Fail2ban secures your router to some external hackers, by watching for logged failed attempts & banning source IP addresses temporarily.

Created using info from:

# Install default python (2.5 at the moment)
ipkg install python

# Our wget cannot cope with HTTPS, so use python to directly download the latest release as of Sept 2013
cd /opt/share
python -c "import urllib;urllib.urlretrieve ('', 'fail2ban-0.8.10.tar.gz')"

# Unpack and move to intended destination without using fail2ban's - we're too non-standard an environemt
tar xvzf fail2ban-0.8.10.tar.gz
mv fail2ban-0.8.10 fail2ban
cd fail2ban

# Fixup all those references to /usr/bin/python
sed -i 's/\/usr\//\/opt\//' fail2ban-*

# Add a suitable bit of dropbear-watching to the system
cat >> config/jail.conf <<EOF
enabled = true
filter = dropbear
action = iptables[name=dropbear, port=2222, protocol=tcp]
logpath = /tmp/syslog.log
maxretry = 8

# Try running it
mkdir /var/run/fail2ban
./fail2ban-client -x -v -c config/ start

# You can later monitor status with:
/opt/share/fail2ban/fail2ban-client -x -v -c /opt/share/fail2ban/config/ status
tail -f /var/log/fail2ban.log

So far this works to ban dropbear's port 2222 (only) if it detects several failed log-ins. I've upped the maxretry to 8 to allow one complete manual attempt at ssh'ing to bail-out without banning straight away.

E.g. try a bad password from another PC with:

ssh -o PubkeyAuthentication=no
ssh -p 2222


  • Service script to start at startup
  • Look into behaviour of fail2ban when you clear the admin log via the web admin GUI (which deletes the /tmp/syslog.log file - annoying fail2ban)
  • See if fail2ban could monitor anything else:
    • OpenVPN seems quite grown up by itself already
    • Failed logins to the web admin GUI don't put anything into the syslog (grrr - bad boy ASUS!)
    • Look into samba logs
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License