Fail2ban is a popular tool for securing cloud applications from brute-force attacks. It works by monitoring log files, detecting multiple failed login attempts, and automatically banning the offending IPs. For detailed information about fail2ban software you are welcome to visit the project page on github: https://github.com/fail2ban

For cloud tenants in the European Weather Cloud (EWC), Fail2ban comes preconfigured on virtual machine (VM) images, ensuring that your application is protected from malicious attempts right from the start. In EWC this is implemented as 5 consecutive failed attempts (maxretry = 5). It's worth mentioning that the ban is lifted after an hour (bantime = 1h).

To review the list of currently banned IPs you can:

• Check Fail2ban Status
  To get an overview of Fail2ban, including active jails (e.g., SSH):
  sudo fail2ban-client status

• Check the IPs Banned by a Specific Jail (e.g., SSH)
  If you want to see which IPs are banned under a specific jail like SSH:
  sudo fail2ban-client status sshd
  
  This will display the list of currently banned IP addresses for that service.

Managing banned IP's:

• Unban an IP Address
  If a legitimate IP is banned by mistake, you can manually unban it:
  sudo fail2ban-client unban <IP_ADDRESS>

• Whitelisting IPs
  Fail2ban allows you to whitelist trusted IP addresses, which will never be banned, even if they trigger alerts. This is particularly useful if you have known IPs, such as those used by employees or internal services.
  
  Steps to Whitelist an IP:

1. 1. Edit Fail2ban Configuration
      Open the configuration file for the jail you want to modify (for example, SSH):
      sudo nano /etc/fail2ban/jail.local


   2. Add IPs to the ignoreip Directive
      Find the jail configuration (e.g., [sshd]), and add the IPs you wish to whitelist under ignoreip.
      Separate multiple IP addresses with spaces:
      [sshd]
ignoreip = 192.168.1.1 203.0.113.50


   3. Restart Fail2ban to apply the changes:
      sudo systemctl restart fail2ban

• Whitelisting an IP Range
  If your organization operates from a range of IPs, you can whitelist the entire range to avoid mistakenly banning legitimate users.
  Add the IP range in CIDR notation to the ignoreip directive:
  ignoreip = 203.0.113.0/24
  
  This will whitelist all IPs in the range 203.0.113.0 to 203.0.113.255.