Whitelist your own computer in fail2ban

Fail2ban is a great "dynamic" firewall for servers that is installed by default on many of our VPSs, and we can install it on your VPSs at your request. It protects against brute-force attacks, where an attacker is trying to guess a password or exploit certain classes of vulnerabilities on servers.

One potential problem with fail2ban and similar tools is the false positive problem, that is, banning yourself from your own VPS, particularly if you don't always get your password right. In this post, I'll explain how to fix that problem using fail2ban's whitelist feature.

Using fail2ban whitelist with a static IP address

The whitelist feature is a bit easier to set up if your internet connection has a static IP address. How do you know if it does? Unfortunately, most connections don't have them. If yours does you probably already know what it is. If you are unsure, skip to the Dynamic IP section below, which actually works regardless of whether you have one.

If you know your static IP address, log in to your VPS and edit the file /etc/fail2ban/jail.local. If that file doesn't exist, you can edit /etc/fail2ban/jail.conf instead.

Look for a line that looks like:
ignoreip = 127.0.0.1/8
Add your ip address to the end of that line, with a space before it (all IP addresses on that line are separated by spaces).

Restart fail2ban with the following command:
service fail2ban restart

If you are not confident about setting that up on your server, put in a ticket at https://rimuhosting.com/ticket/startticket.jsp and we'll be happy to do that for you.

You are done! Fail2ban will never block you again.

Using fail2ban whitelist with a dynamic IP

If you have a dynamic IP, you can't use your IP address in the configuration, since that changes. Instead use a DNS name. Then the problem becomes using DNS to point to your IP, and making sure that changes when your IP changes.

Choose a DNS domain you have hosted at RimuHosting or zonomi.com. I'm going to use example.com as an example, but you need to use your own domain name. Think of a name for the computer you are working from (homepc, workpc, workstation, etc.) Put that together with your domain name to come up with your "fully qualified domain name", like e.g. workstation.example.com. This new name can't be the same as an existing website or email domain. If it is, choose a different name for your computer.  Put that in your VPS's jail.local or jail.conf file instead of an IP address, using the instructions above.  Your fail2ban jail configuration will end up with a line like:

ignoreip = 127.0.0.1/8 workstation.example.com

(but with workstation.example.com replaced with your own name)

Next, find your "API key" for your domain. You can find that at https://rimuhosting.com/dns/dyndns.jsp for RimuHosting, or at https://zonomi.com/app/dns/dyndns.jsp for zonomi.  It's a string of 32 random characters listed at the bottom of the DNS API Reference table, which you need in the next step.  I'm going to pretend my api key is 99999999999999999999999999999999.

Next, you load a program on your workstation that will actually update your IP address when it changes.  For a windows computer, you can use DDNS Updater.  (For a mac try IP Monitor, but setup is a little different for that.)

Now enter the following API link into the settings, under "IPv4 update URL".  For RimuHosting:

https://rimuhosting.com/dns/dyndns.jsp?action=SET&name=workstation.example.com&value=%IP%&type=A&api_key=99999999999999999999999999999999

For zonomi:

https://zonomi.com/app/dns/dyndns.jsp?action=SET&name=workstation.example.com&value=%IP%&type=A&api_key=99999999999999999999999999999999

Replace the bold items with your own values.

Save that, and you're good to go.  As long as DDNS updater is running on your computer, you will never get banned by fail2ban again.

Another way to deal with a dynamic IP address is to use a VPN.  VPNs can have other advantages such as securing all traffic to your VPS, but it's more complex to set up.  If you would like to explore the possibility of installing a VPN, or if you have other questions about using fail2ban on your VPS, don't hesitate to put in a support ticket.

This entry was posted in HOWTO, Rimuhosting, Security and tagged , , . Bookmark the permalink.

Leave a Reply