sudo apt install fail2ban
On Debian 11, also follow "How to install fail2ban on debian 11+".
We normally install these filters, with standard configurations:
nginx-botsearch (banning bots that blindly search for old software installs)
nginx-http-auth (banning bots making too many failed auth attempts)
sshd (for ssh connections)
proxmox_ui (for Proxmox web interface)
We can create a new jail to ban bots from using our web services.
In practice, we use the nginx-botsearch filter on a fake log file, and add IPs manually to the jail with a permanent bantime.
Enable fail2ban nginx-manual-ban jail with our specific configuration:
ln -s /opt/openfoodfacts-infrastructure/confs/common/fail2ban-nftables/jail.d/nginx-manual-ban.local /etc/fail2ban/jail.d/
systemctl restart fail2ban
Note: fail2ban (in recent versions) is naturally persistent across reboots. For that it uses a sqlite database in /var/lib/fail2ban/.
Like git status, the status commands are always useful when working with fail2ban. A quick look at the logs is also worthwhile.
fail2ban-client status # list all the jails currently running
fail2ban-client status sshd # show the status of a specific jail: banned addresses, etc.
tail -f /var/log/fail2ban.log # check last entries of fail2ban logs
sudo fail2ban-client status nginx-manual-ban
sudo fail2ban-client set nginx-manual-ban banip <IP>
Note that it supports IP ranges, like 123.456.789.1/24
sudo fail2ban-client set nginx-manual-ban unbanip <IP>
If the IP is part of a banned range, the whole range must be unbanned.
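
Because of the range caveat above, it helps to know which banned entry covers an address before unbanning. The following is an added example, not part of the original page or the project's scripts: a POSIX shell helper that reads `fail2ban-client status nginx-manual-ban` output and prints the covering entries. The function names and the sample output are constructed, and it assumes ranges appear in the banned list in CIDR form.

```shell
#!/bin/sh
# Added example (not from the original page): list the banned entries that
# cover an IPv4 address, so the right entry is passed to `unbanip`.

# Dotted-quad IPv4 -> integer; returns 1 on anything else (IPv6, garbage).
ip_to_int() {
  case $1 in "" | *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
  ii_ifs=$IFS; IFS=.; set -- $1; IFS=$ii_ifs
  [ $# -eq 4 ] || return 1
  for ii_o in "$@"; do
    case $ii_o in 0?* | ????*) return 1 ;; esac   # no leading zeros
    [ "$ii_o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Extract the "Banned IP list" entries from `fail2ban-client status <jail>`.
banned_entries() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# usage: fail2ban-client status nginx-manual-ban | covering_bans <ip>
covering_bans() {
  cb_target=$(ip_to_int "$1") || { echo "invalid IPv4: $1" >&2; return 2; }
  banned_entries | while read -r cb_entry; do
    case $cb_entry in */*) cb_bits=${cb_entry#*/} ;; *) cb_bits=32 ;; esac
    case $cb_bits in "" | *[!0-9]* | 0?* | ???*) continue ;; esac
    [ "$cb_bits" -le 32 ] || continue
    cb_net=$(ip_to_int "${cb_entry%/*}") || continue   # skip IPv6 entries
    cb_mask=$(( (4294967295 << (32 - cb_bits)) & 4294967295 ))
    if [ $(( cb_target & cb_mask )) -eq $(( cb_net & cb_mask )) ]; then
      echo "$cb_entry"
    fi
  done
}

# Constructed sample of the status output (documentation addresses only).
sample_status() {
  cat <<'EOF'
Status for the jail: nginx-manual-ban
`- Actions
   |- Currently banned: 4
   `- Banned IP list:   192.0.2.0/24 198.51.100.7 203.0.113.128/25 2001:db8::1
EOF
}

sample_status | covering_bans 192.0.2.77   # prints 192.0.2.0/24
```

Each printed entry is what to pass to `unbanip`; no output means the address is not covered by any IPv4 entry in the jail.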