
How to install and configure fail2ban

Reducing your attack surface is ideal, but where you have to expose services to the wild you should at least reduce the effectiveness of attacks against them. This is where Fail2Ban comes in handy: it continuously reads the log files you specify in its configuration, looking for repeated username/password failures, and when it detects them it blocks the source IP for a set amount of time.

A blurb from the Fail2Ban wiki site:
Fail2Ban scans log files and bans IPs showing the malicious signs of too many password failures. Generally Fail2Ban updates firewall rules to reject the IP address for a specified amount of time, although any other actions can be triggered such as sending an email. Fail2Ban comes with filters for various services such as Apache, SSH, FTP etc.

Installation

Requirements: Python > 2.3

Source

  1. Log into the server
  2. su - root
  3. wget the source file
  4. tar xvf *.tar.gz

Debian

  1. Log into the server
  2. su - root
  3. apt-get update
  4. apt-get install fail2ban

Configuration

Configuration files will be located at /etc/fail2ban.

/etc/fail2ban/jail.conf

The [DEFAULT] section sets options globally; any of them can be overridden later in an individual jail.

ignoreip = (127.0.0.1 is listed by default for the local loopback; I would suggest adding the other local network addresses you connect from, and any outside addresses you trust, so that you cannot lock yourself out)

maxretry = (5 by default; the maximum number of failed login attempts before a host is blocked by fail2ban)

bantime = (600 by default, measured in seconds; how long a host stays blocked once fail2ban has caught it)

Service configurations

Fail2ban can be configured on many different services; an example enabled by default in jail.conf is ssh:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
action = iptables

  • enabled: true/false – enables or disables checking of the ssh logs
  • port: service port – a name or number, as referenced in /etc/services
  • filter: – name of the filter the jail uses to detect matches. This corresponds to a file name in /etc/fail2ban/filter.d, without the “.conf” extension.
  • logpath: – the log file that fail2ban checks for failed login attempts
  • action: – tells fail2ban which action to take once the filter matches. This corresponds to a file name in /etc/fail2ban/action.d, without the “.conf” extension.

Filters

The directory for filters is located in /etc/fail2ban/filter.d
Filters contain the regular expressions used to detect break-in attempts and password failures in the logs of the different services.

Actions

The directory for actions is located in /etc/fail2ban/action.d
Actions are scripts defining what to do when a break-in attempt is detected. Multiple actions can be defined by adding additional “action” lines.

Example:

action = iptables
action = sendmail

Service Control

Once everything is configured, you can stop and start the Fail2Ban daemon. The leading “#” is the root prompt and is not part of the command!

# /etc/init.d/fail2ban stop
# /etc/init.d/fail2ban start

You can also check the status of the service

# /etc/init.d/fail2ban status
“Status of authentication failure monitor:fail2ban is running”

You can restart the service instead of executing the stop and start command

# /etc/init.d/fail2ban restart

If you have only changed the configuration, you can reload it to make it effective without restarting the services

# /etc/init.d/fail2ban force-reload

My Testing

I installed and configured this on my own shell and ran Hydra against it from BackTrack. The results were interesting to say the least: it looked like it didn’t affect Hydra at all, but after stopping the attack and trying to shell to the server, the connection was refused.

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

One Response to “How to install and configure fail2ban on Linux”

  1. Dave

    Don’t forget about “findtime” which should be set to about 600 seconds.

    You can also add on extra features as part of the “action” variable, eg:

    action = iptables[name=ssh,port=22,protocol=tcp]
    mail[name=SSH,dest=john@website.com]

