In this article you will learn how to install and configure fail2ban, a security tool that can help protecting your VPS/Server from brute force attacks.
Introduction
Securing your VPS/Server is very important. Each VPS/Server comes with an ssh server installed by default. Since most Linux servers run the ssh service, it is not surprising that attackers try to hack ssh servers more than others.
In our VPS/Server we not only have an ssh server but we might have a web server, a mail server and an ftp server as well. Analysing all of the logs can be difficult and time consuming.
However, Fail2ban
makes system administrators' lives a lot easier. Fail2ban
scans log files like /var/log/pwdfail
or /var/log/apache/error_log
and bans IP addresses that make too many failed password guesses. It updates the firewall rules
to reject
or drop
traffic from the attacking IP addresses.
Why Fail2ban
There are some other software packages that also analyze log files and ban offensive machines. However, Fail2ban
has the following features which make it more appealing:
- client/server
- multithreaded
- autodetection of the date/time format
- wildcard support in logpath option
- support for a lot of services (sshd, apache, qmail, proftpd, sasl, etc)
- support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)
Installation
I am using Ubuntu 8.10, however the installation steps will be similar for other Linux distros.
This command will install Fail2ban
under Ubuntu:
sudo apt-get install fail2ban
Now we need to modify its configuration files. They are under the /etc/fail2ban
.
Let's check jail.conf
. You will see the developer's warning about not modifying this file and rather putting our changes in /etc/fail2ban/jail.local
.
So let's copy the /etc/fail2ban/jail.conf
to the /etc/fail2ban/jail.local
and open the jail.local with your favorite text editor
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Configuration
If you look at the jail.local you will see lots of options. Here are their explanations:
enabled
Defines if a given section is enabled or not. Possible values are 'true'
or 'false'
.
filter
Name of the filter to be used by the jail to detect matches.
This name corresponds to a file name in /etc/fail2ban/filter.d
; without the ‘.conf' extension. For example: ‘filter = sshd' refers to /etc/fail2ban/filter.d/sshd.conf
.
action
This option tells fail2ban which action to take once a filter matches.
logpath
Path to the log file which is provided to the filter
ignoreip
If you set this option to some IPs then those IPs won't be banned no matter how many times a user fails to login from them
maxretry
Number of matches to trigger a ban action on an IP. For example, if this value were set to 6 for ssh, after 6 unsuccessful attempts, fail2ban would block the offensive machine's IP.
bantime
Duration (in seconds) for an IP to be banned for.
destmail
Use this option to set the email of the person who should receive alerts when an IP is banned
banaction
Use this option to instruct with action will be taken in order to ban an offending IP.
This name corresponds to a file name in /etc/fail2ban/action.d
; without the ‘.conf‘ extension. For example: action = iptables-allports
refers to /etc/fail2ban/action.d/iptables-allports.conf
.
Protocol
Sets the default protocol to ban, TCP or UDP
In the following example, we want fail2ban to ban offensive machines' IPs and send an e-mail with whois report and relevant log lines to our email address (demo@example.com).
We also would like to ban that IP for 5 minutes. We need to make the following changes to be able to have this feature with fail2ban:
[DEFAULT] bantime = 600 destemail = demo@example.com action = %(action_mwl)s [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5
We now need to restart fail2ban service.
sudo /etc/init.d/fail2ban restart
By default, only the ssh section is enabled in jail.conf
. This means fail2ban only analyzes /var/log/auth.log
and bans offensive IPs. If you have a web, mail, dns or ftp server, you can set the enabled value to true and activate fail2ban filter for those services.
Testing
Let's test our fail2ban. We have two machines: one of them is the offensive machine and other one is our VPS/Server.
Offensive machine's IP: 123.45.67.89
The VPS/Server's IP: 98.76.54.32
e-mail address: demo@example.com
I did 5 unsuccessful login attempts from the offensive machine.
First we check our e-mail to see if we get an e-mail from fail2ban
From fail2ban@ITSecurity Thu Jul 16 04:59:24 2009 Subject: [Fail2Ban] ssh: banned 123.45.67.89 Hi, The ip 123.45.67.89 has just been banned by Fail2Ban after 5 attempts against ssh. Here are more information about 123.45.67.89: {whois info} Lines containing IP:123.45.67.89 in /var/log/auth.log Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2 Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2 Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2 Jul 16 04:59:21 example.com sshd[10394]: reverse mapping checking getaddrinfo for 123.45.67.89.example.com [123.45.67.89] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2 Regards, Fail2Ban
Nice!
Let's look at the new iptables
iptables -L Chain fail2ban-ssh (1 references) target prot opt source destination DROP all -- 208-78-96-200.realinfosec.com anywhere
Fail2ban works perfectly!
Summary
Fail2ban is one of the best tools for securing our VPS/Server. In this article, we learned how to install and configure fail2ban for our needs. It can block attacks by banning offensive machines' IPs and email their whois information along with relevant log files. In other words, you can contact an attacker's ISP and file a complaint about them which will decrease the chance of future attacks from the same IP.
Author: Ismail @ SliceHost