How to use fail2ban?

Apologies if this is a simple request. I have installed fail2ban and am not quite sure how I should be setting it up. I would like to activate it for SSH and luci login. I have edited the jail.conf file in the following areas:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.

mode   = normal
port    = ssh
logpath = /var/log/auth.log


[dropbear]

port     = ssh
logpath  = /var/log/auth.log

After resetting fail2ban, fail2ban-client status shows the number of jails as 0. I haven't made any changes to fail2ban.conf

Not quite sure how to proceed. Also, not certain if this is also covering luci login. Any help would be really appreciated!

that's not really an openwrt question, but a fail2ban one ....

however ...

[sshd]
enabled = true
mode = aggressive
maxretry = 2

Thanks for replying. I understand this is not the best place, but I thought that there may be specific configs for openwrt? Still not working after entering that. Do you have it set up yourself? What were the steps you took, if you don't mind me asking?

I have, but I use it on Fedora.

What doesn't work: banning, or won't the jail enable?

The jail won't enable. Apart from what I mentioned, I haven't configured anything else.

Just installed it on openwrt.

It's (in my case) because the log file the ssh jail is supposed to read doesn't exist;
if I create an empty file (by touch), the jail gets enabled.

Thanks for that - I had to enable the log to be written to a file. Then created a jail.local file, and I have SSH protection by enabling the dropbear jail.

Is there a way to also protect against LUCI logins? It doesn't seem to support uhttpd, but I just want to check I'm not missing anything.

Thanks for the help.

Don't think so, but I don't run it on openwrt.

Check if lighttpd still is supported, could just replace the web server...

Another option is to write your own rules, for uhttpd, it's no rocket science.

Thanks. I'll look into that!

Could you be more specific, I'm trying to do the same thing?

Is the log named /var/log/dropbear?
Please share your jail.local.

If you read the whole thread, you'll notice it isn't.

Unsure why you assumed that I hadn't read the whole thread; the answer is to touch /var/log/auth.log.
Thanks I suppose..


Then you'd have known the file name wasn't dropbear, and you're welcome.

Thank you. It solved the problem of not loading the jail for me. Thumbs up.

2023-03-03 13:04:20,761 fail2ban                [17709]: ERROR   NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist

I have it working for dropbear (SSH)

I only needed the fail2ban package

You need it to be able to see a log file (would like to know if it can read from the logread socket)

uci set system.@system[0].log_file='/var/log/system.log'

Configure the jail:

/etc/fail2ban/jail.local

[DEFAULT]
action = nftables[type=multiport]

[dropbear]
enabled = true
logpath = /var/log/system.log

And to set up the regexes for the current version of OpenWRT:
/etc/fail2ban/filter.d/dropbear.local

[Definition]
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
            ^[Ee]xit before auth from <<HOST>:\d+>:\s.*$

I added only the last regex to the default set in dropbear.conf

This then sets up a new table and blocks:

$ nft list ruleset
...
table inet f2b-table {
	set addr-set-dropbear {
		type ipv4_addr
		elements = { 20.228.150.123, 20.235.121.96 }
	}

	chain f2b-chain {
		type filter hook input priority filter - 1; policy accept;
		tcp dport 22 ip saddr @addr-set-dropbear reject with icmp port-unreachable
	}
}

I would also recommend setting up logrotate:

/var/log/system.log {
        rotate 14
        daily
        compress
        delaycompress
        postrotate
                /etc/init.d/log restart
        endscript
}

/var/log/fail2ban.log {
        rotate 14
        daily
        compress
        delaycompress
        postrotate
                /etc/init.d/fail2ban restart
        endscript
}

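To check what the dropbear.local failregex above actually catches before pointing a jail at /var/log/system.log, here is an added example (not fail2ban's code, not the poster's) that applies those four expressions to constructed OpenWrt-style log lines. The syslog-prefix stripping and the IPv4-only <HOST> expansion are simplifications of what fail2ban does internally.

```python
import re
from collections import Counter

# Added example, not fail2ban's own code: the four failregex lines from the
# dropbear.local above, with <HOST> expanded to a named IPv4 group. This is a
# simplification; fail2ban's real <HOST> also covers IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r"^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$",
    r"^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$",
    r"^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$",
    r"^[Ee]xit before auth from <<HOST>:\d+>:\s.*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# fail2ban strips the syslog prefix before applying failregex; this stand-in
# (an assumption, not fail2ban's prefix regex) drops everything up to "dropbear[pid]: ".
PREFIX = re.compile(r"^.*?dropbear\[\d+\]: ")

# Constructed log lines in OpenWrt /var/log/system.log style (documentation IPs).
SAMPLE_LOG = """\
Fri Mar  3 13:04:20 2023 authpriv.warn dropbear[1201]: Login attempt for nonexistent user 'admin' from 192.0.2.10:41234
Fri Mar  3 13:04:21 2023 authpriv.warn dropbear[1201]: Bad password attempt for 'root' from 192.0.2.10:41234
Fri Mar  3 13:04:22 2023 authpriv.info dropbear[1201]: Exit before auth (user 'root', 3 fails): Max auth tries reached - user 'root' from 192.0.2.10:41234
Fri Mar  3 13:05:01 2023 authpriv.info dropbear[1220]: Exit before auth from <198.51.100.7:40000>: Error reading: Connection reset by peer
Fri Mar  3 13:06:00 2023 authpriv.notice dropbear[1231]: Password auth succeeded for 'root' from 203.0.113.5:51000
Fri Mar  3 13:06:10 2023 daemon.info procd: - init complete -
"""

def extract_host(line):
    """Return the offending IPv4 address if the line matches a failregex, else None."""
    m = PREFIX.match(line)
    if not m:
        return None  # not a dropbear line at all
    msg = line[m.end():]
    for rx in COMPILED:
        hit = rx.match(msg)
        if hit:
            return hit.group("host")
    return None  # dropbear line, but not a failure (e.g. a successful login)

def offenders(log_text, maxretry=3):
    """Hosts with at least maxretry failures, i.e. what the jail would ban
    (findtime is ignored, so the whole text counts as one window)."""
    counts = Counter(h for h in map(extract_host, log_text.splitlines()) if h)
    return {host for host, n in counts.items() if n >= maxretry}

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))      # {'192.0.2.10'}
    print(offenders(SAMPLE_LOG, 1))   # {'192.0.2.10', '198.51.100.7'}
```

A line that should be banned but yields None here is the quickest sign that the message format on your firmware differs from the regexes (fail2ban-regex gives the same answer against the real log).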

For those that are doing this, I understand (sort of - see below) fail2ban for SSH, but for it to be relevant for Luci you have to be exposing your Luci interface to the outside world. This, especially if you have SSH set up right, should never be necessary.

As far as ssh goes, I also expose mine to the outside world, but only when all password logins are disabled. After that is done, I would suggest that trying to use fail2ban to ban the IPs where login attempts are coming from is about as useful as urinating into the wind. The number of zombie machine IP addresses these people have exceeds the netfilter table space in your device. You will just end up clogging your netfilter tables, wasting your device's ram, and reducing its performance for no actual gain in security.


Is it necessary to choose nftables-multiport on 22.03 release?
I've set iptables-multiport on another jail and iptables-allports on dropbear, and IP addresses get banned.

I only have public key enabled, so I'm not too worried about access violations, but it is more just to reduce it.

I have set mine up also to use recidive and wrote another script to take all the dropbear and recidive ip addresses, get their prefixes and AS numbers, and I ban the prefix if there are two or more IP bans for a prefix, or all prefixes from an AS if there is more than 1 prefix for that AS.

I end up with more hits on the prefix block list than I do on the ip specific ones. That said, I am currently blocking 280-odd prefixes; this is the distribution:

  Count PrefixLen
      1 10
      3 11
      5 12
      2 13
      3 14
      2 15
      3 16
      3 17
     15 18
     12 19
    198 20
      3 21
      4 22
      5 23
     21 24
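The two escalation rules described above (prefix banned at two or more banned IPs, whole AS banned at more than one banned prefix), as an added example that is not the poster's script. The prefix/AS lookup is replaced by a constructed table over documentation ranges and private-use AS numbers; a real implementation would query routing data instead.

```python
import ipaddress
from collections import Counter, defaultdict

# Added example, not the poster's script. The real script looks up each banned
# IP's prefix and AS number; here a constructed table (documentation ranges,
# private-use AS numbers) stands in for that lookup.
ROUTE_TABLE = {
    "192.0.2.0/25": 64500,
    "192.0.2.128/25": 64500,
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64502,
}
# Constructed list of IPs that the dropbear/recidive jails would have banned.
BANNED_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.130", "192.0.2.140",
              "198.51.100.7", "203.0.113.5"]

def lookup(ip):
    """Longest-prefix match of ip against ROUTE_TABLE -> (network, asn) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for pfx, asn in ROUTE_TABLE.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best

def escalate(banned_ips, min_ips=2, min_prefixes=2):
    """The thread's two rules: ban a prefix holding >= min_ips banned IPs, then
    ban every prefix of an AS once >= min_prefixes of its prefixes are banned."""
    ips_by_prefix, as_of = defaultdict(set), {}
    for ip in banned_ips:
        hit = lookup(ip)
        if hit:
            ips_by_prefix[hit[0]].add(ip)
            as_of[hit[0]] = hit[1]
    banned = {net for net, ips in ips_by_prefix.items() if len(ips) >= min_ips}
    per_as = Counter(as_of[net] for net in banned)
    for asn, n in per_as.items():
        if n >= min_prefixes:  # escalate from the seen prefixes to the whole AS
            banned |= {ipaddress.ip_network(p) for p, a in ROUTE_TABLE.items() if a == asn}
    return sorted(banned, key=lambda n: (n.network_address, n.prefixlen))

def prefixlen_histogram(nets):
    """Count per prefix length, the same shape as the table in the post."""
    return dict(Counter(n.prefixlen for n in nets))

if __name__ == "__main__":
    blocked = escalate(BANNED_IPS)
    print([str(n) for n in blocked])     # ['192.0.2.0/25', '192.0.2.128/25', '198.51.100.0/24']
    print(prefixlen_histogram(blocked))  # {25: 2, 24: 1}
```

Note that 198.51.100.0/24 is blocked with only one banned IP, purely because its AS already had two banned prefixes; 203.0.113.0/24 stays unblocked since neither rule fires for it.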