How will iptables rules work against fail2ban rules? Who will have priority over?
How do I add fail2ban rules to iptables?
Looking at the information of the iptables table, we can see that all IPs that are not 80.234.40.124 will be DROPped. In fact, this will prevent brute-force password attacks on the VPS. The question is, does it make sense to use fail2ban in this case?
f2b uses its own chains per filter, e.g. f2b-sshd. When f2b restarts, its chains are flushed and the currently saved ips (if any) from the DB (default sqlite) are re-added to the chains. Other self-written rules are not affected. But: If you call iptables -F by your own, you flush all chains and you have to restart the f2b service, if it already had data in its DB. And: f2b only creates its chains when it has found an ip to be blocked for the first time, see e.g. /etc/fail2ban/action.d/iptables-multiport.conf.
f2b reads log files and looks for specific entries, like
f2b does that by itself, see above. f2b is a service that uses iptables to ban ips.
f2b won't have much to do as it won't find any failed login attempts in e.g. auth.log, except for your socks server. You can test it by trying a wrong pwd N times (assuming that you don't use an ssh key). But be careful not to lock out yourself, so you should have a second terminal open in parallel from where you can unban its ip.
As mentioned before, a static management ip is always beneficial. f2b is particularly useful for services (not just ssh) that are accessible from anywhere, cause it mainly acts against bots. It also has the option of sending reports to Blocklist.
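As an added illustration of the chain layout described above (not code from any answer in this thread, and nothing here changes firewall state): the script below parses the text of `iptables -S` and reports which `f2b-*` chains exist, whether each is still reachable from INPUT, and which addresses it bans. The rule dump is a constructed sample; a chain that exists but has no rules left, as `f2b-socks` does here, is what you are left with after an `iptables -F` that deleted f2b's rules but not its chains.

```python
"""Inspect an `iptables -S` dump for fail2ban (f2b) jail chains.

Added example, not part of the thread. Feed it the output of
`iptables -S` (a constructed sample is embedded below) and it tells you
which f2b-* chains exist, whether INPUT still jumps to them, and which
source addresses they currently ban.
"""
from dataclasses import dataclass, field

# Constructed sample of `iptables -S` output: DROP policy, a management-IP
# allow rule, an sshd jail chain with one ban, and a socks jail chain whose
# rules are gone (the state after `iptables -F` without a f2b reload).
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-N f2b-socks
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -s 80.234.40.124/32 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""


@dataclass
class Chain:
    name: str
    hooked_from_input: bool = False   # does an INPUT rule jump to this chain?
    banned: list = field(default_factory=list)  # source addresses with a drop/reject rule


def parse_f2b_chains(rules_text: str) -> dict:
    """Return {chain_name: Chain} for every chain whose name starts with 'f2b-'."""
    chains = {}
    for line in rules_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-N" and tokens[1].startswith("f2b-"):
            # '-N f2b-sshd': the chain object itself (survives `iptables -F`)
            chains.setdefault(tokens[1], Chain(tokens[1]))
        elif tokens[0] == "-A" and "-j" in tokens:
            target = tokens[tokens.index("-j") + 1]
            if tokens[1] == "INPUT" and target.startswith("f2b-"):
                # '-A INPUT ... -j f2b-sshd': traffic actually reaches the jail chain
                chains.setdefault(target, Chain(target)).hooked_from_input = True
            elif tokens[1].startswith("f2b-") and "-s" in tokens:
                # '-A f2b-sshd -s 203.0.113.7/32 -j REJECT ...': one banned address
                src = tokens[tokens.index("-s") + 1].split("/")[0]
                chains.setdefault(tokens[1], Chain(tokens[1])).banned.append(src)
    return chains


def stale_chains(rules_text: str) -> list:
    """Names of f2b chains that exist but are no longer jumped to from INPUT.

    Seeing one of these is the cue to run `fail2ban-client reload <jail>`.
    """
    return sorted(c.name for c in parse_f2b_chains(rules_text).values()
                  if not c.hooked_from_input)


if __name__ == "__main__":
    for chain in parse_f2b_chains(SAMPLE_RULES).values():
        state = "hooked into INPUT" if chain.hooked_from_input else "NOT hooked (stale)"
        print(f"{chain.name}: {state}, bans={chain.banned}")
```

On a live system, replace the constant with `subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout` (run as root); the parser only understands the `-S` save format, not the column layout of `iptables -L`.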
If I do not set rules for iptables and only set the rules for fail2ban, then when I run the command iptables -L, I can see the rules of fail2ban in iptables.
But if I set the rules for iptables first and then set the rules for fail2ban, when I run the command iptables -L I only see the iptables rules, not the rules of fail2ban.
As I recall, fail2ban will add a rule to iptables AFTER it detects an anomaly, based on the way fail2ban1 is configured.
Frankly speaking, I'm not understanding where this line of questioning is leading.
What is the "doubt" or "concern" on using a tool (fail2ban) which is used by "uncountable" sys admins, is very mature and very completely documented?
I have used fail2ban on a number of servers for as long as I can remember, and it's never been a problem. It's just one of many tools available to sys admins to help secure their systems.
I am not very clear what your question is. As stated, f2b creates a chain per jail and thus a first ipt rule only after it has discovered an ip to be blocked for the first time (default: 5 log entries). If it has not yet discovered an ip for a jail like sshd, there is still no chain f2b-sshd.
And as said, you don't need to set ipt rules for f2b yourself, it is done by f2b. And with an iptables -F you not only delete your own rules, but also those of f2b (but not its chains, that needs iptables -X). But then f2b no longer knows which of its rules are active, so you should call fail2ban-client reload sshd afterwards. Also note the settings of findtime and bantime.
Some useful commands are:
# show config
$ fail2ban-client --dp
# show status of a jail
$ fail2ban-client status sshd
# unban an ip from all jails
$ fail2ban-client unban ip 1.2.3.42
# show matched log entries
$ fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# show stored bans
$ echo "select data from bans" | sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 | jq .
# show commands & options
$ fail2ban-client | less
And iptables -vnL also prints the number of packets & bytes matched per rule, showing ips & ports in numeric format.
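To make the findtime / bantime remark above concrete, here is an added example (not fail2ban's code, and not from any answer in this thread) that replays constructed auth.log lines through the counting rule f2b applies: an address is banned once it produces maxretry failures (default 5) inside a findtime window, and stays banned for bantime. It also prints the iptables commands an action in the style of iptables-multiport.conf would issue, as strings only; the exact commands in your action file may differ, so treat those as an assumption to check against your own /etc/fail2ban/action.d.

```python
"""Replay sshd log lines through fail2ban's maxretry / findtime / bantime rule.

Added example, not fail2ban's own implementation. It parses constructed
auth.log lines with a simplified version of the sshd failregex, keeps a
per-address sliding window of failures, and records a ban when the window
holds maxretry entries. Nothing here touches the firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified shape of the sshd "Failed password" failregex (assumption: real
# filter.d/sshd.conf matches more variants than this).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)
LOG_YEAR = 2024  # classic syslog timestamps carry no year; assumed for parsing

# Constructed sample: one address hammering root, one legitimate key login,
# and one address failing only every 15 minutes (outside the default findtime).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 12:00:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 12:00:07 vps sshd[1205]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 12:00:10 vps sshd[1207]: Accepted publickey for deploy from 80.234.40.124 port 51000 ssh2
Jan 10 12:00:11 vps sshd[1209]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 12:00:15 vps sshd[1211]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 10 12:00:18 vps sshd[1213]: Failed password for root from 203.0.113.7 port 40006 ssh2
Jan 10 12:05:00 vps sshd[1301]: Failed password for alice from 198.51.100.9 port 52000 ssh2
Jan 10 12:20:00 vps sshd[1303]: Failed password for alice from 198.51.100.9 port 52001 ssh2
Jan 10 12:35:00 vps sshd[1305]: Failed password for alice from 198.51.100.9 port 52002 ssh2
"""


def parse_failure(line):
    """Return (timestamp, ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def evaluate(lines, maxretry=5, findtime=600, bantime=3600):
    """Replay lines in order; return a list of (ip, banned_at, expires_at)."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned_until = {}             # ip -> expiry of its current ban
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: f2b does not ban the same ip twice
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            expires = ts + timedelta(seconds=bantime)
            banned_until[ip] = expires
            bans.append((ip, ts, expires))
            q.clear()  # counting restarts after the ban expires
    return bans


def firewall_commands(bans, jail="sshd", port=22):
    """Commands an iptables-multiport style action would run (strings only).

    Assumption: modelled on the actionstart/actionban shape of that action;
    check your own action.d file for the exact form.
    """
    cmds = []
    if bans:  # the jail chain is only created on the first ban
        cmds += [f"iptables -N f2b-{jail}",
                 f"iptables -A f2b-{jail} -j RETURN",
                 f"iptables -I INPUT -p tcp -m multiport --dports {port} -j f2b-{jail}"]
    for ip, _, _ in bans:
        cmds.append(f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable")
    return cmds


if __name__ == "__main__":
    bans = evaluate(SAMPLE_AUTH_LOG.splitlines())
    for ip, at, until in bans:
        print(f"ban {ip} at {at} until {until}")
    print("\n".join(firewall_commands(bans)))
```

With the defaults, 203.0.113.7 is banned at its fifth failure and 198.51.100.9 never is, because its failures are 15 minutes apart; rerun `evaluate` with `findtime=3600, maxretry=3` and the second address is banned too, which is the trade-off the findtime setting controls.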
ChatGPT 4o (Skippy the Magnificent from EF Sci-Fi Series) Replies:
Straight answer, Captain:
Fail2ban vs sshguard: key differences

| Feature | Fail2ban | sshguard |
| --- | --- | --- |
| Complexity | More complex, highly configurable | Lightweight, minimal configuration |
| Scope | Works with any log file (Apache, sshd, etc.) | Primarily focused on SSH and syslog-based daemons |
| Backend | Uses regex filters + iptables/nftables | Uses C binary for parsing logs, very fast |
| Dependencies | Python, optional firewalld/iptables/nftables | Minimal, written in C |
| Flexibility | High: create your own jails easily | Low: works mostly out-of-the-box for SSH |
| Ban mechanism | Manual rules via regex + actions | Automatic parsing + firewall drop |
| Persistence | Tracks bans over restarts (if configured) | Loses bans on restart unless persisted manually |
| Performance | Slightly heavier with large rulesets | Faster startup, smaller memory footprint |
| Integration | Works with firewalld, iptables, nftables | Mostly iptables or PF (BSD) |
| Logging | Very verbose, detailed jail logs | Less verbose, simpler output |
Bottom Line:
Use fail2ban when you want fine-grained control, multiple jails (Apache, sshd, etc.), custom regex, email alerts, integration with different firewalls.
Use sshguard if you want lightweight, set-it-and-forget-it SSH protection with minimal configuration and fast performance.
If you're running a lean server and only care about SSH brute-force blocks, sshguard is efficient and solid. If you're defending a broader attack surface (Apache, FTP, custom apps), fail2ban is the better tactical choice.