Fail2ban is a free and open-source intrusion prevention software framework written in Python. It is used to prevent your server from brute-force attacks by continuously monitoring various service logs for unauthorized access. Fail2ban automatically blocks the client’s IP address after too many failed login attempts and other malicious activities attempting to gain access to your server. Using Fail2ban, you can secure various services such as SSH, vsftpd, nginx, Apache, etc.
However, for various reasons, you may need to allow certain IP addresses access to your server, even if they have been banned by Fail2ban. This tutorial will teach you how to whitelist IP addresses in Fail2ban.
Prerequisites
- A pre-configured system with Fail2ban.
- A user with sudo or root privileges.
Identify the Fail2ban configuration file jail:
Usually, the Fail2ban configuration file is located in the /etc/fail2ban/ directory with the name jail.conf. For best practices, it is recommended that instead of modifying jail.conf, you create a new file called jail.local. Any settings you provide in this file will override the configuration settings in the jail.conf file.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localModify the configuration file
After copying the configuration file as jail.local, you need to modify this file. Open jail.local in any text editor to make modifications.
sudo vim /etc/fail2ban/jail.localHere, look for the [DEFAULT] section, and search for the following line:
#ignoreip = 127.0.0.1/8 ::1You need to uncomment or add this line and include the IP addresses that you want to whitelist.
ignoreip = 127.0.0.1/8 ::1 your_ip_addressHere, 'your_ip_address' represents the single or multiple IP addresses that you want to whitelist. You can add multiple IP addresses using spaces or use CIDR notation for a range of addresses.
In our case, we want to whitelist single IP address 206.189.186.84 and subnet range 192.168.1.0/24, So the line should be like as shown below:
ignoreip = 127.0.0.1/8 206.189.186.84 192.168.1.0/24Save and exit the editor.
Restart the Fail2ban service
After modifying the configuration file, you need to restart the Fail2ban service to apply the changes, To do so, execute the command below in the terminal:
sudo systemctl restart fail2banVerify the Whitelisted IPs
To check the jail list:
sudo fail2ban-client statusYou can verify your whitelisted IP addresses by running the below command:
sudo fail2ban-client status jail_nameYou can also check the Fail2ban log or try accessing the server using that IP address to confirm whether the IP address has been whitelisted or not.
Example:
Let’s manually ban an IP address 192.168.1.51, using the command below:
sudo fail2ban-client set sshd banip 192.168.1.51To verify the same, execute the following command:
sudo fail2ban-client status sshdOutput:
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 1
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.51Here, you can see the 192.168.1.51 IP address is in the banned IP list.
Let’s whitelist 192.168.1.51 by modifying the jail.local file.
sudo vim /etc/fail2ban/jail.localAnd add 192.168.1.51 IP address to it.
ignoreip = 127.0.0.1/8 206.189.186.84 192.168.1.0/24 192.168.1.51Now, restart the fail2ban service to apply the changes we just made.
sudo systemctl restart fail2banNext, run the below command to verify whether the IP address is whitelisted or not.
sudo fail2ban-client status sshdOutput:
Status for the jail: sshd
|- Filter
| |- Currently failed: 2
| |- Total failed: 3
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:Here, You can see 192.168.1.51 got removed from the Banned IP list.
Conclusion
Whitelisting an address is very handy when your IP address gets blocked due to multiple login attempts or accidental. Using these features, you can allow users and services to access your server. For services like vsftpd, you can unblock users by whitelisting their IP addresses if they are banned by Fail2ban. Remember to only whitelist trusted IP addresses for your server's security.
Important note:
Currently, there is an issue with installing Fail2ban on the newer Ubuntu 24.04. We have tested this on Ubuntu 22.04.
Join our discord channel and discuss fai2ban or get direct help from the tech expert by clicking the button below