Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.
Fail2ban is a log parser: it can only react to something after it has been written to a log file.
See also: Security - Abuse Detection
fail2ban-client --version
Fail2Ban v0.9.7
The Fail2ban log target is configured in fail2ban.conf.
Default:
/var/log/fail2ban.log
Example:
2019-11-04 19:48:06,119 fail2ban.server [3291]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database [3291]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail [3291]: INFO Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail [3291]: INFO Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail [3291]: INFO Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter [3291]: INFO Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter [3291]: INFO Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions [3291]: INFO Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter [3291]: INFO Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter [3291]: INFO Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd [3291]: INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail [3291]: INFO Jail 'sshd' started
Fail2ban has four configuration file types in /etc/fail2ban/:
Distribution | Custom (local) | Description
---|---|---
fail2ban.conf | fail2ban.local | Fail2Ban global configuration (such as logging)
filter.d/*.conf | NA | Filters specifying how to detect authentication failures
action.d/*.conf | NA | Actions defining the commands for banning and unbanning of IP addresses
jail.conf | /etc/fail2ban/jail.local | Jails defining combinations of Filters with Actions
where:
The .local files override the configuration in the .conf files. Custom configuration should be done in the .local files because the .conf files may be overwritten by the next release.
From less to more important (the more specific section wins):
The section of the configuration file defines the scope of each property, i.e.:
[DEFAULT]
... default properties (i.e. for all services)
[jail]
... properties for only the jail ''jail'' (i.e. the service)
To be banned, an IP address must reach maxretry failed authentication attempts within the findtime time window.
Parameters:
# default 10 minutes
bantime = 600
# half an hour
bantime = 1800
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc)
# This variable is used in the action_* variables.
banaction = iptables-multiport
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
Other:
A jail is just the configuration for one service (a filter combined with an action), e.g.:
[sshd]
...
enabled = true
...
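The layering rules above (a .local file overriding its .conf, and [DEFAULT] values inherited by every jail section unless the jail sets its own) can be reproduced with Python's configparser, which uses the same %(name)s interpolation syntax as Fail2ban's files. The following script is an added example, not code from this page or from the Fail2ban project; jail.conf and jail.local are constructed stand-ins modelled on the defaults shown above, and setting __name__ per section is an emulation of the jail name Fail2ban exposes to interpolation.

```python
import configparser

# Constructed stand-ins for /etc/fail2ban/jail.conf (distribution) and
# /etc/fail2ban/jail.local (custom); values follow the page's defaults but
# these are not the real distribution files.
JAIL_CONF = """\
[DEFAULT]
bantime   = 600
findtime  = 600
maxretry  = 5
port      = 0:65535
banaction = iptables-multiport
action_   = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s"]
action    = %(action_)s

[sshd]
enabled = false
port    = ssh
logpath = /var/log/auth.log

[apache-auth]
enabled = false
port    = http,https
logpath = /var/log/apache2/error.log
"""

JAIL_LOCAL = """\
[DEFAULT]
# override the global ban time for every jail: half an hour
bantime = 1800

[sshd]
enabled  = true
port     = 2222
maxretry = 3
"""


def load_layered(conf_text, local_text):
    """Read the .conf first and the .local second: keys from the later read
    replace earlier ones, which is the .local-overrides-.conf rule."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    cp.read_string(local_text)
    # Assumption: Fail2ban makes the jail name available as %(__name__)s;
    # Python's configparser does not, so set it per section by hand.
    for section in cp.sections():
        cp.set(section, "__name__", section)
    return cp


def effective(cp, jail):
    """Resolved values for one jail: [DEFAULT] keys, overridden by the jail's
    own keys, with %(...)s interpolation expanded."""
    return {k: v for k, v in cp.items(jail) if k != "__name__"}


if __name__ == "__main__":
    cp = load_layered(JAIL_CONF, JAIL_LOCAL)
    for jail in ("sshd", "apache-auth"):
        print(f"[{jail}]")
        for key, value in effective(cp, jail).items():
            print(f"  {key} = {value}")
```

Running it shows the sshd jail with bantime 1800 (from the .local [DEFAULT]), port 2222 and maxretry 3 (from the .local [sshd]), and an action string whose name is the jail name; apache-auth inherits the same bantime but keeps maxretry 5 and its own port because nothing in the .local touches it.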
In the directory /etc/fail2ban/filter.d:
These files contain the regular expressions that determine whether a line in the log is a failed authentication attempt.
ll /etc/fail2ban/filter.d
total 348
-rw-r--r-- 1 root root 442 May 11 2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11 2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11 2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11 2017 apache-botsearch.conf
-rw-r--r-- 1 root root 813 May 11 2017 apache-common.conf
-rw-r--r-- 1 root root 268 May 11 2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root 487 May 11 2017 apache-modsecurity.conf
-rw-r--r-- 1 root root 596 May 11 2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11 2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11 2017 apache-overflows.conf
-rw-r--r-- 1 root root 346 May 11 2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11 2017 apache-shellshock.conf
..........
Format:
Testing is done with the fail2ban-regex utility:
fail2ban-regex logFile filter
# example
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
The filter sshd-basic is for light ban restrictions, whereas sshd-aggressive will ban indefinitely (for example, when someone tries to log in with an account that doesn't exist on the system or one that is forbidden: root, oracle, cisco, etc.). Check the file /etc/fail2ban/filter.d/sshd.conf.
[sshd]
enabled = true
port = 2222
# alternative: filter = sshd-aggressive (see above)
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Test:
# ssh takes the port with -p, not as host:port
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
sudo iptables -S
....
-A fail2ban-ssh -s 304.0.258.15/32 -j REJECT --reject-with icmp-port-unreachable
...
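To make the two rules concrete, the following added Python example (not code from this page or from Fail2ban) does what fail2ban-regex does on a few log lines and then applies the maxretry/findtime rule of the jail above: one failregex with Fail2ban's <HOST> placeholder, a simplified expansion of that placeholder (the real one also handles IPv6 and a wider host syntax), and a per-address sliding window with maxretry = 3 and findtime = 600. The filter pattern, the auth.log lines and the addresses (RFC 5737 documentation ranges) are constructed for the example; the real filter.d/sshd.conf carries many more patterns.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the failregex list of filter.d/sshd.conf.
FAILREGEX = [
    r"^Failed password for .* from <HOST>( port \d+)?( ssh\d*)?$",
]
# Simplified expansion of the <HOST> placeholder: IPv4 address or hostname.
HOST_RE = r"(?P<host>[\w\-.]+)"

# syslog-style prefix as written into /var/log/auth.log
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample of /var/log/auth.log (chronological, documentation IPs).
SAMPLE_LOG = """\
Nov  4 19:00:00 server sshd[3101]: Failed password for root from 192.0.2.44 port 50001 ssh2
Nov  4 19:20:00 server sshd[3150]: Failed password for root from 192.0.2.44 port 50002 ssh2
Nov  4 19:40:00 server sshd[3200]: Failed password for root from 192.0.2.44 port 50003 ssh2
Nov  4 19:48:01 server sshd[3291]: Failed password for invalid user bad_user from 203.0.113.15 port 51234 ssh2
Nov  4 19:48:03 server sshd[3294]: Failed password for invalid user bad_user from 203.0.113.15 port 51235 ssh2
Nov  4 19:48:05 server sshd[3297]: Failed password for invalid user bad_user from 203.0.113.15 port 51236 ssh2
Nov  4 19:48:07 server sshd[3300]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Nov  4 19:48:09 server sshd[3303]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Nov  4 19:48:11 server sshd[3306]: Failed password for alice from 198.51.100.7 port 40003 ssh2
"""

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def parse_line(line):
    """Return (timestamp, host) if the line is a matching failure, else None.
    This is the per-line verdict fail2ban-regex reports."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        fm = rx.match(m["msg"])
        if fm:
            # syslog carries no year; strptime fills in 1900, fine for deltas
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            return ts, fm["host"]
    return None


def matched_hosts(log_text):
    """fail2ban-regex style summary: one host per matched line."""
    return [r[1] for r in map(parse_line, log_text.splitlines()) if r]


def scan(log_text, maxretry=3, findtime=600):
    """Ban a host once maxretry failures fall inside a findtime-second window.
    Returns {host: time of ban}."""
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue              # already banned, no further counting
        w = window[host]
        w.append(ts)
        # drop failures older than findtime relative to the newest one
        while ts - w[0] > timedelta(seconds=findtime):
            w.popleft()
        if len(w) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    print("matched lines:", len(matched_hosts(SAMPLE_LOG)))
    for host, when in scan(SAMPLE_LOG).items():
        print(f"ban {host} at {when.time()}")
```

With the jail values above only 203.0.113.15 is banned, at its third failure. 198.51.100.7 stops at two failures, and 192.0.2.44 has three failures but twenty minutes apart, so at most one of them ever sits inside the 600-second window; raising findtime to an hour would ban it too, which is the trade-off between findtime and maxretry a practitioner tunes.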