Add system service fail2ban
Closed, InvalidPublicFEATURE REQUEST


Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Just install fail2ban debian package and provide configuration node.

Usefull for cloud based VyOS instances.


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close
This request is:
Service Request
c-po created this task.Sep 2 2017, 5:22 PM
c-po updated the task description. (Show Details)
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po moved this task from Need Triage to In Progress on the VyOS 1.2.x board.Sep 3 2017, 9:51 AM
c-po closed this task as Resolved.Sep 3 2017, 10:04 AM
c-po triaged this task as Normal priority.
c-po reopened this task as In progress.
c-po assigned this task to syncer.Sep 7 2017, 12:21 PM
syncer reassigned this task from syncer to UnicronNL.Sep 7 2017, 12:24 PM

Kim, can you merge this into current

What to so with this task, requests were closed.

c-po added a comment.Nov 18 2017, 8:06 AM

Closed b/c I wanted to rewrite it using vyos-1x command package.

c-po closed this task as Invalid.Feb 8 2018, 8:05 PM

Proper firewalling will be better...

straight firewalling won't help if the logon attempts still come from a presumably trusted LAN. I like the idea of at least a temporary lockout to prevent mass attempts when someone is running a big password list, though the utility of this naturally drops if VyOS can be fingerprinted before the attempt and the instance runs with a default password, but that's a sysadmin problem.