fail2ban integration CyberPanel v 2.4.3

1. **How to Install and Configure Fail2Ban on CyberPanel (AlmaLinux 8.10, CyberPanel 2.4.3)**
2.  
3. ---
4.  
5. ### ✅ Step 1: Install Fail2Ban
6.  
7. ```bash
8. dnf install epel-release -y
9. dnf install fail2ban -y
10. ```
11.  
12. ### ✅ Step 2: Enable and Start firewalld (Required for Banning)
13.  
14. ```bash
15. systemctl enable firewalld --now
16. firewall-cmd --state  # confirms firewalld is active
17. ```
18.  
19. ### ✅ Step 3: Enable and Start Fail2Ban
20.  
21. ```bash
22. systemctl enable fail2ban --now
23. ```
24.  
25. ### ✅ Step 4: Create `jail.local` for SSHD
26.  
27. Edit or create the jail configuration file:
28.  
29. ```bash
30. nano /etc/fail2ban/jail.local
31. ```
32.  
33. Paste the following:
34.  
35. ```ini
36. [DEFAULT]
37. banaction = firewallcmd-rich-rules
38. backend = systemd
39. ignoreip = 127.0.0.1/8 ::1
40. findtime = 600
41. bantime = 3600
42. maxretry = 5
43.  
44. [sshd]
45. enabled = true
46. port = ssh
47. filter = sshd
48. logpath = /var/log/secure
49. maxretry = 3
50. bantime = 600
51. findtime = 600
52. ```
53.  
54. Save with `CTRL+X`, then `Y`, then `Enter`.
55.  
56. ### ✅ Step 5: Test the Configuration
57.  
58. Check the status of Fail2Ban:
59.  
60. ```bash
61. systemctl status fail2ban
62. ```
63.  
64. List enabled jails:
65.  
66. ```bash
67. fail2ban-client status
68. ```
69.  
70. Check SSHD jail details:
71.  
72. ```bash
73. fail2ban-client status sshd
74. ```
75.  
76. ### ✅ Step 6: Test Banning Manually
77.  
78. ```bash
79. fail2ban-client set sshd banip 1.2.3.4
80. firewall-cmd --list-rich-rules
81. ```
82.  
83. ---
84.  
85. ### 🚨 Extra Tips: CyberPanel Integration
86.  
87. CyberPanel shows SSH attack logs visually, but you must rely on Fail2Ban to ban the IPs.
88.  
89. Verify the following:
90.  
91. * `/var/log/secure` contains SSH logs.
92. * SSHD filter works:
93.  
94. ```bash
95. fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
96. ```
97.  
98. ---
99.  
100. ## ✅ Import Previously Blocked IPs from CyberPanel Firewall to Fail2Ban
101.  
102. ### Create the Import Script
103.  
104. ```bash
105. nano /root/import-banned-ips.sh
106. ```
107.  
108. Paste this:
109.  
110. ```bash
111. #!/bin/bash
112.  
113. JAIL="sshd"
114.  
