Fail2ban is a popular tool for securing cloud applications from brute-force attacks. It works by monitoring log files, detecting multiple failed login attempts, and automatically banning the offending IPs.
For cloud tenants in the European Weather Cloud (EWC), Fail2ban comes preconfigured on virtual machine (VM) images, ensuring that your application is protected from malicious attempts right from the start.
You might need to manage and monitor Fail2ban to avoid false positives, including cases when your organization uses a range of trusted IPs.
Check Banned IPs
Fail2ban automatically bans IP addresses after detecting suspicious behavior (configured here as 5 failed attempts). To review the list of currently banned IPs:
1. Check Fail2ban status. To get an overview of Fail2ban, including active jails (e.g., SSH):
sudo fail2ban-client status
2. Check the IPs banned by a specific jail (e.g., SSH). If you want to see which IPs are banned under a specific jail like SSH:
sudo fail2ban-client status sshd
This will display the list of currently banned IP addresses for that service.
Unban an IP Address
If a legitimate IP is banned by mistake, you can manually unban it:
sudo fail2ban-client unban <IP_ADDRESS>
Fail2ban allows you to whitelist trusted IP addresses, which will never be banned, even if they trigger alerts. This is particularly useful if you have known IPs, such as those used by employees or internal services.
Steps to Whitelist an IP:
1. Edit the Fail2ban configuration. Open the configuration file for the jail you want to modify (for example, SSH):
sudo nano /etc/fail2ban/jail.local
2. Add the ignoreip directive. Find the jail configuration (e.g., [sshd]) and add the IPs you wish to whitelist under ignoreip. Separate multiple IP addresses with spaces:
[sshd]
ignoreip = 192.168.1.1 203.0.113.50
3. Restart Fail2ban. To apply the changes, restart the Fail2ban service:
sudo systemctl restart fail2ban
Whitelisting an IP Range
If your organization operates from a range of IPs, you can whitelist the entire range to avoid mistakenly banning legitimate users. Add the range in CIDR notation to the ignoreip directive:
ignoreip = 203.0.113.0/24
This will whitelist all IPs in the range 203.0.113.0 to 203.0.113.255.
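The following added example (not part of the EWC documentation or of Fail2ban itself) shows how the ignoreip whitelist and the 5-attempt threshold described above interact. It reads a jail.local-style file with Python's configparser, which follows the same INI inheritance Fail2ban uses (a key missing from a jail section is taken from [DEFAULT], and a jail-level ignoreip replaces the default one rather than extending it), counts failed SSH logins per source address from a few constructed log lines, and reports which addresses would reach the ban threshold without being covered by a whitelisted address or CIDR range. The configuration text and the log lines are constructed for the example; the file is not read from a real VM.

```python
import configparser
import ipaddress
import re
from collections import Counter

# Constructed jail.local modelled on the snippets above; not a file from an EWC image.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
maxretry = 5

[sshd]
enabled = true
ignoreip = 192.168.1.1 203.0.113.0/24
"""

# Constructed sshd log lines in OpenSSH's "Failed password" format.
# 198.51.100.7 and 203.0.113.50 each fail five times; 192.0.2.9 fails once.
SAMPLE_AUTH_LOG = """\
Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Failed password for root from 198.51.100.7 port 40124 ssh2
Failed password for root from 198.51.100.7 port 40125 ssh2
Failed password for root from 198.51.100.7 port 40126 ssh2
Failed password for alice from 203.0.113.50 port 51000 ssh2
Failed password for alice from 203.0.113.50 port 51001 ssh2
Failed password for alice from 203.0.113.50 port 51002 ssh2
Failed password for alice from 203.0.113.50 port 51003 ssh2
Failed password for alice from 203.0.113.50 port 51004 ssh2
Failed password for bob from 192.0.2.9 port 6000 ssh2
Accepted publickey for alice from 203.0.113.50 port 51010 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2")


def load_jail(config_text, jail):
    """Return (ignored networks, maxretry) for one jail.

    configparser resolves missing keys from [DEFAULT] exactly like Fail2ban's
    INI inheritance, so a jail that sets its own ignoreip overrides the default
    list instead of merging with it.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    raw = parser.get(jail, "ignoreip", fallback="")
    # Bare addresses become /32 (IPv4) or /128 (IPv6) networks; CIDR ranges stay as written.
    networks = [ipaddress.ip_network(token, strict=False) for token in raw.split()]
    maxretry = parser.getint(jail, "maxretry", fallback=5)
    return networks, maxretry


def is_ignored(ip, networks):
    """True if `ip` falls inside any whitelisted address or range."""
    addr = ipaddress.ip_address(ip)
    # Membership across IP versions is simply False, so mixed v4/v6 lists are safe.
    return any(addr in net for net in networks)


def count_failures(log_text):
    """Count failed-password events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def would_be_banned(log_text, config_text, jail="sshd"):
    """Addresses at or above maxretry that are not covered by ignoreip, sorted."""
    networks, maxretry = load_jail(config_text, jail)
    failures = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= maxretry and not is_ignored(ip, networks))


if __name__ == "__main__":
    nets, limit = load_jail(SAMPLE_JAIL_LOCAL, "sshd")
    print("sshd ignoreip:", [str(n) for n in nets], "maxretry:", limit)
    print("failures per IP:", dict(count_failures(SAMPLE_AUTH_LOG)))
    print("would be banned:", would_be_banned(SAMPLE_AUTH_LOG, SAMPLE_JAIL_LOCAL))
```

With the constructed input, 203.0.113.50 reaches five failures but is inside the whitelisted 203.0.113.0/24 range, so only 198.51.100.7 is reported. Note that 127.0.0.1 is no longer ignored for the sshd jail, because the jail's own ignoreip line replaced the [DEFAULT] list; keep loopback and management addresses in every jail-level list, or put the whole list under [DEFAULT].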