Suricata and fail2ban

In case you want to ban IP addresses based on Suricata fast.log, here is the filter you need:

before = common.conf

_daemon = suricata

datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S
failregex = <HOST>:[0-9]* ->
ignoreregex =

In the jail configuration, I suggest you change the default blocktype from REJECT to DROP.

Edit 2023-03-24: you may want to use the action iptables-ipset-proto6-allports which leverages ipset. It will make your iptables rules much more readable and according to some sources, faster. Just edit your jail.conf and replace the default banaction_allports entry with iptables-ipset-proto6-allports , or explicitly mention iptables-ipset-proto6-allports in the jail configuration of suricata, like so:

enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = iptables-ipset-proto6-allports

If you want to match input and forwarding traffic, you can have multiple actions. However, you need to name them differently like so:

enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = %(banaction_allports)s[actname="suricata_i", chain="INPUT"]
         %(banaction_allports)s[actname="suricata_f", chain="FORWARD"]

Edit 2023-03-24: initial text, I prefer using ipset to the following.

You should also create a custom action to apply to all protocols and ports:

before = iptables-common.conf

actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -j f2b-<name>

actionstop = <iptables> -D <chain> -j f2b-<name>
             <iptables> -X f2b-<name>

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>


You should now be all set to block all the IP addresses that Suricata finds.


This entry was posted in Computer, Linux, Networking, Security, Ubuntu. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.