Now that I'm monitoring my logs using centralised RSyslog, I regularly notice SSH attacks right when and as they happen. When it becomes obvious that someone's trying to brute-force SSH, I don't always wait to let fail2ban fix the issue – sometimes I ban the offending IP myself.
How To Ban Specific IP with fail2ban
Assuming a standard install, we'll use the fail2ban-client command to tell the sshd jail to ban a specific IP.
Here's how it works:
root@s1:/etc/fail2ban # fail2ban-client -vvv set sshd banip 202.70.66.228
30 7F0B121F6640 fail2ban.configreader INFO Loading configs for fail2ban under /etc/fail2ban
30 7F0B121F6640 fail2ban.configreader DEBUG Reading configs for fail2ban under /etc/fail2ban
31 7F0B121F6640 fail2ban.configreader DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
31 7F0B121F6640 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
31 7F0B121F6640 fail2ban.configparserinc TRACE Reading file: /etc/fail2ban/fail2ban.conf
31 7F0B121F6640 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
31 7F0B121F6640 fail2ban.configparserinc TRACE Shared file: /etc/fail2ban/fail2ban.conf
32 7F0B121F6640 fail2ban INFO Using socket file /var/run/fail2ban/fail2ban.sock
32 7F0B121F6640 fail2ban INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to SYSLOG
32 7F0B121F6640 fail2ban HEAVY CMD: ['set', 'sshd', 'banip', '202.70.66.228']
48 7F0B121F6640 fail2ban HEAVY OK : 1
48 7F0B121F6640 fail2ban.beautifier HEAVY Beautify 1 with ['set', 'sshd', 'banip', '202.70.66.228']
1
48 7F0B121F6640 fail2ban DEBUG Exit with code 0
Once you become comfortable, you can omit the -vvv option and skip all this verbose output:
root@s1:/etc/fail2ban # fail2ban-client set sshd banip 202.70.66.229
1
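A small wrapper I'd keep around for this, added here as an example and not part of the original post: it refuses anything that isn't a dotted-quad IPv4 address before handing it to fail2ban-client, bans it in the jail, and then confirms the ban from the "Banned IP list:" line of fail2ban-client status. The function names and the JAIL variable are my own; the status output format is assumed to be the usual one from fail2ban-client status <jail>.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): ban one IPv4 address in a
# fail2ban jail and verify it shows up in the jail's banned list.

JAIL="${JAIL:-sshd}"   # jail name, defaults to the sshd jail used above

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255, else 1.
# Anything with letters, spaces, shell metacharacters or odd dots is rejected,
# so a mistyped or copy-pasted value never reaches fail2ban-client.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the jail status text on stdin lists $1 on its "Banned IP list" line.
# -F keeps the dots literal and -w prevents 202.70.66.22 from matching ...228.
banned_in_status() {
    grep 'Banned IP list' | tr '\t' ' ' | grep -Fqw -- "$1"
}

# Validate, ban, then verify. Exit codes: 0 banned and confirmed, 1 fail2ban
# error or ban not visible, 2 invalid address.
ban_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to ban '$ip': not an IPv4 address" >&2
        return 2
    fi
    fail2ban-client set "$JAIL" banip "$ip" >/dev/null || return 1
    fail2ban-client status "$JAIL" | banned_in_status "$ip"
}

# Stand-alone use: ./banip.sh 202.70.66.228
if [ -n "${1:-}" ]; then
    ban_ip "$1"
fi
```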
That's it for today! Have fun!