How do I tell if my brute force protection (fail2ban) is running?

Question

I'm not sure if my fail2ban is running. How can I tell if it's currently running?

Also, how do I tell if it is even running on startup?

Answer 1

I would use fail2ban's client for the check because it not only tells you if the server is running but also which jails are enabled which is equally important information because if a particular jail is not enabled, fail2ban does not monitor and perform bans on it.

To check the service:

$ sudo fail2ban-client status

Answer 2

You should see information in /var/log/fail2ban.log if fail2ban has been started. You'll also see output related to fail2ban activity.

To see whether the process is currently running, use pgrep or ps :

$ pgrep fail2ban -fl
11189 fail2ban-server

<impressive_space_tag>

$ ps -efww | egrep fail2ban 
root 11189 2662  0 16:29 ? 00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

If you installed fail2ban via the package manager or software center, you should see entries in the /etc/rc* directories for fail2ban, which indicate (on default settings and without customization) that it will run on startup.

$ find /etc/rc* | grep fail2
/etc/rc0.d/K99fail2ban
/etc/rc1.d/K99fail2ban
/etc/rc2.d/S99fail2ban
/etc/rc3.d/S99fail2ban
/etc/rc4.d/S99fail2ban
/etc/rc5.d/S99fail2ban
/etc/rc6.d/K99fail2ban

Answer 3

You can use:

[romano@pern:~] % ps augx | grep fail2ban 
root      1374  0.0  0.2 265592  9956 ?        Sl   jul29   0:12 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

If you set up correctly a mail address where to send info, you'll receive a mail at startup and shutdown of the system, and one mail for any action (banning an ip, etc.)

There is interesting info in this blog.