Fail2ban

About

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Fail2ban is a log parser: it cannot react until something has been written to the log files it watches.

See also: Security - Abuse Detection

Management

Version

fail2ban-client --version
Fail2Ban v0.9.7

Log

The log is configured in fail2ban.conf

Default:

/var/log/fail2ban.log

Example:

2019-11-04 19:48:06,119 fail2ban.server         [3291]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database       [3291]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database       [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail           [3291]: INFO    Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail           [3291]: INFO    Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail           [3291]: INFO    Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter         [3291]: INFO    Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter         [3291]: INFO    Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions        [3291]: INFO    Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd  [3291]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail           [3291]: INFO    Jail 'sshd' started

Configuration

File

Fail2ban has four configuration file types in /etc/fail2ban/:

Distribution      Custom (local)    Description
fail2ban.conf     fail2ban.local    Fail2Ban global configuration (such as logging)
filter.d/*.conf   NA                Filters specifying how to detect authentication failures
action.d/*.conf   NA                Actions defining the commands for banning and unbanning an IP address
jail.conf         jail.local        Jails defining combinations of filters with actions

where:

  • distribution files are the files shipped with the installation and should not be modified.
  • custom (.local) files are where your customizations should be saved (only the settings you want to change).

The .local files override the configuration in the corresponding .conf file. Customization should be done in the .local files because the .conf files may be overwritten by the next release.

Order of precedence

From less to more important

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).

Section

The section of a configuration file defines the scope of the properties it contains, i.e.:

  • global ([DEFAULT] section)
  • or per jail (the configuration for one service)
[DEFAULT]
... default properties (i.e. for all services)
[jail]
... properties for only the jail named "jail" (i.e. one service)

Properties

Ban conditions

To be banned, a client must reach maxretry failed authentications within the findtime time window.

Parameters:

  • maxretry: the number of failed attempts allowed
  • findtime: the time window (in seconds) in which those failures are counted
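The maxretry/findtime/bantime rule in code, as an added example (not fail2ban's own implementation): a sliding-window counter per source address fed with constructed failed-login events, which bans on the maxretry-th failure inside findtime and lifts the ban after bantime. The event tuples and the BanTracker class are assumptions for illustration; the addresses are RFC 5737 documentation ranges.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed failed-login events (timestamp, source address): the tuples a
# filter would have extracted from the log. Kept in log order.
EVENTS = [
    ("2019-11-04 19:48:10", "198.51.100.7"),
    ("2019-11-04 19:48:15", "198.51.100.7"),
    ("2019-11-04 19:48:20", "198.51.100.7"),  # third failure inside findtime -> ban
    ("2019-11-04 19:48:30", "203.0.113.9"),
    ("2019-11-04 19:50:00", "198.51.100.7"),  # already banned: not counted again
    ("2019-11-04 20:10:00", "203.0.113.9"),   # first failure from this host has aged out
    ("2019-11-04 20:15:00", "203.0.113.9"),   # only two failures in the last 600 s: no ban
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class BanTracker:
    """Hypothetical model of the jail logic: ban when maxretry failures fall
    inside findtime seconds, keep the ban for bantime seconds."""

    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}  # ip -> deque of failure timestamps still inside the window
        self.bans = {}      # ip -> datetime at which the ban expires

    def is_banned(self, ip, now):
        expires = self.bans.get(ip)
        if expires is None:
            return False
        if now >= expires:  # bantime elapsed: the ban is lifted
            del self.bans[ip]
            return False
        return True

    def failure(self, ip, when):
        """Record one failed attempt; return True if it triggers a ban."""
        if self.is_banned(ip, when):
            return False
        window = self.failures.setdefault(ip, deque())
        window.append(when)
        cutoff = when - self.findtime
        while window and window[0] < cutoff:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = when + self.bantime
            window.clear()
            return True
        return False


def replay(events, **params):
    """Feed events (in log order) through a tracker; return (tracker, list of bans)."""
    tracker = BanTracker(**params)
    bans = []
    for ts, ip in events:
        if tracker.failure(ip, parse_ts(ts)):
            bans.append((ts, ip))
    return tracker, bans


if __name__ == "__main__":
    tracker, bans = replay(EVENTS, maxretry=3, findtime=600, bantime=600)
    for ts, ip in bans:
        print(f"{ts} ban {ip}")
    print("banned at 19:50:00:", tracker.is_banned("198.51.100.7", parse_ts("2019-11-04 19:50:00")))
    print("banned at 20:00:00:", tracker.is_banned("198.51.100.7", parse_ts("2019-11-04 20:00:00")))
```

With the page's defaults (maxretry 3, findtime 600, bantime 600) only 198.51.100.7 is banned; 203.0.113.9 escapes because its first failure has left the 600 s window. Raising findtime to 3600 makes the same three failures from 203.0.113.9 count together and ban it at 20:15:00, which is the trade-off between findtime and slow, spread-out guessing.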

Ban Properties

  • bantime: the duration of the ban in seconds before it is lifted. See the bantime.increment feature, new in 0.11, to increase the ban time automatically.
# default 10 minutes
bantime = 600
# half an hour
bantime = 1800
  • port: the ports to ban
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
  • the default banaction (ie ban method) used in the definition of an action
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) 
# This variable is used in the action_* variables. 
banaction = iptables-multiport

Ban Actions

  • The default action is action_ (see below for the meaning of this action)
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
  • All action shortcuts are named with the prefix action_. Example:
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
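The precedence order (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local) and the %(...)s interpolation behind action_ and action, shown with the Python standard library as an added example. This is not fail2ban's own configuration reader: the layers are constructed strings keyed by path, stdlib configparser stands in for fail2ban's reader, and the constructed action_ omits %(__name__)s because stdlib configparser does not provide that variable.

```python
import configparser

# Constructed jail configuration layers keyed by path relative to /etc/fail2ban
# (not fail2ban's shipped files). Each layer only sets what it wants to change.
FILES = {
    "jail.conf": """
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[port="%(port)s", bantime="%(bantime)s"]
action = %(action_)s

[sshd]
enabled = false
port = ssh
""",
    "jail.d/00-defaults.conf": """
[DEFAULT]
bantime = 1800
""",
    "jail.d/10-sshd.conf": """
[sshd]
enabled = true
port = 2222
""",
    "jail.local": """
[DEFAULT]
bantime = 3600

[sshd]
maxretry = 3
""",
    "jail.d/zz-site.local": """
[sshd]
bantime = 86400
""",
}


def precedence_key(path):
    """Sort key reproducing fail2ban's load order, least to most important:
    jail.conf, jail.d/*.conf (alphabetical), jail.local, jail.d/*.local (alphabetical)."""
    in_jail_d = path.startswith("jail.d/")
    if path == "jail.conf":
        tier = 0
    elif in_jail_d and path.endswith(".conf"):
        tier = 1
    elif path == "jail.local":
        tier = 2
    elif in_jail_d and path.endswith(".local"):
        tier = 3
    else:
        raise ValueError(f"not a jail configuration file: {path}")
    return (tier, path)


def load_order(files):
    return sorted(files, key=precedence_key)


def load_jail_config(files):
    """Merge the layers in precedence order; a later file overrides earlier values."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for path in load_order(files):
        cp.read_string(files[path], source=path)
    return cp


def effective_jail(cp, jail):
    """Resolve every option of a jail: [DEFAULT] supplies fallbacks, and %(...)s
    is expanded in the jail's own section, so action_ from [DEFAULT] sees the
    jail's port and bantime, not the global ones."""
    return {opt: cp.get(jail, opt) for opt in cp.options(jail)}


if __name__ == "__main__":
    cp = load_jail_config(FILES)
    print("load order:", load_order(FILES))
    for key, value in sorted(effective_jail(cp, "sshd").items()):
        print(f"sshd.{key} = {value}")
```

Two things worth checking on a real host after reading this: the last layer wins (here jail.d/zz-site.local sets the sshd bantime even though jail.local raised the global one), and the action string is expanded per jail, which is why port is "usually overridden in a particular jail" as the comment above says. On a live system, fail2ban-client get <jail> <option> reports the value the server actually resolved.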

Other:

  • action_mw ban & send an e-mail with whois report to the destemail.
  • action_mwl same as action_mw and emails the relevant log lines.
  • action_xarf

Jail

A jail is just the configuration for one service.

[sshd]
...
enabled = true
...

Filter

In the directory /etc/fail2ban/filter.d

These files contain the regular expressions that determine whether a line in the log is a failed authentication attempt.

ll /etc/fail2ban/filter.d
total 348
-rw-r--r-- 1 root root  442 May 11  2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11  2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11  2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11  2017 apache-botsearch.conf
-rw-r--r-- 1 root root  813 May 11  2017 apache-common.conf
-rw-r--r-- 1 root root  268 May 11  2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root  487 May 11  2017 apache-modsecurity.conf
-rw-r--r-- 1 root root  596 May 11  2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11  2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11  2017 apache-overflows.conf
-rw-r--r-- 1 root root  346 May 11  2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11  2017 apache-shellshock.conf
..........

Format:

  • The [INCLUDES] section header specifies other filter files that are included:
    • before
    • or after

Test

Testing is done with the fail2ban-regex utility:

fail2ban-regex logFile filter
# example
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
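What fail2ban-regex does when it classifies lines, reduced to a small Python script as an added example (not fail2ban's code): a constructed filter in the [Definition] format with two failregex lines and an ignoreregex is read, <HOST> is expanded to the named group fail2ban uses, the syslog timestamp is stripped with a constructed pattern (fail2ban has a far richer date machinery), and each constructed log line is reported as matched (with the extracted host), ignored, or missed. The filter text, the timestamp pattern, and the log lines are all assumptions made here; the addresses are documentation ranges.

```python
import configparser
import re

# fail2ban's expansion of the <HOST> placeholder: named group "host", with an
# optional IPv4-mapped IPv6 prefix.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed syslog-style timestamp prefix ("Nov  4 19:48:10 ").
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed filter in the filter.d format. Continuation lines of failregex are
# indented, as in the shipped filters. The ignoreregex is a made-up exemption.
FILTER = r"""
[Definition]
failregex = ^\S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$
            ^\S+ sshd\[\d+\]: Invalid user \S+ from <HOST>$
ignoreregex = from 10\.0\.0\.\d+ port
"""

# Constructed log lines: three failures, one success, one exempted failure, one unrelated line.
LOG_LINES = [
    "Nov  4 19:48:10 myhost sshd[3301]: Invalid user admin from 203.0.113.9",
    "Nov  4 19:48:10 myhost sshd[3301]: Failed password for invalid user admin from 203.0.113.9 port 52132 ssh2",
    "Nov  4 19:48:15 myhost sshd[3302]: Failed password for root from 203.0.113.9 port 52133 ssh2",
    "Nov  4 19:48:20 myhost sshd[3305]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2",
    "Nov  4 19:48:25 myhost sshd[3306]: Failed password for bob from 10.0.0.5 port 41001 ssh2",
    "Nov  4 19:48:30 myhost cron[3310]: (root) CMD (run-parts /etc/cron.hourly)",
]


def compile_filter(filter_text):
    """Parse a [Definition] section into compiled failregex and ignoreregex lists."""
    cp = configparser.ConfigParser(interpolation=None)  # regexes may contain '%'
    cp.read_string(filter_text)
    defn = cp["Definition"]
    fail = [re.compile(p.replace("<HOST>", HOST_RE))
            for p in defn.get("failregex", "").splitlines() if p.strip()]
    ignore = [re.compile(p)
              for p in defn.get("ignoreregex", "").splitlines() if p.strip()]
    return fail, ignore


def run_filter(filter_text, lines):
    """Classify each line like fail2ban-regex: ignored, matched (host, line), or missed."""
    fail, ignore = compile_filter(filter_text)
    report = {"matched": [], "ignored": [], "missed": []}
    for line in lines:
        body = SYSLOG_TS.sub("", line, count=1)  # the failregex is matched after the date
        if any(r.search(body) for r in ignore):
            report["ignored"].append(line)
            continue
        for r in fail:
            m = r.match(body)
            if m:
                report["matched"].append((m.group("host"), line))
                break
        else:
            report["missed"].append(line)
    return report


if __name__ == "__main__":
    report = run_filter(FILTER, LOG_LINES)
    for host, line in report["matched"]:
        print(f"matched {host}: {line}")
    print(f"{len(report['matched'])} matched, {len(report['ignored'])} ignored, {len(report['missed'])} missed")
```

Reading the missed list is the useful part of this exercise: a failure line that lands there will never count toward maxretry, which is the usual reason a jail "does nothing" after a log format change. fail2ban-regex prints the same matched/missed breakdown for a real log and filter.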

Example

sshd

The filter sshd-basic is for light ban restrictions, whereas sshd-aggressive will ban indefinitely (for example, if someone tries to log in with an account that doesn't exist on the system or one that is forbidden, such as root, oracle, cisco, etc.). Check the file /etc/fail2ban/filter.d/sshd.conf.

[sshd]
enabled     = true
port        = 2222
# a section must define the filter key only once; use sshd-aggressive instead of sshd for the aggressive variant
filter      = sshd
logpath     = /var/log/auth.log
maxretry    = 3

Test:

  • 3 unsuccessful authentication attempts (ssh takes the port with -p, not in the host part)
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
  • The iptables rules should have been updated
sudo iptables -S
....
-A fail2ban-ssh -s 304.0.258.15/32 -j REJECT --reject-with icmp-port-unreachable
...

Documentation / Help

Nginx




