How to ban visitors from a specific country by geolocation in Fail2ban

In this article, will show how to ban visitors from a specific country using Fail2ban and geoip. It is assumed that Fail2ban is already installed and configured in your server.

Lets install first the geoip:

  
yum install geoip
  

Create Fail2ban action script:

  
vi /etc/fail2ban/action.d/geohostsdeny.conf
  

Copy the following script:

  
[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights. 
#          Excludes PH|Philippines from banning.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = IP=<ip> &&
            geoiplookup $IP | egrep "<country_list>" || 
            (printf %%b "<daemon_list>: $IP\n" >> <file>)

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>

[Init]

# Option:  country_list
# Notes.:  List of banned countries separated by pipe "|"
# Values:  STR  Default:  
#
country_list = PH|Philippines

# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.deny

# Option:  daemon_list
# Notes:   The list of services that this action will deny. See the man page
#          for hosts.deny/hosts_access. Default is all services.
# Values:  STR  Default: ALL
daemon_list = ALL
  

The script above will ban the visitors from Philippines which defined in "country_list".

To enable our action script in Fail2Ban:

  
vi /etc/fail2ban/jail.local
  

... and add the following line in your jail.local file:

  
banaction = geohostsdeny
  

Restart Fail2Ban:

  
systemctl restart fail2ban
  

For the opposite (which is to exempt), please check the article here.

Comments

Hi, thanks for sharing this info, may you tell me what kind of script is that used in action ? looks like bash, theres no much info about scripting fail2ban in internet.

thanks

You say "the script above will ban the visitors from Philippines" . do you not mean, "the script above will not ban the visitors from Philippines"

Could you advise which one...

This only works as soon as one of my active jails is triggered, or am I doing something wrong?

Do I have to setup a jail that will do it, and how?

Both scripts are the same and what concerns me is when I add a country following your instructions my traffic graph increase. When I remover the countries I want to ban then it goes back down?

banaction = geohostsdeny in jail.local

should say actionban = geohostsdeny

When I changed this in jail.local the country ban worked.

It is "banaction" that works for me. Anyway, if "actionban" that worked for you then use "actionban" instead of "banaction". Please do some testing like checking your hosts.deny file if the country of IP addresses listed there are in your ban list.

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.