Fail2ban

1 - About

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Fail2ban is a log parser. It cannot do anything before something is written in the log files.

See also: Security - Abuse Detection

3 - Management

3.1 - Version


fail2ban-client --version


Fail2Ban v0.9.7

3.2 - Log

The log is configured in fail2ban.conf.

Default:


/var/log/fail2ban.log

Example:


2019-11-04 19:48:06,119 fail2ban.server         [3291]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database       [3291]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database       [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail           [3291]: INFO    Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail           [3291]: INFO    Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail           [3291]: INFO    Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter         [3291]: INFO    Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter         [3291]: INFO    Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions        [3291]: INFO    Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd  [3291]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail           [3291]: INFO    Jail 'sshd' started

4 - Configuration

4.1 - File

Fail2ban has four configuration file types in /etc/fail2ban/:

Distribution      Custom (local)             Description
fail2ban.conf     fail2ban.local             Fail2Ban global configuration (such as logging)
filter.d/*.conf   NA                         Filters specifying how to detect authentication failures
action.d/*.conf   NA                         Actions defining the commands for banning and unbanning IP addresses
jail.conf         /etc/fail2ban/jail.local   Jails defining combinations of Filters with Actions

where:

  • custom is where the configuration customization should be saved (only the settings you would like to change).
  • distribution are the files distributed with the installation; they should not be modified.

The .local files override the configuration in the .conf files. Customization should be done in the .local files because the .conf files may be overwritten by the next release.

4.2 - Order of precedence

From least to most important:

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).

4.3 - Section

The section of a configuration file defines the scope of each property, i.e.:

  • global
  • or by jail (Configuration for a service)

[DEFAULT]
... default properties (i.e. for all services)
[jail]
... properties for only the jail 'jail' (i.e. the service)
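The precedence chain of 4.2 and the [DEFAULT]/jail scoping of 4.3, worked as an added Python example that is not part of the Fail2ban project: it reads constructed jail.conf, jail.d/10-sshd.conf and jail.local files in Fail2ban's order and returns the effective sshd jail, including %(...)s interpolation of the banaction and action_ properties described in section 5. The file contents and the temporary /etc/fail2ban stand-in are constructed for the example.

```python
"""Added example, not Fail2ban's own code: how jail.conf, jail.d/*.conf, jail.local
and jail.d/*.local stack, and how [DEFAULT] values interpolate into a jail."""
import configparser
import glob
import os
import tempfile

def jail_config_files(etc_dir):
    """Read order from least to most important, as Fail2ban applies it."""
    files = [os.path.join(etc_dir, "jail.conf")]
    files += sorted(glob.glob(os.path.join(etc_dir, "jail.d", "*.conf")))
    files.append(os.path.join(etc_dir, "jail.local"))
    files += sorted(glob.glob(os.path.join(etc_dir, "jail.d", "*.local")))
    return [f for f in files if os.path.exists(f)]

def effective_jail(etc_dir, jail):
    """Effective options of one jail: [DEFAULT] merged with the jail section,
    later files overriding earlier ones, %(...)s references expanded."""
    cp = configparser.ConfigParser()            # BasicInterpolation by default
    cp.read(jail_config_files(etc_dir))
    return dict(cp.items(jail))

# Constructed stand-ins for the real files (Fail2ban's action_ also passes
# name=%(__name__)s, which stock configparser does not define, so it is omitted).
JAIL_CONF = """[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[bantime="%(bantime)s", port="%(port)s"]
action = %(action_)s
[sshd]
enabled = false
port = ssh
"""
JAIL_D_CONF = "[sshd]\nenabled = true\nmaxretry = 3\nport = 2222\n"   # jail.d/10-sshd.conf
JAIL_LOCAL = "[DEFAULT]\nbantime = 1800\n[sshd]\nmaxretry = 4\n"      # jail.local

def demo():
    """Write the three constructed files to a temp dir and resolve the sshd jail."""
    etc = tempfile.mkdtemp()
    os.mkdir(os.path.join(etc, "jail.d"))
    for rel, body in [("jail.conf", JAIL_CONF), ("jail.d/10-sshd.conf", JAIL_D_CONF),
                      ("jail.local", JAIL_LOCAL)]:
        with open(os.path.join(etc, rel), "w") as f:
            f.write(body)
    return effective_jail(etc, "sshd")
```

Calling demo() shows maxretry coming from jail.local (4, beating the jail.d drop-in's 3), enabled and port from jail.d/10-sshd.conf, and bantime 1800 from the [DEFAULT] of jail.local flowing into the expanded action.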

5 - Properties

5.1 - Ban conditions

To be banned, a client (IP address) must have maxretry failed authentications within the findtime time window.

Parameters:

  • maxretry: the number of failed tries allowed
  • findtime: the time window, in seconds

5.2 - Ban Properties

  • bantime: the ban duration, in seconds, before the ban is lifted. See the new feature in 0.11, bantime.increment, to increase the bantime automatically.

# default 10 minutes
bantime = 600
# half an hour
bantime = 1800

  • Port

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

  • the default banaction (i.e. the ban method) used in the definition of an action

# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) 
# This variable is used in the action_* variables. 
banaction = iptables-multiport

5.3 - Ban Actions

  • The default action is action_ (see below for the meaning of this action)

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

  • All actions are defined with the name format action_…. Example:

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

Other:

  • action_mw: ban and send an e-mail with a whois report to the destemail.
  • action_mwl: same as action_mw, and also e-mails the relevant log lines.
  • action_xarf

5.4 - Jail

A jail is just a configuration for a service.


[sshd]
...
enabled = true
...

5.5 - Filter

In the directory /etc/fail2ban/filter.d

These files contain the regular expressions that determine whether a line in the log is a failed authentication attempt.


ll /etc/fail2ban/filter.d


total 348
-rw-r--r-- 1 root root  442 May 11  2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11  2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11  2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11  2017 apache-botsearch.conf
-rw-r--r-- 1 root root  813 May 11  2017 apache-common.conf
-rw-r--r-- 1 root root  268 May 11  2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root  487 May 11  2017 apache-modsecurity.conf
-rw-r--r-- 1 root root  596 May 11  2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11  2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11  2017 apache-overflows.conf
-rw-r--r-- 1 root root  346 May 11  2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11  2017 apache-shellshock.conf
..........

Format:

  • The [INCLUDES] section header specifies other filter files that are included:
    • before
    • or after

6 - Test

Testing is done with the fail2ban-regex utility:


fail2ban-regex logFile filter
# example
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
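To make concrete what fail2ban-regex is checking, and how the maxretry, findtime and bantime properties of section 5 turn filter matches into a ban, here is an added Python model that is not Fail2ban's code. The failregex, the <HOST> substitution and the auth.log lines are simplified, constructed stand-ins for the real sshd.conf filter and a real log.

```python
"""Added example, not Fail2ban's own code: a minimal model of a jail. A failregex
with a <HOST> placeholder, as in filter.d/*.conf, is applied to log lines; a host
with maxretry matches inside findtime seconds is banned for bantime seconds."""
import re
from datetime import datetime

# Assumption: a cut-down sshd failregex (the real sshd.conf has many more rules).
FAILREGEX = r"Failed password for (invalid user )?\S+ from <HOST> port \d+ ssh2"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # what Fail2ban substitutes for <HOST>
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  + FAILREGEX.replace("<HOST>", HOST))

# Constructed auth.log sample: one attacker, one legitimate login, one stray failure.
LOG = [
    "Nov  4 19:37:00 srv sshd[1000]: Failed password for root from 203.0.113.7 port 40000 ssh2",
    "Nov  4 19:48:01 srv sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Nov  4 19:48:09 srv sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2",
    "Nov  4 19:50:00 srv sshd[1003]: Accepted publickey for alice from 198.51.100.9 port 5000 ssh2",
    "Nov  4 19:57:30 srv sshd[1004]: Failed password for invalid user cisco from 203.0.113.7 port 40003 ssh2",
    "Nov  4 19:59:00 srv sshd[1005]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Nov  4 20:10:00 srv sshd[1006]: Failed password for root from 192.0.2.44 port 40005 ssh2",
]

def parse(line, year=2019):
    """Return (epoch seconds, host) for a matching failure line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group("host")

def run_jail(lines, maxretry=3, findtime=600, bantime=600):
    """Replay the log and return {host: ban expiry epoch} as the jail would."""
    failures, bans = {}, {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue                          # no failregex match: ignored
        t, host = hit
        if host in bans and t < bans[host]:
            continue                          # still banned, nothing to count
        # Sliding window: keep only failures from the last findtime seconds.
        window = [x for x in failures.get(host, []) if t - x <= findtime]
        window.append(t)
        failures[host] = window
        if len(window) >= maxretry:           # maxretry failures within findtime
            bans[host] = t + bantime
            failures[host] = []
    return bans
```

With the defaults, the 19:37 failure has aged out of the 600 s window, so 203.0.113.7 is banned at the third failure inside the window (19:57:30) and the 19:59 attempt is simply dropped; raising findtime to 1200 moves the ban forward to 19:48:09, and the single failure from 192.0.2.44 never bans.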

7 - Example

7.1 - sshd

The filter sshd-basic is for light ban restrictions, whereas sshd-aggressive will ban indefinitely (for example, if someone tries to log in with an account that doesn't exist on the system or one that is forbidden: root, oracle, cisco, etc.). Check the file /etc/fail2ban/filter.d/sshd.conf.


[sshd]
enabled     = true
port        = 2222
# only one filter key per jail; the aggressive variant described above is used here
filter      = sshd-aggressive
logpath     = /var/log/auth.log
maxretry    = 3

Test:

  • 3 unsuccessful authentications:

ssh [email protected]:2222
ssh [email protected]:2222
ssh [email protected]:2222

  • iptables should have been updated:

sudo iptables -S


....
-A fail2ban-ssh -s 304.0.258.15/32 -j REJECT --reject-with icmp-port-unreachable
...

8 - Documentation / Help

8.1 - Nginx

