Fail2ban


Introduction

In this article you will learn how to install and configure fail2ban, a security tool that defends against brute force attacks.

Before any attackers can compromise a system they have to find a way in. They might take a brute force approach, trying to get in through your ssh server by guessing at a username and password. Or they could test a web server, or mail server, or database server, or other application for a vulnerability they can exploit.

Those repeated efforts leave a trail in the log files of the services those would-be intruders probe. Analyzing all of those logs can be difficult and time-consuming, and you can't be watching them every minute of every day.

Fortunately fail2ban can make your life a lot easier. Fail2ban scans log files like /var/log/secure or /var/log/apache/error_log and bans IP addresses that make too many failed login attempts or bad server requests. It works by updating the firewall rules to reject or drop traffic from attacking IP addresses.

Why fail2ban

There are other software packages that also analyze log files and ban offending machines. However, fail2ban has several appealing features.

  • client/server
  • multithreaded
  • autodetection of the date/time format
  • wildcard support in the logpath option
  • support for a variety of services (sshd, apache, qmail, proftpd, sasl, etc.)
  • support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc.)

In short, fail2ban is versatile and easy to set up.

Installation

First, ensure that the EPEL repository is installed and enabled.

You can then install fail2ban through the package manager for most distributions.

This command will install fail2ban under Ubuntu or Debian:

sudo aptitude install fail2ban

On Red Hat-based systems like CentOS or Fedora you'll use yum:

sudo yum install fail2ban

Once fail2ban is installed we need to modify its configuration files. They are in the directory /etc/fail2ban.

If you look in jail.conf you will see a developer's warning about not modifying that file, advising you to put any changes in a file named jail.local. With that in mind, let's copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now you can set up that jail.local config file for your environment by enabling and modifying existing blocks or adding new ones for other services.

Defaults

By default only the ssh section is enabled in fail2ban's jail.conf. That means fail2ban only analyzes the ssh connection log for failed logins.

To monitor another service, like a web, mail, DNS or FTP server, set the appropriate config block's enabled value to true to activate the fail2ban filter for that service.

You can modify much of the default behavior of fail2ban in the first config block, the one labeled [DEFAULT]. You can override a default setting by giving it a different value inside a service's config block.

To make any changes take effect you'll need to restart the fail2ban service. On most systems the command is:

sudo service fail2ban restart

Watching ssh

Let's look at directives that tell fail2ban to watch the ssh connection log and set a 5-minute ban on the IP addresses of machines that fail too many login attempts. When this happens it will send an email containing the whois information of the offending machine.

Note: If you don't have a mail server on your machine fail2ban cannot send emails. You can set up a mail server on your machine to send mail directly or relay it through a service like Mailgun.

We can configure ssh monitoring with a very short jail.conf file:

[DEFAULT]
 
bantime  = 600
findtime = 600
 
[ssh-iptables]
 
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=demo@example.com]
logpath  = /var/log/secure
maxretry = 5

We'll look at the meaning of all the directives shortly. The above configuration would tell fail2ban to watch /var/log/secure for ssh login attempts (on Ubuntu/Debian the log to watch would be /var/log/auth.log). If a machine logs more than 5 attempts in a 5-minute period it will be banned for 5 minutes, and fail2ban will send an email to demo@example.com.
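To make the interplay of maxretry, findtime and bantime concrete, here is an added example (not part of the original article and not fail2ban's own code): a small Python replay of the jail above over a constructed /var/log/secure sample. The regex is a simplified stand-in for the sshd filter, the year (syslog lines carry none) and the slow attacker's address 10.0.0.5 are assumed, and ignoreip is honored with CIDR matching.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for the "Failed password" rule of fail2ban's sshd filter
# (hypothetical; not the shipped filter.d/sshd.conf).
FAILED_RE = re.compile(r"Failed password for .+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample log: five slow failures from 10.0.0.5 spaced three minutes apart
# (never five inside one 600 s window), then five quick ones from 123.45.67.89.
SAMPLE_LOG = """\
Jul 16 04:30:00 example.com sshd[10301]: Failed password for admin from 10.0.0.5 port 51000 ssh2
Jul 16 04:33:00 example.com sshd[10302]: Failed password for admin from 10.0.0.5 port 51001 ssh2
Jul 16 04:36:00 example.com sshd[10303]: Failed password for admin from 10.0.0.5 port 51002 ssh2
Jul 16 04:39:00 example.com sshd[10304]: Failed password for admin from 10.0.0.5 port 51003 ssh2
Jul 16 04:42:00 example.com sshd[10305]: Failed password for admin from 10.0.0.5 port 51004 ssh2
Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:21 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2
Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2
"""

def parse_ts(line, year=2009):
    # syslog timestamps carry no year, so one is assumed
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def is_ignored(ip, ignoreip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def simulate_jail(log_text, maxretry=5, findtime=600, bantime=600, ignoreip=("127.0.0.1/8",)):
    """Replay the log with fail2ban's semantics; return {ip: ban expiry as ISO string}."""
    window = timedelta(seconds=findtime)
    recent, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m or is_ignored(m["host"], ignoreip):
            continue
        ip, ts = m["host"], parse_ts(line)
        if ip in bans and ts < bans[ip]:
            continue  # traffic is already dropped by the firewall rule
        # keep only failures inside the findtime window, then add this one
        recent[ip] = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []
    return {ip: exp.isoformat() for ip, exp in bans.items()}

if __name__ == "__main__":
    print(simulate_jail(SAMPLE_LOG))
```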

Testing

Let's test fail2ban to make sure it behaves the way we want it to. We'll do that by failing a few ssh logins.

We'll use two machines: The server we want to protect and another machine to act as the attacker.

  • Attacking machine's IP: 123.45.67.89
  • The server's IP: 98.76.54.32

To run the test, simply get on the attacking machine and try to ssh to your server five times. For example:

ssh fakeuser@98.76.54.32

On the sixth try (assuming maxretry is set to 5 for ssh) your connection should time out.

If you have fail2ban set to send you email check to see if you got a message like this one:

From fail2ban@ITSecurity  Thu Jul 16 04:59:24 2009
Subject: [Fail2Ban] ssh: banned 123.45.67.89
Hi,
 
The ip 123.45.67.89 has just been banned by Fail2Ban after
5 attempts against ssh.
 
Here are more information about 123.45.67.89:
 
{whois info}
 
Lines containing IP:123.45.67.89 in /var/log/auth.log
 
Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:21 example.com sshd[10394]: reverse mapping checking getaddrinfo for 123.45.67.89.example.com [123.45.67.89] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2
Regards,
 
Fail2Ban

Nice!

Let's look at the new iptables entry:

iptables -L 
 
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  208-78-96-200.realinfosec.com  anywhere

Fail2ban works!

Configuration

There are a lot of options in the jail.local file. Here are brief descriptions for some of them.

bantime

Duration (in seconds) of a ban for an IP address.

banaction

Use this option to describe how fail2ban will ban an offending IP address. This name corresponds to a file name in '/etc/fail2ban/action.d' without the '.conf' extension. For example: 'banaction = iptables-allports' refers to '/etc/fail2ban/action.d/iptables-allports.conf'.

ignoreip

If you set this option to an IP address (usually localhost, 127.0.0.1), that address won't be banned no matter how many times a user fails to log in from it.

action

This option tells fail2ban which action to take when a filter finds a match.

destmail

Use this option to set the email of the person who should receive alerts when an IP address is banned.

protocol

Sets the default protocol to monitor, TCP or UDP.

filter

Name of a filter to be used by the jail to detect matches.

This name corresponds to a file name in '/etc/fail2ban/filter.d' without the '.conf' extension. For example: 'filter = sshd' refers to '/etc/fail2ban/filter.d/sshd.conf'.

enabled

Defines whether or not a given section is enabled. Possible values are true or false.

logpath

Path to the log file a filter will monitor.

port

The port a service is listening to. If you have ssh running on a non-standard port, set this value in the service's config block.

maxretry

Number of matches that trigger a ban action on an IP address. If this value is set to 6, then after 6 filter matches (for example, failed ssh logins) fail2ban will block the offending machine's IP address.

Summary

Fail2ban is an extremely useful tool for securing a server. It can block attacks by banning offending machines' IP addresses, then email you their whois information and the relevant log lines. That means you can contact an attacker's ISP and file a complaint about them, reducing the chance of future attacks from the same address.

Be sure to set up config entries for any new services you install on your server and fail2ban will go a long way toward preventing system intrusions.

Ismail







© 2014 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

