How to configure fail2ban, and automatically report it to AbuseIPDB.

By Darren Nathanael on Wed, Jul 13, 2022 / Updated at Wed, Nov 15, 2023

What is AbuseIPDB?

AbuseIPDB provides a free API for reporting and checking IP addresses. Every day webmasters, system administrators, and other IT professionals use our API to report thousands of IP addresses engaging in spamming, hacking, vulnerability scanning, and other malicious activity in real time.

What is Fail2Ban?

Fail2ban is a tool that helps protect your public-facing Linux instances from brute-force and other automated attacks by monitoring application logs for malicious activity and banning the offending IPs.

Installation

Installing Fail2Ban

For Debian-based systems (Ubuntu and such), you can install it with apt-get:

$ apt-get update
$ apt-get install fail2ban

For RHEL-based systems (CentOS, Rocky, Alma), you need to install the EPEL repository first:

$ sudo dnf install epel-release
$ sudo dnf install fail2ban fail2ban-firewalld

Once the installation is complete, run the following command to check the service:

$ sudo systemctl status fail2ban

Fail2Ban should be enabled and running on your system. The output should look something like this:

root@mother:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-07-12 16:50:44 EDT; 20h ago
       Docs: man:fail2ban(1)
    Process: 1037325 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 1037327 (fail2ban-server)
      Tasks: 5 (limit: 7062)
     Memory: 38.9M
        CPU: 1min 24.068s
     CGroup: /system.slice/fail2ban.service
             └─1037327 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jul 12 16:50:44 mother systemd[1]: Starting Fail2Ban Service...
Jul 12 16:50:44 mother systemd[1]: Started Fail2Ban Service.
Jul 12 16:50:45 mother fail2ban-server[1037327]: Server ready

AbuseIPDB configuration

Verify Fail2Ban AbuseIPDB module is Installed

The ability to report abusive IPs directly to AbuseIPDB was added to the master Fail2Ban repository in v0.10.0 (January 2017). If you have an older version of Fail2Ban installed on your server, you’ll either have to update Fail2Ban or install the abuseipdb.conf action file yourself. To check which version of Fail2Ban you have installed, run:

$ fail2ban-client -V

You can verify that your installation of Fail2Ban supports AbuseIPDB by checking that the action config file /etc/fail2ban/action.d/abuseipdb.conf exists. If it does not exist, you can add it manually by copying the latest config file from the Fail2Ban GitHub repository.

Create a .local file from the default jail.conf:

$ cp /etc/fail2ban/jail.{conf,local}

Activate AbuseIPDB Reporting Action

You can invoke the AbuseIPDB action from some or all of the jails configured in jail.local. The action must be called with two parameters: your AbuseIPDB API key, and the abuse category (or categories) you would like to report the IP for. If these parameters are missing or invalid, your reports will fail.

%(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]

This line must be added to each jail for which you want to activate AbuseIPDB reporting.

Let's configure it. Edit jail.local with your favorite text editor:

$ nano /etc/fail2ban/jail.local

Find the [sshd] section and edit it so it looks something like this:

[sshd]
enabled = true

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]

Make sure to change my-api-key to your own AbuseIPDB API key!

Here’s a table of some of the most popular AbuseIPDB report categories for customizing your reports:

Category         ID
FTP Brute-Force   5
Port Scan        14
Hacking          15
Brute-Force      18
Bad Web Bot      19
SSH              22
Web App Attack   21

Once you have updated your jail.local configuration, save the file and reload Fail2Ban so it picks up the new configuration:

$ fail2ban-client reload

If your configuration is correct, Fail2Ban will run the AbuseIPDB action each time a new IP is banned. Log in to AbuseIPDB, open your reported IPs page, and watch as Fail2Ban starts automatically reporting IPs under your account!

That's it! gtfo and enjoy your super secure server.