Jul 16, 2013

As I have mentioned before, fail2ban is a daemon that scans defined log files and bans IPs that show malicious signs — too many password failures, probing for exploits, etc. It is a must-have tool, especially if you want to allow ssh access from outside your local network. It is an automated script that scans the log files for you and jails the intruders. It supports a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc.) and can be integrated with your iptables. It can also be configured to prevent WordPress spamming and unwanted intrusions. And, yes, it works! Just look here: fail2ban log.


Fail2ban requires Python 2.4 (or higher) installed on your system. To make sure it’s there, type:

dpkg --get-selections | grep python

If you don’t know how to install Python, try THIS automated script (remember to make it executable with sudo chmod ugo+x python27_on_debian.sh).

To install fail2ban on Raspbian, type (to install the software from sources, head here):

sudo apt-get install fail2ban

The daemon should start automatically, but if it doesn’t, try executing the sudo service fail2ban start command.


You can configure fail2ban to cooperate with any service you want – ssh, ftp, web server, anything that connects to the internet and might be vulnerable to external attacks. It’s really easy to set up fail2ban jails that tell the daemon where to look for intrusions, how many of them to allow before banning the intruder, and for how long. Rather than copy-pasting every single bit of the world wide web, for the default configuration of the software, head here.


The service is driven by jail configuration files, which contain the declarations of your jails. By default, they contain examples of what might be configured. Every jail can be customized by tuning the following options:

Jail Options (option, default value, description):

filter (default: none): Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail.
logpath (default: /var/log/messages): Path to the log file which is provided to the filter.
maxretry (default: 3): Number of matches (i.e. the value of the counter) which triggers the ban action on the IP.
findtime (default: 600 sec): The counter is set to zero if no match is found within "findtime" seconds.
bantime (default: 600 sec): Duration (in seconds) for the IP to be banned. A negative number means a "permanent" ban.

Fail2ban filters are located in the /etc/fail2ban/filter.d/ directory by default. They contain the regular expressions used to detect break-in attempts, password failures, etc. For example, filter.d/sshd.conf contains 3 possible regular expressions to match the lines of the logfile:

This corresponds to log lines such as:

Jul 13 00:44:53 RaspberryPi sshd[19445]: Failed password for invalid user nobody from port 54516 ssh2

And, depending on the maximum number of matches you’ve allowed, bans the recorded IP and logs it to the /var/log/fail2ban.log file:

2013-07-13 00:44:53,400 fail2ban.actions: WARNING [ssh] Ban

and unbans it after the set period of time:

2013-07-14 00:44:53,400 fail2ban.actions: WARNING [ssh] Unban

Integrating fail2ban with WordPress

You probably have some plugins installed already, such as Akismet, that catch spam on your blog, but it’s a good idea, especially if you run a Raspberry Pi with an SD card that has a relatively short lifespan, to integrate fail2ban with the existing service. Many spammers post a huge number of comments from a single IP. The volume, even if they’ve been correctly marked as spam, makes it difficult to monitor the spam queue. Even if spam never appears on your blog, it still wastes valuable resources of your server. Low-memory servers need all available resources for serving legitimate users. Banning spammers at the firewall before they ever connect to your web server is very efficient. There is a script for that purpose – spam-log – that you install into your WordPress plugins. What does it do?

Spam-log simply logs a message every time a comment is marked as spam. Each message contains the IP address of the spammer and the comment ID. Then the log is processed by fail2ban, which bans the misbehaving IP.

Spam-log: Installation

1. Go into your WordPress plugin directory:

cd /path/to/your/wp-content/plugins

2. Download the plugin with wget:

wget http://static.shadypixel.com/files/spam-log-0.1.tar.gz

3. Unpack it to your WordPress plugin folder (if that doesn’t work, add sudo at the beginning of the command):

tar xvzf spam-log-0.1.tar.gz

4. Activate the plugin through the WordPress Admin menu.

5. Set the location of the spam log through Spam Log’s Options page in the WordPress Admin menu. By default, the location is set to wp-content/spam.log. The file or its containing directory needs to be writable by the user that the web server runs as. On Debian or Ubuntu systems, you can do the following:

sudo touch /path/to/spam.log
sudo chown www-data:www-data /path/to/spam.log

fail2ban: Configuration

1. Create the spam-log filter configuration file:

sudo nano /etc/fail2ban/filter.d/spam-log.conf

with the following contents:

2. Add the following lines to /etc/fail2ban/jail.local:

This configuration will ban an IP address for a day if it’s used to post 5 comments within an hour that are marked as spam. You can change maxretry to suit your needs, but be cautious about decreasing it, as there’s a risk that you will ban legitimate users.
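To make the jail options from the table concrete, here is a small Python model of one jail, written for this post (it is not fail2ban's own code): it applies a failregex containing fail2ban's <HOST> placeholder to log lines, counts matches per address inside the findtime window, bans at maxretry and unbans after bantime. It is run over constructed sshd lines with the [ssh] defaults from the table; calling run_jail with maxretry=5, findtime=3600, bantime=86400 models the spam-log jail just described. The IPv4-only <HOST> pattern, the trimmed syslog lines and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque

# Illustration written for this post, not fail2ban's own code. It mimics the
# jail options: count filter matches per host inside a findtime window, ban at
# maxretry, unban after bantime. <HOST> is fail2ban's placeholder for the
# offending address; the real pattern is broader than this IPv4-only one.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def run_jail(log, failregex, maxretry, findtime, bantime):
    """Run one jail over (seconds, line) pairs; return (time, action, host) events."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = defaultdict(deque)   # host -> timestamps of recent matches
    banned = {}                 # host -> time at which the ban expires
    events = []
    for ts, line in log:
        for host, until in list(banned.items()):   # lift expired bans first
            if ts >= until:
                events.append((until, "Unban", host))
                del banned[host]
        m = pattern.search(line)
        if not m or m.group("host") in banned:
            continue
        host = m.group("host")
        q = hits[host]
        q.append(ts)
        while ts - q[0] > findtime:   # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts + bantime
            events.append((ts, "Ban", host))
            q.clear()
    return events

# Constructed sshd sample: the syslog prefix is trimmed and the addresses are
# made up (the sshd line quoted earlier in the post lacks its address).
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
SSHD_LOG = [
    (10, "sshd[19445]: Failed password for invalid user nobody from 203.0.113.7 port 54516 ssh2"),
    (20, "sshd[19445]: Failed password for invalid user admin from 203.0.113.7 port 54517 ssh2"),
    (30, "sshd[19445]: Failed password for root from 203.0.113.7 port 54518 ssh2"),
    (40, "sshd[19460]: Failed password for pi from 192.0.2.20 port 51000 ssh2"),
    (700, "sshd[19470]: Accepted publickey for pi from 192.0.2.20 port 51001 ssh2"),
]

def sshd_events():
    """The [ssh] jail with the table defaults: maxretry 3, findtime and bantime 600 s."""
    return run_jail(SSHD_LOG, SSHD_FAILREGEX, maxretry=3, findtime=600, bantime=600)
```

The third failure from 203.0.113.7 at t=30 s triggers the ban and the 700 s line lifts it at t=630 s, while 192.0.2.20 with a single failure is never touched.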

Stay tuned for more security advice coming soon!


    I’ve installed fail2ban some time ago, but it blocked my Raspberry completely, so I don’t use it now. I’m connected to the internet all the time and have never been hacked, so I think it’s useless…

    • http://www.bartbania.com/ Bart Bania

      Huh, maybe you wanted to configure too many services at a time, or your iptables interfered with fail2ban. It works smoothly for me, no problems at all. And it has already blocked several attempted attacks on my ssh port, most of which were coming from China… I wouldn’t say it’s useless; in fact, it’s very helpful in securing your machine – it automates all the work you would have to do with iptables alone.
      You say you’ve never been attacked? Then you must be the one in a million lucky fella!

  • Przemo

    Thanks for the post! I just installed fail2ban after I discovered _tons_ of failed login attempts in auth.log.
    @SDTRMG you are not for real, are you? fail2ban useless just because you have never been hacked?? BTW how do you know that you have not been hacked? :-)

    • http://www.bartbania.com/ Bart Bania

      Yup, it’s one of the most useful self-defence tools on Linux. Works silently with minimal resources and blocks, in my case, mostly the so-called hackers who just try different usernames. Good to have it on board.

  • Pingback: Links: Raspberry Pi / Linux security series » TechNotes

  • Pingback: Rsync backup Synology to Raspberry Pi - Alexander's Blog