115. IPS=(
116. 125.91.106.241
117. 92.118.39.87
118. 116.103.227.168
119. 92.118.39.62
120. 89.110.87.132
121. 220.80.197.180
122. 86.54.25.130
123. 80.94.95.112
124. 80.94.95.15
125. 123.58.213.127
126. 213.139.72.208
127. 20.54.64.50
128. 36.108.171.28
129. 202.39.251.216
130. 116.193.190.8
131. 114.96.87.140
132. 118.122.147.195
133. 154.83.15.132
134. 220.205.122.62
135. 203.66.14.161
136. 103.215.80.141
137. 147.50.227.79
138. 35.210.61.208
139. 61.188.205.76
140. 101.47.72.59
141. 150.241.246.148
142. 92.55.83.15
143. 98.66.154.229
144. 193.151.149.140
145. 43.139.232.36
146. 62.210.97.97
147. 78.159.98.70
148. 209.38.23.83
149. 181.2.151.236
150. 211.219.22.213
151. 103.48.84.147
152. 177.220.176.63
153. 122.156.167.62
154. 107.148.176.145
155. 191.220.115.223
156. 193.32.162.157
157. 144.48.240.124
158. 116.98.175.44
159. 116.105.214.33
160. 43.156.115.5
161. 14.225.220.107
162. 92.205.21.23
163. 120.48.162.75
164. 45.148.10.240
165. 50.84.211.204
166. 120.28.197.159
167. 172.245.11.43
168. 69.49.247.178
169. 103.82.240.194
170. 221.229.218.50
171. 207.167.66.226
172. 218.51.148.194
173. 14.103.161.184
174. 103.59.94.155
175. 45.116.77.25
176. 103.215.81.209
177. 92.118.39.92
178. 185.93.89.118
179. 192.227.247.40
180. 27.119.7.6
181. 103.189.235.176
182. 158.51.124.56
183. 41.58.186.130
184. 147.50.103.212
185. 14.103.243.87
186. 124.44.117.106
187. 103.56.115.23
188. 190.111.211.81
189. 202.157.176.210
190. 64.235.33.145
191. 4.154.223.182
192. 195.178.110.125
193. 111.180.199.183
194. 185.155.62.232
195. 14.103.118.106
196. 45.159.221.129
197. 101.89.182.189
198. 186.96.166.237
199. 14.63.196.175
200. 111.173.104.178
201. 14.103.90.30
202. 92.118.39.71
203. 124.164.237.56
204. 103.120.227.88
205. 119.246.15.94
206. 119.28.86.241
207. 14.103.170.169
208. 47.81.8.111
209. 139.150.83.88
210. 27.254.235.13
211. 172.208.24.217
212. 39.109.104.252
213. 1.202.223.2
214. 103.187.147.35
215. 123.253.162.254
216. )
217.  
218. for ip in "${IPS[@]}"; do
219.     echo "banning $ip in jail $JAIL"
220.     fail2ban-client set "$JAIL" banip "$ip"
221. done
222. ```
223.  
224. Make it executable:
225.  
226. ```bash
227. chmod +x /root/import-banned-ips.sh
228. ```
229.  
230. Run it:
231.  
232. ```bash
233. /root/import-banned-ips.sh
234. ```
235.  
236. ### ✅ Verify Bans Were Imported
237.  
238. ```bash
239. fail2ban-client status sshd
240. ```
241.  
242. You should see something like:
243.  
244. ```
245. |- Currently banned: 92
246. `- Banned IP list: 125.91.106.241 92.118.39.87 ...
247. ```
248.  
249. ### ♻ Optional: Clean Up Old Manual Rules from firewalld
250.  
251. ```bash
252. for ip in "${IPS[@]}"; do
253.     firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=$ip drop"
254. done
255. firewall-cmd --reload
256. ```
257.  
258. ---
259.  
260. ## ✅ Final Checklist: Ensure Auto-Banning is Working
261.  
262. 1. **Fail2Ban is Running**
263.  
264. ```bash
265. systemctl status fail2ban
266. ```
267.  
268. Should say `active (running)`.
269.  
270. 2. **SSHD Jail is Enabled**
271.  
272. ```bash
273. fail2ban-client status
274. ```
275.  
276. You should see `sshd` listed.
277.  
278. 3. **Correct Log Path**
279.    Make sure you're using:
280.  
281. ```ini
282. logpath = /var/log/secure
283. ```
284.  
285. 4. **Valid Ban Action**
286.  
287. ```ini
288. banaction = firewallcmd-rich-rules
289. ```
290.  
291. Or:
292.  
293. ```ini
294. banaction = firewallcmd-ipset
295. ```
296.  
297. 5. **Filter Is Matching**
298.   Run:
299.  
300. ```bash
301. fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
302. ```
303.  
304. This should show matched log lines.
305.  
306. Once all of the above is set, new attackers are automatically detected and banned by Fail2Ban with no manual work required!
307.