Menu
in , , , ,

Fail2ban

In this article you will learn how to install and configure fail2ban, a security tool that can help protecting your VPS/Server from brute force attacks.


Introduction

Securing your VPS/Server is very important. Each VPS/Server comes with an ssh server installed by default. Since most Linux servers run the ssh service, it is not surprising that attackers try to hack ssh servers more than others.

In our VPS/Server we not only have an ssh server but we might have a web server, a mail server and an ftp server as well. Analysing all of the logs can be difficult and time consuming.

However, Fail2ban makes system administrators' lives a lot easier. Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many failed password guesses. It updates the firewall rules to reject or drop traffic from the attacking IP addresses.

Why Fail2ban

There are some other software packages that also analyze log files and ban offensive machines. However, Fail2ban has the following features which make it more appealing:

  1. client/server
  2. multithreaded
  3. autodetection of the date/time format
  4. wildcard support in logpath option
  5. support for a lot of services (sshd, apache, qmail, proftpd, sasl, etc)
  6. support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)

Installation

I am using Ubuntu 8.10, however the installation steps will be similar for other Linux distros.

This command will install Fail2ban under Ubuntu:

 sudo apt-get install fail2ban 

Now we need to modify its configuration files. They are under the /etc/fail2ban.

Let's check jail.conf. You will see the developer's warning about not modifying this file and rather putting our changes in /etc/fail2ban/jail.local.

So let's copy the /etc/fail2ban/jail.conf to the /etc/fail2ban/jail.local and open the jail.local with your favorite text editor

 sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 

Configuration

If you look at the jail.local you will see lots of options. Here are their explanations:

enabled

Defines if a given section is enabled or not. Possible values are 'true' or 'false'.

filter

Name of the filter to be used by the jail to detect matches.

This name corresponds to a file name in /etc/fail2ban/filter.d; without the ‘.conf' extension. For example: ‘filter = sshd' refers to /etc/fail2ban/filter.d/sshd.conf.

action

This option tells fail2ban which action to take once a filter matches.

logpath

Path to the log file which is provided to the filter

ignoreip

If you set this option to some IPs then those IPs won't be banned no matter how many times a user fails to login from them

maxretry

Number of matches to trigger a ban action on an IP. For example, if this value were set to 6 for ssh, after 6 unsuccessful attempts, fail2ban would block the offensive machine's IP.

bantime

Duration (in seconds) for an IP to be banned for.

destmail

Use this option to set the email of the person who should receive alerts when an IP is banned

banaction

Use this option to instruct with action will be taken in order to ban an offending IP.

This name corresponds to a file name in /etc/fail2ban/action.d; without the ‘.conf‘ extension. For example: action = iptables-allports refers to /etc/fail2ban/action.d/iptables-allports.conf.

Protocol

Sets the default protocol to ban, TCP or UDP

In the following example, we want fail2ban to ban offensive machines' IPs and send an e-mail with whois report and relevant log lines to our email address (demo@example.com).

We also would like to ban that IP for 5 minutes. We need to make the following changes to be able to have this feature with fail2ban:

[DEFAULT]

bantime  = 600
destemail = demo@example.com
action = %(action_mwl)s


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5

We now need to restart fail2ban service.

 sudo /etc/init.d/fail2ban restart 

By default, only the ssh section is enabled in jail.conf. This means fail2ban only analyzes /var/log/auth.log and bans offensive IPs. If you have a web, mail, dns or ftp server, you can set the enabled value to true and activate fail2ban filter for those services.

Testing

Let's test our fail2ban. We have two machines: one of them is the offensive machine and other one is our VPS/Server.

Offensive machine's IP: 123.45.67.89

The VPS/Server's IP: 98.76.54.32
e-mail address: demo@example.com

I did 5 unsuccessful login attempts from the offensive machine.

First we check our e-mail to see if we get an e-mail from fail2ban

From fail2ban@ITSecurity  Thu Jul 16 04:59:24 2009
Subject: [Fail2Ban] ssh: banned 123.45.67.89
Hi,

The ip 123.45.67.89 has just been banned by Fail2Ban after
5 attempts against ssh.


Here are more information about 123.45.67.89:

{whois info}

Lines containing IP:123.45.67.89 in /var/log/auth.log


Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:21 example.com sshd[10394]: reverse mapping checking getaddrinfo for 123.45.67.89.example.com [123.45.67.89] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2
Regards,

Fail2Ban

Nice!

Let's look at the new iptables

iptables -L 

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  208-78-96-200.realinfosec.com  anywhere

Fail2ban works perfectly!

Summary

Fail2ban is one of the best tools for securing our VPS/Server. In this article, we learned how to install and configure fail2ban for our needs. It can block attacks by banning offensive machines' IPs and email their whois information along with relevant log files. In other words, you can contact an attacker's ISP and file a complaint about them which will decrease the chance of future attacks from the same IP.

Author: Ismail @ SliceHost

Leave a Reply

Exit mobile version