How to upgrade Fail2Ban to support IPv6

Fail2Ban, the, as we Germans say, eggs laying, whool making, milk producing, female pig

Fail2Ban is one of the tools every web master has to have running on it’s machines to sort out the bad apples from the good one. Fail2Ban reads the servers log files and looks for certain login attempt patterns.

The downside was no support for IPv6

While it was taking very good care of login attempts from IPv4 addresses, every server accessible from a IPv6 was not secured by it. Luckily, this has been changed. In August this year, Fail2Ban released version 0.10.0 and added IPv6 support the very first time. Just some few days ago, on Thursday 12th 2017, version 0.10.1 was released and brought some more optimizations. Check out the change log on Github.

Well, since Fail2Ban has support for IPv6 and many servers running on Ubuntu or Debian, still having the old 0.9x version in their repositories, there is a large demand for admins to get Fail2Ban updated right away.

How to update Fail2Ban on Ubuntu / Debian

To update Fail2Ban you can simply run this commands. To make sure there is no conflict, we will first uninstall the current version, installed via Ubuntu / Debian repositories and autoremove python3-pyinotify to make sure there will not be a conflict afterwards. Then we will install python3-pyinotify again.

apt remove fail2ban -y && apt autoremove -y
apt install python3-pyinotify

In the next step we will download Fail2Ban from Github, unpack it, push it to /etc/ and install it with:

cd /tmp/
tar xvf 0.10.1.tar.gz
mv fail2ban-0.10.1/* /etc/fail2ban/
cd /etc/fail2ban/
python install

By now Fail2Ban is not yet running. And I am sure you want to have it auto start after a reboot. Therefore run the following commands:

cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
systemctl unmask fail2ban
service fail2ban start

Make a short check with:

fail2ban-client -h

and you should get the following output:

Usage: fail2ban-client [OPTIONS] 

Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

And that’s it. From now on you have the latest version of Fail2Ban on your server running which also brings support for IPv6.

Please take one or two moments to read the release logs for version 0.10.0. Fail2Ban has changed a lot of things and it could be possible, that some of your older filters will not work anymore and you will have to update them.

2 Replies to “How to upgrade Fail2Ban to support IPv6”

  • Many thanks for this guide. I did not realise/remember that this was a python utility, and thus by using “apt remove” I would not have to worry about update/upgrade messing with the manual install of send2fail.

Leave a Reply

Your email address will not be published. Required fields are marked *