How to stop bruteforce attacks with fail2ban
fail2ban it’s available on Debian, Ubuntu, Gentoo, Arch, Suse and Fedora so on these distro you can use the standard package manager to install it (and his dependency), i.g aptitude install fail2ban, emerge net-analyzer/fail2ban.
fail2ban is composed of 2 parts: a client and a server. The server (fail2ban-server) is multi-threaded and listens on a Unix socket for commands and to give to the client information in real time. The server itself knows nothing about the configuration files. Thus, at start-up, the server is in a “default” state in which no jails are defined.
fail2ban-client is the frontend of Fail2ban. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send a single command to the server using either the command line or the interactive mode (which is activated with the -i option).
A typical configuration look like this:
/etc/fail2ban/ ├── action.d │ ├── dummy.conf │ ├── hostsdeny.conf │ ├── iptables.conf │ ├── mail-whois.conf │ ├── mail.conf │ └── shorewall.conf ├── fail2ban.conf ├── fail2ban.local ├── filter.d │ ├── apache-auth.conf │ ├── apache-noscript.conf │ ├── couriersmtp.conf │ ├── postfix.conf │ ├── proftpd.conf │ ├── qmail.conf │ ├── sasl.conf │ ├── sshd.conf │ └── vsftpd.conf ├── jail.conf └── jail.local
Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn’t have to include everything in the corresponding .conf file, only those settings that you wish to override. Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading.
The file fail2ban.conf contains general settings for the fail2ban-server daemon, such as the logging level and target. You can also specify here the socket path used for communication between the client and the server.
The most important file is probably jail.conf, which contains the declaration of your jails.
The most importants parameters are:
Parameter Description ignoreip List of IP to be Ignored, IP can be entered with a netmask /24 for example bantime Duration (in seconds) for IP to be banned for. findtime The counter is set to zero if no match is found within "findtime" seconds. maxretry Number of matches (i.e. value of the counter) which triggers ban action on the IP. action What to do when you reach maxretry, usually that ports is blocked for that IP. port The service, or better the port that use the service that we want to control filter Name of the filter to be used by the jail to detect matches (/etc/fail2ban/filter.d). logpath Path to the log file which is provided to the filter
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
This is the classic example for ssh, check the log /var/log/auth.log using the filter sshd and if it find 6 attempts of attack closes the port 22 (default action).
[apache-multiport] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6
This example for Apache is very similar, the difference are that blocks 2 ports (http and https) and check more log files.
The directory filter.d contains mainly regular expressions which are used to detect break-in attempts, password failures, etc. Here is an example for filter.d/sshd.conf with some possible regular expressions to match the lines of the logfile:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)sAddress .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
Start the server
Once you have configured all the filters and services that you want to monitor you can start the server with the command:
sudo /etc/init.d/fail2ban start
To see all the configuration with the warning, we use the command:
We can test the regular expressions of a filter:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
To see who has been banned:
From minute 7.00 for a short guide to fail2ban