fail2ban it’s available on Debian, Ubuntu, Gentoo, Arch, Suse and Fedora so on these distro you can use the standard package manager to install it (and his dependency), i.g aptitude install fail2ban, emerge net-analyzer/fail2ban.
usage
fail2ban is composed of 2 parts: a client and a server. The server (fail2ban-server) is multi-threaded and listens on a Unix socket for commands and to give to the client information in real time. The server itself knows nothing about the configuration files. Thus, at start-up, the server is in a “default” state in which no jails are defined.
fail2ban-client is the frontend of Fail2ban. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send a single command to the server using either the command line or the interactive mode (which is activated with the -i option).
Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn’t have to include everything in the corresponding .conf file, only those settings that you wish to override. Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading.
General Configuration
The file fail2ban.conf contains general settings for the fail2ban-server daemon, such as the logging level and target. You can also specify here the socket path used for communication between the client and the server.
jails
The most important file is probably jail.conf, which contains the declaration of your jails.
The most importants parameters are:
Parameter Description
ignoreip List of IP to be Ignored, IP can be entered with a netmask /24 for example
bantime Duration (in seconds) for IP to be banned for.
findtime The counter is set to zero if no match is found within "findtime" seconds.
maxretry Number of matches (i.e. value of the counter) which triggers ban action on the IP.
action What to do when you reach maxretry, usually that ports is blocked for that IP.
port The service, or better the port that use the service that we want to control
filter Name of the filter to be used by the jail to detect matches (/etc/fail2ban/filter.d).
logpath Path to the log file which is provided to the filter
This is the classic example for ssh, check the log /var/log/auth.log using the filter sshd and if it find 6 attempts of attack closes the port 22 (default action).
This example for Apache is very similar, the difference are that blocks 2 ports (http and https) and check more log files.
Filters
The directory filter.d contains mainly regular expressions which are used to detect break-in attempts, password failures, etc. Here is an example for filter.d/sshd.conf with some possible regular expressions to match the lines of the logfile:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(\)\s*$
^%(__prefix_line)sAddress .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
Start the server
Once you have configured all the filters and services that you want to monitor you can start the server with the command:
sudo /etc/init.d/fail2ban start
Useful commands
To see all the configuration with the warning, we use the command:
