Fail2Ban

LogZilla App Store application: Fail2Ban

Overview

Fail2ban is an intrusion prevention framework that protects servers from brute-force attacks. It monitors log files for failed authentication attempts and automatically bans offending IP addresses by updating firewall rules. Fail2ban supports SSH, Apache, Nginx, Postfix, and many other services.

App Function

  • Parse Fail2ban syslog messages for ban/unban and detection events
  • Extract banned IP addresses, jail names, and action types
  • Categorize events (ban, unban, found, already_banned)
  • Provide dashboards for monitoring intrusion prevention activity
  • Alert on new bans and repeat offenders

Vendor Documentation

Device Configuration

Fail2ban logs to syslog by default. Configure syslog-ng to forward logs to LogZilla:

  1. Edit /etc/syslog-ng/syslog-ng.conf

  2. Add a destination and log statement:

     ```text
     destination d_logzilla { udp("logzilla-server" port(514)); };
     log { source(s_src); destination(d_logzilla); };
     ```

  3. Restart syslog-ng:

     ```bash
     systemctl restart syslog-ng
     ```

rsyslog Alternative

For systems using rsyslog, add the following to /etc/rsyslog.d/logzilla.conf (a single `@` forwards over UDP, matching the syslog-ng configuration above; `@@` would forward over TCP), then restart rsyslog:

```text
*.*    @logzilla-server:514
```

Verification

Trigger a ban (e.g., failed SSH attempts) and verify events appear in LogZilla with program name Fail2ban.

Incoming Log Format

```text
<date>,<ms> fail2ban.<class> <level> [<jail>] <action> <ip>
```

  • date - Timestamp of the log entry
  • ms - Millisecond part of the timestamp
  • class - Fail2ban component (actions, filter, server, jail)
  • level - Log level (NOTICE, INFO, WARNING, ERROR)
  • jail - Jail name (sshd, apache-auth, etc.)
  • action - Action taken (Ban, Unban, Found)
  • ip - IP address being acted upon

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | Fail2ban | Vendor name |
| Product | Intrusion Prevention | Product name |
| Event Class | security | Cross-vendor classification (security or system) |
| MitreId | T1110 | MITRE ATT&CK technique ID (security events) |
| MITRE Tactic | Credential Access | MITRE ATT&CK tactic |
| Fail2ban Class | actions | Fail2ban component (actions, filter, server) |
| Fail2ban Jail | sshd | Jail name (sshd, apache-auth, etc.) |
| Fail2ban Action | ban | Action taken (ban, unban, found, already_banned) |
| SrcIP | 192.168.1.100 | Source IP address being banned/unbanned |

Log Examples

Ban Event

```text
2023-05-01 12:34:56,789 fail2ban.actions NOTICE [sshd] Ban 192.168.1.100
```

Unban Event

```text
2023-05-01 12:45:00,123 fail2ban.actions NOTICE [sshd] Unban 192.168.1.100
```

Detection Event

```text
2023-05-01 12:30:00,456 fail2ban.filter INFO [sshd] Found 10.0.0.50 - 3 time(s)
```

Already Banned

```text
2023-05-01 12:35:00,789 fail2ban.actions NOTICE [apache-auth] iptables-multiport already banned 172.16.0.25
```

MITRE ATT&CK Mapping

| Event Type | Technique | Tactic |
|---|---|---|
| Ban | T1110 | Credential Access |
| Found | T1110 | Credential Access |
| Already Banned | T1110 | Credential Access |

All security events indicate brute force attack detection (T1110). Unban events are administrative actions and do not receive MITRE mapping.
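The parsing, categorization and MITRE tagging described in the sections above, worked as an added Python example (this is not LogZilla's or Fail2ban's own code): it applies the documented line shape `<date>,<ms> fail2ban.<class> <level> [<jail>] <action> <ip>`, sorts each line into one of the four action categories (ban, unban, found, already_banned), sets the MITRE fields only on security events as the mapping rule states, and counts repeat offenders for the "Repeated ban attempts" trigger. The sample lines are constructed to match the Log Examples plus one non-matching line; the regular expressions, the `Fail2banEvent` field names and the repeat-offender threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Line shape documented under "Incoming Log Format" (regex is an assumption):
#   <date>,<ms> fail2ban.<class> <level> [<jail>] <rest of message>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"fail2ban\.(?P<cls>\w+) +(?P<level>[A-Z]+) +\[(?P<jail>[^\]]+)\] "
    r"(?P<rest>.*)$"
)

# Message-text patterns for the four documented categories. "already banned"
# is checked first because its message carries a firewall action name in front.
ACTION_PATTERNS = [
    ("already_banned", re.compile(r"already banned (?P<ip>\S+)")),
    ("unban", re.compile(r"^Unban (?P<ip>\S+)")),
    ("ban", re.compile(r"^Ban (?P<ip>\S+)")),
    ("found", re.compile(r"^Found (?P<ip>\S+)")),
]

MITRE_TECHNIQUE = "T1110"          # brute force, per the mapping table
MITRE_TACTIC = "Credential Access"


@dataclass
class Fail2banEvent:
    """Parsed metadata fields (names are assumptions mirroring the table above)."""
    date: str
    fail2ban_class: str
    level: str
    jail: str
    action: str
    src_ip: str
    mitre_id: Optional[str]
    mitre_tactic: Optional[str]


def parse_line(line: str) -> Optional[Fail2banEvent]:
    """Return a Fail2banEvent, or None when the line is not a ban/unban/found/already-banned message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    for action, pat in ACTION_PATTERNS:
        am = pat.search(rest)
        if am:
            break
    else:
        return None  # e.g. jail start/stop notices: no IP, no category
    # Unban is administrative and receives no MITRE mapping; the rest are security events.
    security = action != "unban"
    return Fail2banEvent(
        date=m.group("date"),
        fail2ban_class=m.group("cls"),
        level=m.group("level"),
        jail=m.group("jail"),
        action=action,
        src_ip=am.group("ip"),
        mitre_id=MITRE_TECHNIQUE if security else None,
        mitre_tactic=MITRE_TACTIC if security else None,
    )


def parse_log(text: str) -> List[Fail2banEvent]:
    """Parse every line, silently skipping lines that carry no categorized event."""
    events = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [e for e in events if e is not None]


def repeat_offenders(events: List[Fail2banEvent], threshold: int = 2) -> dict:
    """IPs banned or seen already banned at least `threshold` times (threshold is an assumption)."""
    counts = Counter(e.src_ip for e in events if e.action in ("ban", "already_banned"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input: the four documented example lines, a second ban for
# an address that was already banned, and one notice without an IP.
SAMPLE_LOG = """\
2023-05-01 12:34:56,789 fail2ban.actions NOTICE [sshd] Ban 192.168.1.100
2023-05-01 12:45:00,123 fail2ban.actions NOTICE [sshd] Unban 192.168.1.100
2023-05-01 12:30:00,456 fail2ban.filter INFO [sshd] Found 10.0.0.50 - 3 time(s)
2023-05-01 12:35:00,789 fail2ban.actions NOTICE [apache-auth] iptables-multiport already banned 172.16.0.25
2023-05-01 12:50:00,000 fail2ban.actions NOTICE [sshd] Ban 172.16.0.25
2023-05-01 12:51:00,000 fail2ban.server INFO Jail 'sshd' started
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(f"{ev.date} jail={ev.jail} action={ev.action} ip={ev.src_ip} mitre={ev.mitre_id}")
    print("repeat offenders:", repeat_offenders(parsed))
```

Running the block on the constructed sample yields five events (the jail-start notice is dropped because it carries no IP) and flags 172.16.0.25 as a repeat offender, which is the condition the "Repeated ban attempts" trigger is meant to surface.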

Dashboards

| Dashboard | Description |
|---|---|
| Fail2ban: Overview | Bans, unbans, detections, repeat offenders, top banned IPs |

Triggers

| Trigger | Description |
|---|---|
| Fail2ban: MITRE ATT&CK Threat Detected | Events with MITRE technique mapping (T1110) |
| Fail2ban: IP banned | IP address banned |
| Fail2ban: Repeated ban attempts | IP already banned (persistent attacker) |