Fail2Ban Setup Guide for Ubuntu Server

Block malicious IPs with /24 subnet banning for an Apache2 web server.

1. Install Fail2Ban

sudo apt update
sudo apt install fail2ban -y

2. Create Custom Subnet Ban Action

Create a custom action that bans entire /24 subnets (256 IPs) instead of individual IPs:

sudo vim /etc/fail2ban/action.d/iptables-subnet.conf

Add the following content:

[Definition]
actionban = iptables -I INPUT -s <ip>/24 -j DROP
actionunban = iptables -D INPUT -s <ip>/24 -j DROP

3. Create Filters

3.1 Block /search Requests

Create a filter to catch spam bots hitting search endpoints:

sudo vim /etc/fail2ban/filter.d/apache-search.conf

Add the following content:

[Definition]
failregex = ^<HOST> .* "(GET|POST) /search\?.*"
ignoreregex =

3.2 Block PHP Requests

Create a filter to catch any request containing "php" in the URL:

sudo vim /etc/fail2ban/filter.d/apache-php.conf

Add the following content:

[Definition]
failregex = ^<HOST> .* "(GET|POST) .*php.*"
ignoreregex =

This filter will catch:

4. Configure Jails

Create the jail configuration file:

sudo vim /etc/fail2ban/jail.local

Add the following content:

[apache-search]
enabled = true
port = http,https
filter = apache-search
logpath = /var/log/apache2/protonchat.access.log
backend = auto
maxretry = 1
findtime = 86400
bantime = 432000
banaction = iptables-subnet

[apache-php]
enabled = true
port = http,https
filter = apache-php
logpath = /var/log/apache2/protonchat.access.log
backend = auto
maxretry = 1
findtime = 86400
bantime = 432000
banaction = iptables-subnet
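To see what the two filters above and the iptables-subnet action would do together before turning the jails loose on live traffic, here is an added Python example (not part of the original guide or of fail2ban itself) that expands <HOST> the way fail2ban does, runs the guide's failregex lines over constructed Apache log lines, and maps each flagged IP to the /24 the action would DROP. The HOST_RE stand-in, the sample log lines and the function names are assumptions made for this example; the real <HOST> expansion also accepts IPv6 addresses and hostnames.

```python
import ipaddress
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from this guide's filter files, verbatim.
FILTERS = {
    "apache-search": r'^<HOST> .* "(GET|POST) /search\?.*"',
    "apache-php": r'^<HOST> .* "(GET|POST) .*php.*"',
}

# Constructed Apache combined-format log lines using documentation-range
# addresses (RFC 5737); none of this is real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /search?q=cheap+pills HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2024:10:00:04 +0000] "GET /about HTTP/1.1" 200 300 "-" "php-curl-class/9.0"',
    '203.0.113.99 - - [10/Jan/2024:10:00:05 +0000] "POST /search?q=test HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> before compiling, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(filter_name: str, lines) -> list:
    """Source IPs of every line the named filter flags, in log order."""
    pattern = compile_failregex(FILTERS[filter_name])
    return [m.group("host") for line in lines if (m := pattern.search(line))]


def subnet_for(ip: str) -> str:
    """The /24 that the iptables-subnet action DROPs for one offending IP."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def banned_subnets(filter_name: str, lines, maxretry: int = 1) -> list:
    """Subnets that end up blocked: hosts with >= maxretry hits, mapped to their /24.

    fail2ban counts hits per IP (not per subnet); the /24 widening only
    happens in the ban action, which is what this function reproduces.
    """
    hits = {}
    for host in matching_hosts(filter_name, lines):
        hits[host] = hits.get(host, 0) + 1
    return sorted({subnet_for(h) for h, n in hits.items() if n >= maxretry})
```

Running it shows two things worth knowing before enabling the jails: the apache-php regex flags the fourth sample line even though "php" only appears in its User-Agent, because the `.*php.*` part is not confined to the request path; and a single hit from 203.0.113.7 blocks all of 203.0.113.0/24, including every other host sharing that subnet.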

Configuration Parameters Explained

5. Start Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl restart fail2ban

6. Verify Configuration

6.1 Check Jail Status

# List all jails
sudo fail2ban-client status

# Check specific jail
sudo fail2ban-client status apache-search
sudo fail2ban-client status apache-php

6.2 Test Regex Against Log File

sudo fail2ban-regex /var/log/apache2/protonchat.access.log /etc/fail2ban/filter.d/apache-search.conf
sudo fail2ban-regex /var/log/apache2/protonchat.access.log /etc/fail2ban/filter.d/apache-php.conf

6.3 Verify IPTables Rules

sudo iptables -L INPUT -n | grep "/24"

Expected output:

DROP       0    --  103.3.220.0/24       0.0.0.0/0
DROP       0    --  102.89.75.0/24       0.0.0.0/0
DROP       0    --  125.164.122.0/24     0.0.0.0/0

7. Useful Management Commands

7.1 View Banned IPs

# View all banned IPs for a jail
sudo fail2ban-client get apache-search banned

# View jail status with ban list
sudo fail2ban-client status apache-search

7.2 Unban IPs

# Unban a specific IP
sudo fail2ban-client set apache-search unbanip 1.2.3.4

# Unban all IPs from all jails
sudo fail2ban-client unban --all

7.3 Monitor Logs

# Watch fail2ban activity in real-time
sudo tail -f /var/log/fail2ban.log

8. File Locations Summary

  1. Main config: /etc/fail2ban/jail.conf (do not edit)
  2. Custom jails: /etc/fail2ban/jail.local
  3. Filters: /etc/fail2ban/filter.d/
  4. Actions: /etc/fail2ban/action.d/
  5. Fail2ban log: /var/log/fail2ban.log