop telling people to use
sudoeverywhere, to anyone running a server where fail2ban is required it's blatantly obvious that
rootaccess is required to alter the firewall, and in some cases
sudoisn't even available in some high security or embedded configurations.
symcbean almost 4 years"in some cases sudo isn't even available in some high security or embedded configurations" - I've worked with highly secure systems where sudo is the only way to get root - and the question was tagged as Ubuntu which does not allow direct access to the root account by default.
Sam Sirry over 3 yearsTip: To unban an address, use the same command with "unbanip" instead of "banip"
Altimus Prime over 3 yearsWhat is -vvv for?
localsixosix over 3 years@AltimusPrime increases verbosity of the output. It's much more verbose than -v
Gwyneth Llewelyn about 3 yearsTip #2: You can now ban/unban multiple IPs, using
fail2ban-client -vvv set JAIL banip A.B.C.D E.F.G.H.I J.K.L.M .... W.X.Y.Z
Alan Porter almost 3 yearsAn aside for those arguing about the merits of specifying "sudo" before admin commands: if you're tired of prefixing every command with "sudo", and you'd like to just get a root shell like in the good old days, you can use "sudo -s" to get a local root shell or "sudo -i" to get a LOGIN root shell. Thanks for the fail2ban help.
fcm almost 3 years
fail2ban-client set sshd banip 22.214.171.124
fail2ban-client set sshd unbanip 126.96.36.199
Jared Still over 2 yearsWhile this works, it is only temporary. I have used it to ban an IP, and fail2ban then unbanned it later. How can an ip be permanently banned? By creating a new jail?
Jared Still over 2 yearsReplying to my own earlier comment. The answer seems to be upgrading to fail2ban 11, as it deals with repeat offenders by incrementing the ban time.
Ahmed Shehab over 2 years@JaredStill as far as I remember fail2ban by default uses sqilte database to keep track of these IPs and you need to configure the parameter actionstart to reapply the ip record from the db. check configuration documentation .
Waqas Khan about 2 yearsalso be careful with the above command, it reset my fail2ban and all trusted IPs were lost.