Admin

Fail2ban

How Opterius uses Fail2ban to protect against brute-force attacks on SSH and the panel login, and how to manage bans.

Last updated 1775606400

Fail2ban watches log files and bans IP addresses that produce too many failed authentication attempts. Opterius installs and configures Fail2ban automatically during setup and adds a custom jail for panel login protection alongside the standard SSH jail.

Configured jails

Jail Watches Max retries Ban duration
sshd /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL) 5 failures 1 hour
opterius-auth /opt/opterius/storage/logs/laravel.log 5 failures 1 hour

The opterius-auth jail parses Laravel's authentication failure log entries. When an IP reaches 5 failed panel login attempts within the find-time window, Fail2ban bans the IP at the firewall level using UFW or firewalld depending on the OS.

Viewing and managing bans in the panel

Server Mode → SecurityBlocked IPs.

The list shows currently banned IPs, the jail that triggered the ban, and when the ban expires. From this view you can:

  • Manually ban an IP — enter the IP and select a duration. Useful for proactive blocking.
  • Unban an IP — removes the ban immediately, regardless of remaining ban time.

Manual management via fail2ban-client

For cases where you need to manage bans directly from the shell:

# List all active jails
fail2ban-client status

# View banned IPs in a specific jail
fail2ban-client status sshd
fail2ban-client status opterius-auth

# Unban an IP from a jail
fail2ban-client set sshd unbanip 198.51.100.42
fail2ban-client set opterius-auth unbanip 198.51.100.42

# Manually ban an IP in a jail
fail2ban-client set sshd banip 198.51.100.42

# Reload jail configuration after editing
fail2ban-client reload

Checking Fail2ban status

systemctl status fail2ban
journalctl -u fail2ban -n 50

Reviewing the opterius-auth jail configuration

The jail config is written by the installer to /etc/fail2ban/jail.d/opterius-auth.conf:

[opterius-auth]
enabled  = true
port     = 8443
filter   = opterius-auth
logpath  = /opt/opterius/storage/logs/laravel.log
maxretry = 5
bantime  = 3600
findtime = 600

The filter file at /etc/fail2ban/filter.d/opterius-auth.conf matches Laravel's authentication failure log format. If you customise the log format, update the filter regex to match.

If you lock yourself out

If your own IP is banned (for example, after a failed password attempt while your connection was unstable):

  1. Log in via your VPS provider's web console.
  2. Unban your IP:
fail2ban-client set opterius-auth unbanip YOUR.IP.ADDRESS
fail2ban-client set sshd unbanip YOUR.IP.ADDRESS
  1. Re-enable SSH access if the firewall also blocked you:
# UFW
ufw delete deny from YOUR.IP.ADDRESS

# firewalld
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="YOUR.IP.ADDRESS" drop'
firewall-cmd --reload

[!TIP] To prevent accidental self-lockout, whitelist your own IP in Fail2ban's ignore list by adding it to ignoreip in /etc/fail2ban/jail.local. This ensures Fail2ban never bans that IP regardless of failed attempts.

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR.STATIC.IP.ADDRESS
Previous
← Firewall Management
Next
Per-Account Isolation →