How to ban IP with Fail2Ban manually by command line?
Solution 1
You ban him manually by adding his IP to the firewall. If you are using UFW, then you write something like this in your command line:
ufw insert 1 deny from <ip> to any
But you do not want to do that manually - the purpose of Fail2Ban is to ban someone automatically. Use this tutorial to configure Fail2Ban to automatically update your UFW rules. The important part is to add banaction = ufw-SOMETHING to your jail.conf, and then create ufw-SOMETHING.conf in the /etc/fail2ban/action.d/ folder with the following content:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any
This will ban the IP completely for a predefined amount of time. If you want to ban him until next reboot, omit the actionunban command.
Solution 2
fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ
Check the jail where to add the IP using fail2ban-client status
Both commands may need to be executed as a sudoer. In this case add a sudo before them.
Solution 3
Ban IP manually
fail2ban-client set jail_name banip xx.xx.xx.xx
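The fail2ban-client commands from Solutions 2 and 3, wrapped as an added example (not part of the original answers and not Fail2Ban's own code): a POSIX shell sketch that validates the address, refuses addresses you must not lock out, checks that the jail exists and confirms the ban in the jail status. F2B, NEVER_BAN, the function names, the return codes and the accepted jail-name characters are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: guarded manual ban via fail2ban-client (POSIX sh).
# F2B and NEVER_BAN are names invented for this sketch, not Fail2Ban settings.
F2B="${F2B:-fail2ban-client}"          # client binary to call
NEVER_BAN="${NEVER_BAN:-127.0.0.1}"    # space-separated addresses to refuse

# valid_ipv4 ADDR: succeed only for four dot-separated octets, each 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ban_ip JAIL ADDR: validate input, ban, then confirm the ban took effect.
# Returns 2 bad input, 3 protected address, 4 unknown jail, 5 ban not confirmed.
ban_ip() {
    jail=$1 ip=$2
    case "$jail" in   # assumed jail-name character set: letters, digits, _ and -
        ''|*[!A-Za-z0-9_-]*) echo "bad jail name: $jail" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    for protected in $NEVER_BAN; do
        if [ "$ip" = "$protected" ]; then
            echo "refusing to ban protected address $ip" >&2; return 3
        fi
    done
    # "status JAIL" exits non-zero when the jail does not exist.
    "$F2B" status "$jail" >/dev/null 2>&1 || { echo "no such jail: $jail" >&2; return 4; }
    "$F2B" set "$jail" banip "$ip" >/dev/null || return 5
    # The jail status has a "Banned IP list:" line; the address must be on it.
    "$F2B" status "$jail" | grep -F "IP list" | grep -qwF -- "$ip" || return 5
    echo "banned $ip in jail $jail"
}

# Usage: ./ban.sh JAIL ADDR   (run as root, or through sudo)
if [ "$#" -eq 2 ]; then ban_ip "$1" "$2"; fi
```

Put your own management address in NEVER_BAN before using it, so a typo cannot lock you out of the server.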
udgru
Updated on July 09, 2022
Comments
-
udgru over 1 year
How do I ban an attacker IP with Fail2Ban manually by command line?
-
udgru over 8 years
I asked for Fail2Ban, sorry ;-) What are the differences between UFW and IPTables? Which one is better?
-
alesc over 8 years
This is for Fail2Ban - at least the second half of the post. Fail2Ban cannot ban the attacker on its own. It has to trigger a firewall rule in order to successfully ban an IP. Did you check the tutorial on the link that I have provided? And regarding iptables vs. ufw: UFW runs on top of iptables. So in both cases you are using iptables, UFW just simplifies your firewall setup (rules).
-
B. Shea over 7 years
Says: 'with Fail2Ban .. by command line' not: 'with ufw firewall' via filter file. The fail2ban-client can add to your jails by IP as per other answers. Your answer just adds more confusion IMO for end-user. No reason to enter ufw commands into this. The default iptables action of 'reject-with icmp-port-unreachable' is just fine as well. You do highlight (some of) the versatility of fail2ban.. but that's about it.
-
B. Shea over 7 years
sudo iptables -nL - May help, too. Will give you a quick IP ban list (if using iptables) and show who is in each iptables jail.
-
Geoffrey over 4 years
Works great but please stop telling people to use sudo everywhere, to anyone running a server where fail2ban is required it's blatantly obvious that root access is required to alter the firewall, and in some cases sudo isn't even available in some high security or embedded configurations.
-
symcbean almost 4 years
"in some cases sudo isn't even available in some high security or embedded configurations" - I've worked with highly secure systems where sudo is the only way to get root - and the question was tagged as Ubuntu which does not allow direct access to the root account by default.
-
Sam Sirry over 3 years
Tip: To unban an address, use the same command with "unbanip" instead of "banip"
-
Altimus Prime over 3 years
What is -vvv for?
-
localsixosix over 3 years
@AltimusPrime increases verbosity of the output. It's much more verbose than -v
-
Gwyneth Llewelyn about 3 years
Tip #2: You can now ban/unban multiple IPs, using
fail2ban-client -vvv set JAIL banip A.B.C.D E.F.G.H.I J.K.L.M .... W.X.Y.Z
-
Alan Porter almost 3 years
An aside for those arguing about the merits of specifying "sudo" before admin commands: if you're tired of prefixing every command with "sudo", and you'd like to just get a root shell like in the good old days, you can use "sudo -s" to get a local root shell or "sudo -i" to get a LOGIN root shell. Thanks for the fail2ban help.
-
fcm almost 3 years
fail2ban-client set sshd banip 11.22.33.44
fail2ban-client set sshd unbanip 11.22.33.44
-
Jared Still over 2 years
While this works, it is only temporary. I have used it to ban an IP, and fail2ban then unbanned it later. How can an IP be permanently banned? By creating a new jail?
-
Jared Still over 2 years
Replying to my own earlier comment. The answer seems to be upgrading to fail2ban 11, as it deals with repeat offenders by incrementing the ban time.
-
Ahmed Shehab over 2 years
@JaredStill as far as I remember fail2ban by default uses sqlite database to keep track of these IPs and you need to configure the parameter actionstart to reapply the IP record from the db. Check configuration documentation.
-
Waqas Khan about 2 years
Also be careful with the above command, it reset my fail2ban and all trusted IPs were lost.