How to stop bruteforce attacks with fail2ban

Installation

fail2ban it’s available on Debian, Ubuntu, Gentoo, Arch, Suse and Fedora so on these distro you can use the standard package manager to install it (and his dependency), i.g aptitude install fail2ban, emerge net-analyzer/fail2ban.

usage

fail2ban is composed of 2 parts: a client and a server. The server (fail2ban-server) is multi-threaded and listens on a Unix socket for commands and to give to the client information in real time. The server itself knows nothing about the configuration files. Thus, at start-up, the server is in a “default” state in which no jails are defined.

fail2ban-client is the frontend of Fail2ban. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send a single command to the server using either the command line or the interactive mode (which is activated with the -i option).

Configuration

A typical configuration look like this:

/etc/fail2ban/
├── action.d
│   ├── dummy.conf
│   ├── hostsdeny.conf
│   ├── iptables.conf
│   ├── mail-whois.conf
│   ├── mail.conf
│   └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d
│   ├── apache-auth.conf
│   ├── apache-noscript.conf
│   ├── couriersmtp.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── qmail.conf
│   ├── sasl.conf
│   ├── sshd.conf
│   └── vsftpd.conf
├── jail.conf
└── jail.local

Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn’t have to include everything in the corresponding .conf file, only those settings that you wish to override. Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading.

General Configuration

The file fail2ban.conf contains general settings for the fail2ban-server daemon, such as the logging level and target. You can also specify here the socket path used for communication between the client and the server.

jails

The most important file is probably jail.conf, which contains the declaration of your jails.
The most importants parameters are:

Parameter	Description
ignoreip	List of IP to be Ignored, IP can be entered with a netmask /24 for example
bantime	        Duration (in seconds) for IP to be banned for.
findtime	The counter is set to zero if no match is found within "findtime" seconds.
maxretry	Number of matches (i.e. value of the counter) which triggers ban action on the IP.
action	        What to do when you reach maxretry, usually that ports is blocked for that IP.
port	        The service, or better the port that use the service that we want to control
filter	        Name of the filter to be used by the jail to detect matches (/etc/fail2ban/filter.d).
logpath	        Path to the log file which is provided to the filter

Examples:

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

This is the classic example for ssh, check the log /var/log/auth.log using the filter sshd and if it find 6 attempts of attack closes the port 22 (default action).

[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

This example for Apache is very similar, the difference are that blocks 2 ports (http and https) and check more log files.

Filters

The directory filter.d contains mainly regular expressions which are used to detect break-in attempts, password failures, etc. Here is an example for filter.d/sshd.conf with some possible regular expressions to match the lines of the logfile:

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
            ^%(__prefix_line)sUser .+ from  not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
            ^%(__prefix_line)sAddress  .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from  not allowed because none of user's groups are listed in AllowGroups\s*$

Start the server

Once you have configured all the filters and services that you want to monitor you can start the server with the command:

sudo /etc/init.d/fail2ban start

Useful commands

To see all the configuration with the warning, we use the command:

fail2ban-client -d

We can test the regular expressions of a filter:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

To see who has been banned:

iptables -L

References:

Examples of configurations
Fail2ban howto

From minute 7.00 for a short guide to fail2ban

via Linuxaria

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: