Fail2ban is a popular tool for protecting servers, including cloud VMs, from brute-force login attacks. It works by monitoring log files, detecting repeated failed login attempts from the same source, and automatically banning the offending IP addresses at the firewall for a configurable period. For detailed information about the Fail2ban software, see the project page on GitHub: https://github.com/fail2ban.

For cloud tenants in the European Weather Cloud (EWC), Fail2ban comes preconfigured on the virtual machine (VM) images, so SSH access to your VM is protected from the moment it boots. In EWC, an IP address is banned after 5 failed login attempts (maxretry = 5). Note that Fail2ban counts failures within its findtime window (10 minutes in Fail2ban's stock configuration), so the attempts need not be strictly consecutive. The ban is lifted automatically after one hour (bantime = 1h).
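How maxretry, findtime and bantime interact is easiest to see in code. The following is an added example, not code from this page or from the Fail2ban project: a minimal model of an sshd jail's counting logic run over a constructed auth log. It assumes the EWC values above (maxretry = 5, bantime = 1h), Fail2ban's stock findtime of 10 minutes, rsyslog's ISO timestamp format, and a single simplified regex in place of the real failregex in filter.d/sshd.conf.

```python
"""Added example (not from the EWC page or the Fail2ban project): a minimal
model of an sshd jail's maxretry / findtime / bantime logic, run over
constructed log lines. Real Fail2ban uses the failregex set in
filter.d/sshd.conf; the single regex below is a simplification."""
import re
from datetime import datetime, timedelta

# Simplified stand-in for the sshd failregex (an assumption, not the real filter).
# Timestamps are assumed to be in rsyslog's ISO high-precision format.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(?P<ip>[0-9.]+) port \d+"
)

# Constructed sample auth log (not real traffic). 203.0.113.7 fails five times
# within four minutes; 198.51.100.9 also fails five times, but three minutes
# apart, so at most four of its failures ever share a 10-minute window.
# The 10:30 line from 203.0.113.7 arrives while its ban is still active.
SAMPLE_LOG = [
    "2024-03-05T10:00:00+00:00 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-05T10:00:00+00:00 vm1 sshd[2102]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "2024-03-05T10:01:00+00:00 vm1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2",
    "2024-03-05T10:01:30+00:00 vm1 sshd[2104]: Accepted publickey for ubuntu from 192.0.2.20 port 50000 ssh2: ED25519 SHA256:xxxx",
    "2024-03-05T10:02:00+00:00 vm1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2",
    "2024-03-05T10:03:00+00:00 vm1 sshd[2106]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "2024-03-05T10:03:00+00:00 vm1 sshd[2107]: Failed password for invalid user pi from 203.0.113.7 port 51237 ssh2",
    "2024-03-05T10:04:00+00:00 vm1 sshd[2108]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "2024-03-05T10:06:00+00:00 vm1 sshd[2109]: Failed password for root from 198.51.100.9 port 40003 ssh2",
    "2024-03-05T10:09:00+00:00 vm1 sshd[2110]: Failed password for root from 198.51.100.9 port 40004 ssh2",
    "2024-03-05T10:12:00+00:00 vm1 sshd[2111]: Failed password for root from 198.51.100.9 port 40005 ssh2",
    "2024-03-05T10:30:00+00:00 vm1 sshd[2112]: Failed password for root from 203.0.113.7 port 51239 ssh2",
]


def evaluate_jail(lines, maxretry=5, findtime_s=600, bantime_s=3600):
    """Return {ip: (ban_start, ban_end)} for every address that reaches
    `maxretry` failures inside a sliding window of `findtime_s` seconds."""
    findtime = timedelta(seconds=findtime_s)
    bantime = timedelta(seconds=bantime_s)
    recent = {}  # ip -> timestamps of failures still inside the window
    bans = {}    # ip -> (ban_start, ban_end)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # not a failure line (e.g. "Accepted publickey"): ignored
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned: the firewall would have dropped this attempt
        hits = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            recent[ip] = []  # the counter starts over once the ban is applied
    return bans


def ban_report(lines, **params):
    """Same result as evaluate_jail, with the ban window as ISO strings."""
    return {ip: f"{start.isoformat()} -> {end.isoformat()}"
            for ip, (start, end) in evaluate_jail(lines, **params).items()}


if __name__ == "__main__":
    for ip, window in ban_report(SAMPLE_LOG).items():
        print(f"{ip} banned {window}")
```

With the EWC values only 203.0.113.7 is banned (at 10:04, until 11:04); the slower 198.51.100.9 is never banned because its fifth failure falls outside the 10-minute window. Raising findtime to 15 minutes (findtime_s=900) catches it as well, which is the knob to turn if you see slow, spread-out attempts in your logs.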

Reviewing Banned IPs

Check Fail2ban Status
To get an overview of Fail2ban, including the list of active jails (e.g., sshd):

 sudo fail2ban-client status


Check the IPs Banned by a Specific Jail (e.g., SSH)
To see which IPs are currently banned under a specific jail, such as sshd (the output includes the number of current and total bans and the banned IP list):

 sudo fail2ban-client status sshd

Managing Banned IPs

Unban an IP Address
If a legitimate IP is banned by mistake, you can manually unban it from all jails:

 sudo fail2ban-client unban <IP_ADDRESS>


The unban takes effect immediately, because Fail2ban removes the corresponding firewall rule as soon as the command is issued; no restart is needed. Restarting Fail2ban is only required after editing its configuration files.

Whitelisting IPs

Fail2ban allows you to whitelist trusted IP addresses, which will never be banned, even if their failed attempts would otherwise exceed maxretry. This is useful for known, trusted sources such as the addresses used by employees or internal services. Keep the list short: a whitelisted address is exempt from the brute-force protection entirely.

Steps to Whitelist an IP:

  1. Open the Fail2ban override file (for example with nano). Put local changes in jail.local rather than jail.conf, which is overwritten on package upgrades:

     sudo nano /etc/fail2ban/jail.local


  2. Add the IPs you wish to whitelist to the ignoreip directive, separated by spaces. Put it in the [DEFAULT] section to apply it to every jail, or inside a specific jail section (e.g., [sshd]) to apply it to that jail only. Note that a jail-level ignoreip replaces the [DEFAULT] list rather than extending it:

     [sshd]
     ignoreip = 192.168.1.1 203.0.113.50


  3. Finally, restart Fail2ban to apply the changes:

     sudo systemctl restart fail2ban


Whitelisting an IP Range
If your organization operates from a range of IPs, you can whitelist the entire range to avoid mistakenly banning legitimate users. Add the IP range in CIDR notation to the ignoreip directive:

ignoreip = 203.0.113.0/24

This directive whitelists every address from 203.0.113.0 to 203.0.113.255. Keep the range as narrow as possible: every address in it is exempt from banning, so a range that also covers untrusted hosts defeats the protection.
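Which addresses an ignoreip setting actually exempts, and the difference between placing it under [DEFAULT] and under a single jail, can be checked offline. The following is an added example, not from this page or from Fail2ban: it reads a constructed jail.local, resolves the effective ignoreip list for a jail the way Fail2ban's INI inheritance does (a jail-level value replaces the [DEFAULT] one rather than extending it), and tests candidate addresses against it with Python's ipaddress module. Fail2ban additionally accepts hostnames in ignoreip, which this example does not handle.

```python
"""Added example (not from the EWC page or the Fail2ban project): resolve the
effective ignoreip list for a jail from a jail.local-style text and check
whether a given address would be exempt from banning. Only single addresses
and CIDR ranges are handled; Fail2ban also accepts hostnames."""
import configparser
import ipaddress

# Constructed jail.local (not a real EWC file). ignoreip under [DEFAULT] is
# inherited by every jail; the [sshd] section overrides it with its own list,
# so the /24 from [DEFAULT] no longer applies to the sshd jail.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
bantime = 1h
maxretry = 5

[sshd]
enabled = true
ignoreip = 127.0.0.1/8 ::1 192.168.1.1 203.0.113.50

[apache-auth]
enabled = true
"""


def effective_ignoreip(jail_local_text, jail):
    """Return the ignoreip entries that apply to `jail` as ip_network objects.

    configparser's DEFAULT handling mirrors Fail2ban's inheritance: a key
    missing from the jail section falls back to [DEFAULT]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_local_text)
    raw = cfg.get(jail, "ignoreip", fallback="")
    # strict=False accepts host-style entries such as 127.0.0.1/8
    return [ipaddress.ip_network(entry, strict=False) for entry in raw.split()]


def is_ignored(ip, jail_local_text, jail):
    """True if `ip` matches any entry of the jail's effective ignoreip list.
    Membership tests across IP versions (v4 address vs v6 network) are False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in effective_ignoreip(jail_local_text, jail))


if __name__ == "__main__":
    for jail in ("sshd", "apache-auth"):
        nets = ", ".join(str(n) for n in effective_ignoreip(SAMPLE_JAIL_LOCAL, jail))
        print(f"[{jail}] ignoreip = {nets}")
        for candidate in ("203.0.113.50", "203.0.113.51", "192.168.1.1"):
            print(f"  {candidate}: {'ignored' if is_ignored(candidate, SAMPLE_JAIL_LOCAL, jail) else 'bannable'}")
```

Running it shows the pitfall of the per-jail form: 203.0.113.51 is exempt for apache-auth (inherited /24) but bannable for sshd, because the [sshd] ignoreip replaced the default list. If the intention is a site-wide whitelist, set ignoreip once under [DEFAULT].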

Firewall Configuration for Fail2ban on User VMs

In the European Weather Cloud (EWC), Fail2ban enforces bans by inserting rules into the VM's firewall, so a firewall must be installed, enabled and properly configured on your virtual machines (VMs). Depending on the operating system of your VM, this will typically be UFW (for Ubuntu) or firewalld (for CentOS/Rocky Linux), and Fail2ban's banaction must match the firewall in use (Fail2ban ships a ufw action, and the fail2ban-firewalld package on Enterprise Linux sets firewallcmd-rich-rules). Make sure the firewall allows the ports of the services you actually expose (at minimum SSH) before you enable it, otherwise you can lock yourself out of the VM; Fail2ban's ban rules take precedence over those allow rules.

Example for UFW (Ubuntu VMs):

  1. Allow the ports you need before enabling the firewall (at least SSH, since UFW's default policy denies incoming traffic and enabling it first could lock you out of the VM):

     sudo ufw allow ssh


  2. Enable UFW if it’s not already enabled:

     sudo ufw enable


  3. Reload UFW to apply changes (rules added with ufw allow take effect immediately; the reload is only needed if you edited the rule files under /etc/ufw by hand):

     sudo ufw reload


Example for firewalld (CentOS/Rocky Linux VMs):

  1. Start and enable firewalld:

     sudo systemctl start firewalld
     sudo systemctl enable firewalld


  2. Allow necessary ports (e.g., SSH):

     sudo firewall-cmd --permanent --add-service=ssh


  3. Reload firewalld to apply changes:

     sudo firewall-cmd --reload


Creating Another Jail (Optional)

If you need to protect additional services besides SSH, you can enable further jails in the Fail2ban configuration. jail.conf already ships definitions for many services, including a predefined [apache-auth] jail, so for those it is enough to add the section name with enabled = true to jail.local. The example below defines an Apache jail explicitly so that every parameter is visible:

  1. Open Fail2ban Configuration:

    sudo nano /etc/fail2ban/jail.local

  2. Add a New Jail Section:
    In the configuration file, add a new section for the service you wish to protect. For example, to add an Apache jail:

    [apache]
    enabled = true
    port = http,https
    # filter.d/apache-auth.conf matches failed HTTP authentication in the error log
    filter = apache-auth
    # Debian/Ubuntu path; on CentOS/Rocky Linux, httpd logs to /var/log/httpd/error_log
    logpath = /var/log/apache2/*error.log
    maxretry = 5
    bantime = 1h

  3. Restart Fail2ban to apply the changes:

     sudo systemctl restart fail2ban

