53

How do I ban an attacker IP with Fail2Ban manually by command line?

udgru

3 Answers

164

fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ

Check which jail to add the IP to using `fail2ban-client status`.

Both commands may need to be executed as a sudoer. In this case, add `sudo` before them.

Marco
  • 4
    `sudo iptables -nL` - May help, too. Will give you a quick IP ban list (if using iptables) and show who is in each iptables jail. – B. Shea Jul 13 '16 at 16:58
  • 2
    Works great but please stop telling people to use `sudo` everywhere, to anyone running a server where fail2ban is required it's blatantly obvious that `root` access is required to alter the firewall, and in some cases `sudo` isn't even available in some high security or embedded configurations. – Geoffrey May 02 '19 at 04:35
  • 3
    "in some cases sudo isn't even available in some high security or embedded configurations" - I've worked with highly secure systems where sudo is the *only* way to get root - and the question was tagged as Ubuntu which does not allow direct access to the root account by default. – symcbean Dec 02 '19 at 18:35
  • 2
    Tip: To _unban_ an address, use the same command with "unbanip" instead of "banip" – Sam Sirry Apr 12 '20 at 21:33
  • What is -vvv for? – Altimus Prime Jun 25 '20 at 02:51
  • 1
    @AltimusPrime increases verbosity of the output. It's much more verbose than -v – Marco Jun 26 '20 at 08:04
  • Tip #2: You can now ban/unban multiple IPs, using `fail2ban-client -vvv set JAIL banip A.B.C.D E.F.G.H.I J.K.L.M .... W.X.Y.Z` – Gwyneth Llewelyn Nov 07 '20 at 20:54
  • 1
    An aside for those arguing about the merits of specifying "sudo" before admin commands: if you're tired of prefixing every command with "sudo", and you'd like to just get a root shell like in the good old days, you can use "sudo -s" to get a local root shell or "sudo -i" to get a LOGIN root shell. Thanks for the fail2ban help. – Alan Porter Nov 24 '20 at 14:58
  • @Geoffrey: I don't see why "sudo" should be less secure than "su". The former requires the admin to have identified herself first, whereas a shared root password is anonymous. – Raúl Salinas-Monteagudo Dec 29 '22 at 08:09
  • @RaúlSalinas-Monteagudo you completely missed the point, it's obvious that root permissions are required to perform these tasks. `sudo` is NOT the only way to obtain root, you can login directly as root with a SSH private key for the root account for instance. People need to stop instructing others to use `sudo` blindly. It leads to people just executing commands as root without understanding the consequences of doing so. – Geoffrey Dec 30 '22 at 08:13
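
The manual ban from the answer above, wrapped in checks, as an added example that is not part of the original answers: it validates the address, confirms the jail exists via `fail2ban-client status`, refuses to ban the address of your own SSH session, and confirms the ban in `fail2ban-client status JAIL`. The function names and the `F2B` variable are assumptions of this example, it handles IPv4 only, and it must run with root privileges.

```shell
#!/bin/sh
# Added example: guarded manual ban around fail2ban-client.
# F2B is this example's own variable: the client command name (overridable for testing).
F2B=${F2B:-fail2ban-client}

# Accept only dotted-quad IPv4 with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Jail names, one per line, parsed from the "Jail list:" line of `status`.
list_jails() {
    "$F2B" status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ' ' | tr ',' '\n'
}

jail_exists() { list_jails | grep -Fqx -- "$1"; }

# True if the IP ($2) appears in the "Banned IP list:" line of `status JAIL`.
is_banned() {
    "$F2B" status "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' |
        tr ' ' '\n' | grep -Fqx -- "$2"
}

# manual_ban JAIL IP: validate, ban, then confirm the ban is listed.
manual_ban() {
    jail=$1 ip=$2
    valid_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 2; }
    jail_exists "$jail" || { echo "refusing: no jail named '$jail'" >&2; return 3; }
    own=${SSH_CLIENT:-}; own=${own%% *}   # address of the current SSH session, if any
    [ "$own" != "$ip" ] || { echo "refusing: $ip is your own SSH session" >&2; return 5; }
    "$F2B" set "$jail" banip "$ip" >/dev/null || return 4
    is_banned "$jail" "$ip"
}
```

After sourcing the file, `manual_ban sshd 203.0.113.7` returns 0 only when the address shows up in the jail's banned list; `SSH_CLIENT` may be stripped by `sudo`, so the self-ban check is best effort.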
19

Ban IP manually


fail2ban-client set jail_name banip xx.xx.xx.xx


Ahmed Shehab
  • 3
    `fail2ban-client set sshd banip 11.22.33.44` `fail2ban-client set sshd unbanip 11.22.33.44` – fcm Jan 14 '21 at 13:51
  • While this works, it is only temporary. I have used it to ban an IP, and fail2ban then unbanned it later. How can an ip be permanently banned? By creating a new jail? – Jared Still Jun 09 '21 at 12:31
  • Replying to my own earlier comment. The answer seems to be upgrading to fail2ban 11, as it deals with repeat offenders by incrementing the ban time. – Jared Still Jun 09 '21 at 13:16
  • 1
    @JaredStill as far as I remember, fail2ban by default uses an SQLite database to keep track of these IPs, and you need to configure the parameter actionstart to reapply the IP record from the db. Check the configuration documentation. – Ahmed Shehab Jun 09 '21 at 13:28
  • 1
    Also be careful with the above command; it reset my fail2ban and all trusted IPs were lost. – Waqas Khan Oct 15 '21 at 14:45
-18

You ban him manually by adding his IP to the firewall. If you are using UFW, then you write something like this in your command line:

ufw insert 1 deny from <ip> to any

But you do not want to do that manually - the purpose of Fail2Ban is to ban someone automatically. Use this tutorial to configure Fail2Ban to automatically update your UFW rules. The important part is to add banaction = ufw-SOMETHING to your jail.conf, and then create ufw-SOMETHING.conf in the /etc/fail2ban/action.d/ folder with the following content:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any

This will ban the IP completely for a predefined amount of time. If you want to ban him until next reboot, omit the actionunban command.

Luke Girvin
alesc
  • 1
    I asked for Fail2Ban, sorry ;-) What are the differences between UFW and IPTables? Which one is better? – udgru Mar 12 '15 at 19:28
  • This is for Fail2Ban - at least the second half of the post. Fail2Ban cannot ban the attacker on its own. It has to trigger a firewall rule in order to successfully ban an IP. Did you check the tutorial on the link that I have provided? And regarding iptables vs. ufw: UFW runs on top of iptables. So in both cases you are using iptables, UFW just simplifies your firewall setup (rules). – alesc Mar 12 '15 at 21:22
  • 10
    Says: "with Fail2Ban .. by command line", not: "with ufw firewall" via filter file. The fail2ban-client can add to your jails by IP as per other answers. Your answer just adds more confusion IMO for end-user. No reason to enter ufw commands into this. The default iptables action of 'reject-with icmp-port-unreachable' is just fine as well. You do highlight (some of) the versatility of fail2ban.. but that's about it. – B. Shea Jul 13 '16 at 16:52