Fail2Ban (to block hammering IPs automatically)

@dickturpin · 2025-09-01 14:06 · fail2ban

Someone's knocking on the door!

Over the past week, I had my Friendica instance hammered by login attempts and bad bots.

This is the process I used to track down the culprits, configure Fail2Ban, and set up email reports so I can keep an eye on what's happening without having to live in the logs for hours on end every day.

THIS IS MY SETUP. USE IT AS A GUIDE. DON'T JUST COPY & PASTE FROM IT!

If you break it, you get to keep all the pieces.

Checking Who Was Hitting the Server

I started by looking at the Apache access logs and live connections to see where the noise was coming from:

  • sudo awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head

  • sudo ss -tn sport = :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

  • sudo ss -tn sport = :443 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
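The per-IP count above lists the top individual addresses, but a scraper spread thinly over a /16 can sit below the top ten at every single address. The following is an added example of my own, not a command from the post, that groups the same access.log lines by /8, /16 or /24 so the range itself stands out and then turns the busiest prefix into something ufw will accept. The log lines and the example.org host are constructed:

```shell
#!/bin/sh
# Added example, not from the post: the per-IP count hides a range that is spread over
# many addresses, so group hits by network prefix instead.

# Constructed access.log sample (Apache "combined" format); example.org is a stand-in host.
SAMPLE_ACCESS_LOG='8.217.12.34 - - [01/Sep/2025:09:00:01 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/login" "Mozilla/5.0"
8.217.99.7 - - [01/Sep/2025:09:00:02 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/login" "Mozilla/5.0"
8.218.5.6 - - [01/Sep/2025:09:00:03 +0100] "GET /profile/someone HTTP/1.1" 200 8123 "-" "python-requests/2.31"
8.218.5.77 - - [01/Sep/2025:09:00:04 +0100] "GET /search?q=x HTTP/1.1" 200 5120 "-" "python-requests/2.31"
8.218.200.1 - - [01/Sep/2025:09:00:05 +0100] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2025:09:00:06 +0100] "GET / HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
2001:db8::7 - - [01/Sep/2025:09:00:07 +0100] "GET / HTTP/1.1" 200 14000 "-" "Mozilla/5.0"'

# hits_by_prefix N: count requests per /8, /16 or /24 (N = 1, 2 or 3 leading octets),
# busiest prefix first. Reads log lines on stdin. IPv6 clients have no dotted quad and
# are skipped here; count them separately if you see many of them.
hits_by_prefix() {
    awk -v n="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            p = o[1]
            for (i = 2; i <= n; i++) p = p "." o[i]
            hits[p]++
        }
        END { for (p in hits) printf "%6d %s\n", hits[p], p }
    ' | sort -k1,1nr -k2
}

# cidr_for_prefix PREFIX: turn "8.218" into "8.218.0.0/16", ready for ufw or iptables.
cidr_for_prefix() {
    octets=$(printf '%s' "$1" | awk -F. '{ print NF }')
    cidr=$1
    i=$octets
    while [ "$i" -lt 4 ]; do
        cidr="$cidr.0"
        i=$((i + 1))
    done
    printf '%s/%d\n' "$cidr" $((octets * 8))
}

# Run against the sample. On the server, as root, after sourcing this file:
#   hits_by_prefix 2 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | hits_by_prefix 2
printf '%s\n' "$SAMPLE_ACCESS_LOG" | hits_by_prefix 2 | head -n 1 | { read -r count prefix; cidr_for_prefix "$prefix"; }
```

On the sample the /16 view puts 8.218 first with three hits even though no single 8.218 address appears more than once, which is exactly the case the plain per-IP count misses. Check a prefix against whois before blocking a whole /16: a shared hosting range can carry legitimate visitors as well as the bots.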

This quickly showed me that entire ranges (8.217.x.x and 8.218.x.x) were a problem. These turned out to be Alibaba in China. I had no idea they did VPS. I thought they were retail merchants.
I blocked them both at the firewall level:

  • sudo ufw deny from 8.217.0.0/16

  • sudo ufw deny from 8.218.0.0/16

  • sudo iptables -A INPUT -s 8.217.0.0/16 -j DROP

  • sudo iptables -A INPUT -s 8.218.0.0/16 -j DROP

Two things to check if you do the same. ufw evaluates its rules in order, so a "deny from" added after an existing "allow 80,443/tcp" never gets a look at the web traffic; "sudo ufw status numbered" shows the order, and "sudo ufw insert 1 deny from 8.217.0.0/16" puts the block at the top. The raw iptables rules are appended after the chains ufw already hooks into INPUT and are lost on reboot unless you save them, so once the ufw deny is in the right place they add nothing.

Installing Fail2Ban

With the worst of the noise blocked, I now had a semi-working system and set about installing Fail2Ban:

  • sudo apt update

  • sudo apt install fail2ban

Configuring the Jails

I edited the local jail configuration:

sudo vim /etc/fail2ban/jail.local

Here’s the setup that worked for me:

[DEFAULT]
# Replace MY IP with the address or range you administer from, so you can't ban yourself.
ignoreip = 127.0.0.1/8 ::1 MY IP
bantime  = 3600
findtime = 600
maxretry = 5

[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/apache2/access.log
maxretry = 3

[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache2/access.log
maxretry = 3

[friendica]
enabled  = true
filter   = friendica
# Friendica's own log file. Fail2Ban will not start a jail whose logpath does not exist.
logpath  = /var/log/friendica.log
maxretry = 5
bantime  = 3600

Handling Friendica Logins

Friendica doesn't log failed logins in the same way as many other applications. Instead of giving a straight 401 or 403, it responds with a redirect, so the request in the access log reads:

"POST /login HTTP/1.1" 302

So a failed login attempt shows up in the Apache access log as a POST /login followed by a 302 redirect back to /login. Apache's combined log format doesn't record where a 302 sends the client, but it does record the Referer, and the retries coming from the login form carry the /login page as their Referer. That's the pattern I used for my Fail2Ban filter:

sudo vim /etc/fail2ban/filter.d/friendica.conf

[Definition]
# Apache combined format: HOST - user [date] "request" status bytes "Referer" "User-Agent".
# <HOST> is Fail2Ban's placeholder for the client address; every failregex must contain it.
failregex = ^<HOST> -.* "POST /login HTTP/1\.[01]" 302 [0-9-]+ "https?://[^"]*/login"
# Nothing to exclude: the failregex already pins down method, status and Referer. An
# ignoreregex that matched every "POST /login ... 302" would cancel out every failregex hit.
ignoreregex =

And then I added a specific jail for it:

[friendica-login]
enabled   = true
port      = http,https
# the filter file created above, /etc/fail2ban/filter.d/friendica.conf
filter    = friendica
logpath   = /var/log/apache2/access.log
maxretry  = 3
findtime  = 600
bantime   = 3600
ignoreip  = 127.0.0.1/8 192.168.0.0/16
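Before trusting a hand-written filter with bans, see what its regex actually catches. This is an added example of my own rather than anything from the post: it runs the friendica filter's pattern over a handful of access.log lines and applies the jail's maxretry to the result. The log lines, the addresses and the example.org host are constructed, and the two functions stand in for what fail2ban-regex reports on the server:

```shell
#!/bin/sh
# Added example, not from the post: apply the friendica filter's regex to constructed
# access.log lines and see which clients fail2ban would count. On the server the real
# check is
#   sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/friendica.conf
# which prints the matched lines and the reason each other line was skipped.

# fail2ban swaps <HOST> for its own address pattern (IPv4, IPv6 or hostname); IPv4 is
# enough for this sample.
HOST_RE='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
FAIL_RE='^'"$HOST_RE"' -.* "POST /login HTTP/1\.[01]" 302 [0-9-]+ "https?://[^"]*/login"'

# Constructed sample; example.org stands in for the instance. Lines 1, 3, 5 and 6 are
# failures by the post's rule (POST /login, status 302, Referer is the /login page).
# Line 2 is a GET, line 4 was posted from the front page, line 7 returned 200.
SAMPLE_ACCESS_LOG='8.217.12.34 - - [01/Sep/2025:09:00:01 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/login" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2025:09:00:02 +0100] "GET /login HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
8.218.5.6 - - [01/Sep/2025:09:00:03 +0100] "POST /login HTTP/1.0" 302 - "http://example.org/login" "curl/8.5.0"
203.0.113.9 - - [01/Sep/2025:09:00:04 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/" "Mozilla/5.0"
8.217.12.34 - - [01/Sep/2025:09:00:05 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/login" "Mozilla/5.0"
8.217.12.34 - - [01/Sep/2025:09:00:06 +0100] "POST /login HTTP/1.1" 302 231 "https://example.org/login" "Mozilla/5.0"
198.51.100.4 - - [01/Sep/2025:09:00:07 +0100] "POST /login HTTP/1.1" 200 9000 "https://example.org/login" "Mozilla/5.0"'

# failed_logins: print the client address of every line the failregex matches, in log order.
failed_logins() {
    grep -E -e "$FAIL_RE" | awk '{ print $1 }'
}

# would_ban MAXRETRY: addresses with at least MAXRETRY failures. Real fail2ban also
# requires those failures to fall inside findtime (600 s in the jail); this ignores the clock.
would_ban() {
    failed_logins | sort | uniq -c | awk -v m="$1" '$1 >= m { print $2 }'
}

printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_logins
printf '%s\n' "$SAMPLE_ACCESS_LOG" | would_ban 3
```

With maxretry = 3 only 8.217.12.34 crosses the line; 8.218.5.6 is seen once and would need two more attempts inside findtime. Note that the "-" byte count and the HTTP/1.0 request on line 3 still match, which is why the filter uses [0-9-]+ and HTTP/1\.[01] rather than the narrower forms.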

Restarting and Checking Fail2Ban

Once the configs were in place I restarted Fail2Ban and checked the status. The -t option parses the configuration without touching the running service, so run it first; asking for one jail by name shows that jail's counters and the IPs it currently has banned:

  • sudo fail2ban-client -t

  • sudo systemctl restart fail2ban

  • sudo fail2ban-client status

  • sudo fail2ban-client status friendica-login

Email Reports

I installed sendmail so the server could email me reports:

  • sudo apt install sendmail

Then I created a small cron job to email me the status and last bans every three days:

sudo vim /etc/cron.d/f2b-report

# Fail2Ban status report every 3 days (cron steps by day of month, so the gap is shorter at month end).
# /usr/local/bin/f2bstatus is a local helper script that prints the status; it is not reproduced here.
# sendmail takes the headers from stdin, so the Subject: line and the blank line after it are needed.
# Replace you@example.com with your own address.
0 9 */3 * * root (echo "Subject: Fail2Ban report"; echo; echo "Fail2Ban Status"; /usr/local/bin/f2bstatus; echo; echo "Recent Bans"; /usr/local/bin/f2bstatus recent) | sendmail you@example.com
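The f2bstatus script the cron job calls isn't shown in the post. As an added example of my own, not the author's script, here is a report built from /var/log/fail2ban.log, which Fail2Ban writes by default on Debian and Ubuntu and where every ban appears as a NOTICE line of the form "[jail] Ban <ip>". The log lines are constructed and you@example.com is a placeholder:

```shell
#!/bin/sh
# Added example, not from the post: a stand-in for the f2bstatus helper that builds the
# "status" and "recent bans" parts of the mail from fail2ban's own log file.
# Cron usage after sourcing this file:  report < /var/log/fail2ban.log | sendmail you@example.com

# Constructed sample; the "Found" INFO line and the Unban line must not be counted as bans.
SAMPLE_F2B_LOG='2025-09-01 14:06:12,345 fail2ban.actions        [1234]: NOTICE  [friendica-login] Ban 8.217.12.34
2025-09-01 14:07:00,001 fail2ban.filter         [1234]: INFO    [apache-badbots] Found 8.218.5.6 - 2025-09-01 14:06:59
2025-09-01 14:07:01,002 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 8.218.5.6
2025-09-01 15:06:12,345 fail2ban.actions        [1234]: NOTICE  [friendica-login] Unban 8.217.12.34
2025-09-01 16:20:33,010 fail2ban.actions        [1234]: NOTICE  [friendica-login] Ban 198.51.100.23'

# ban_events: one "date time jail ip" line per ban, in log order. "Restore Ban" lines
# (bans re-applied from fail2ban's database after a restart) are counted as well.
# The jail name is the last bracketed field; the pid in [1234] comes before it.
ban_events() {
    awk '/ NOTICE +\[[^]]+\] (Restore )?Ban / {
        jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)
        split($2, t, ",")
        print $1, t[1], jail, $NF
    }'
}

# ban_summary: number of bans per jail, busiest jail first.
ban_summary() {
    ban_events | awk '{ n[$3]++ } END { for (j in n) printf "%4d %s\n", n[j], j }' | sort -k1,1nr -k2
}

# report: a complete message for sendmail (headers, blank line, body) from log text on stdin.
report() {
    log=$(cat)
    printf 'Subject: Fail2Ban report from %s\n\n' "$(uname -n)"
    echo "Bans per jail"
    printf '%s\n' "$log" | ban_summary
    echo
    echo "Ban events"
    printf '%s\n' "$log" | ban_events
}

printf '%s\n' "$SAMPLE_F2B_LOG" | report
```

Reading the log rather than calling fail2ban-client has one advantage for a periodic mail: fail2ban-client status only shows what is banned right now, so with a one-hour bantime a report sent at 09:00 misses everything that was banned and released overnight, while the log keeps every event. For the current state, add the output of fail2ban-client status for each jail to the body.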

Wrap Up

I've got Fail2Ban handling bad bots, Friendica logins being monitored properly, and an email in my inbox every three days reminding me which IPs have been thrown out. It took a fair amount of trial and error to arrive at this point, but this is the working configuration, and my instance is a lot happier.


My actual name is Pete. This is why I have the username

https://ecency.com/nickname/@dickturpin/dickturpin-why


You can also find me on Social Media

https://mastodon.org.uk/@dick_turpin

https://castlecannon.house/profile/dick_turpin

https://www.facebook.com/peter.cannon3


This work is licensed under a Creative Commons Attribution 4.0 International License.


FOSS, Linux & Creative Commons Advocate.

"Don’t dim your light to fit in with the shadows — shine boldly. The right people will warm to your glow, and the rest were never meant to see you clearly. And when I speak, don’t read what you think I meant; read what I wrote — because my truth isn’t up for interpretation."

#fail2ban #blog #website #linux #foss
Payout: 0.000 HBD
Votes: 27