Installing And Using Fail2Ban

Fail2Ban is a firewall application that looks at your log files all the time, if it sees something in the logs that triggers a rule you set (called jails) such as X failed ssh login attempts, it will ban the offending ip for X seconds

Installing Fail2Ban

sudo apt-get install fail2ban

Configure Fail2Ban

Copy the example configuration over

cd /etc/fail2ban
sudo cp jail.conf jail.local

Open the configuration file for editing

sudo gedit jail.local

Modify The Default Settings

In the default section of the configuration file you will find the following entries. Make sure your ignoreip setting is set as below to make sure fail2ban bypasses any log file entries that come from the server itself.

The bantime and maxretry entries are generic settings for setting how long fail2ban will block the offending ip address and how many times an entry has to show up in a log file before a banning action is taken. These settings will be the default bantime and maxretry settings for all jails but can be overridden in each jail configuration.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 3

Getting Email Notifications Of Banned IP's

You need to have sendmail or another mail transfer agent installed in order for this function to work....installing and configuring that is out of the scope of this how to.

In the configuration file look for the line below and change the email address to your email address.

destemail = your_email@domain.com

Then look for the following line

action = %(action_)s

and change it to

action = %(action_mw)s

This will send an email to you every time fail2ban bans an ipaddress. It will also include whois information for the ip address.

Jail Configuration

Jails are the rules which fail2ban uses to analyze logs and then take action on. Some of the sections below may be included in your configuration file. If they are feel free to modify them like below, if the following don't exist you can copy and paste the following to protect each given service. If you don't run the service there's no need to add the jail. Each jail section is pretty much the same:

[NAME_OF_SERVICE]

enabled = true                [[ TO TURN ON THE JAIL ]]
port    = ssh                 [[ THE PORT TO LISTEN ON, IF NOT DEFAULT PORT SPECIFY THE NUMERIC PORT HERE ]]
filter  = sshd                [[ NAME OF THE FILTER ]]
logpath  = /var/log/auth.log  [[ LOG FILE FAIL2BAN LOOKS AT TO CHECK FOR JAIL ]]
maxretry = 3                  [[ IT TAKES 3 ENTRIES IN THE LOG FILE FOR AN OFFENDING IP TO GET BLOCKED ]]

Below are some jails that come with Fail2Ban by default and help protect them. Feel free to tweak them as your site needs/allows

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3


[ssh-ddos]

enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3


[apache]

enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6


[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6


[apache-noscript]

enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6


[apache-overflows]

enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2


[apache-badbots]
enabled = true
port = http
filter = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 6


[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

Start Fail2Ban Service

Once done, restart fail2ban to put your settings into effect

sudo /etc/init.d/fail2ban restart

Testing Installation

To test fail2ban, look at iptable rules

sudo iptables -L

Attempt to trigger a service that fail2ban is monitoring (from another machine as any local traffic fail2ban will not be analyzed)....such as log into ssh 3 times and put in a wrong password....then look at the iptable rules again to see if your ip address is blocked

Add Custom Filters

If you wish to tweak or add log filters, you can add them in: /etc/fail2ban/filter.d

There are lots of third party scripts out there that you can get and add onto your installtion for things like oracle / postgres / sendmail / etc etc etc

Just remember to add them to your jail's as well and restart the fail2ban service in order to activate them

Menu