About
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.
Fail2ban is a log parser. It cannot do anything before something is written in the log files.
See also: Security - Abuse Detection
Management
Version
fail2ban-client --version
Fail2Ban v0.9.7
Log
The log target is set by logtarget in fail2ban.conf (override it in fail2ban.local, not in the .conf file)
Default:
/var/log/fail2ban.log
Example:
2019-11-04 19:48:06,119 fail2ban.server [3291]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database [3291]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail [3291]: INFO Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail [3291]: INFO Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail [3291]: INFO Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter [3291]: INFO Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter [3291]: INFO Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions [3291]: INFO Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter [3291]: INFO Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter [3291]: INFO Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd [3291]: INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail [3291]: INFO Jail 'sshd' started
Configuration
File
Fail2ban has four configuration file types in /etc/fail2ban/:
Distribution | Custom (local) | Description |
---|---|---|
fail2ban.conf | fail2ban.local | Fail2Ban global configuration (such as logging) |
filter.d/*.conf | filter.d/*.local | Filters: the regular expressions that detect authentication failures in a log |
action.d/*.conf | action.d/*.local | Actions: the commands that ban and unban an IP address |
jail.conf | jail.local (and jail.d/) | Jails: the combination of a filter, a log path and one or more actions for a service |
where:
- custom (.local) files are where configuration changes are saved: only the settings you want to change, since everything else is inherited from the .conf file.
- distribution (.conf) files are installed with the package and should not be modified.
A .local file overrides the settings of the matching .conf file. Customizations belong in .local files because the .conf files may be overwritten by the next package upgrade.
Order of precedence
From lowest to highest priority (a later file overrides an earlier one):
- jail.conf
- jail.d/*.conf (in alphabetical order)
- jail.local
- jail.d/*.local (in alphabetical order).
Section
A section of a configuration file defines the scope of the properties it contains:
- [DEFAULT]: global, applied to every jail
- [jail]: properties for that jail only (the configuration of one service), overriding [DEFAULT]
[DEFAULT]
... default properties (i.e. for all services)
[jail]
... properties for only the jail ''jail'' (i.e. the service)
Properties
Ban conditions
An IP address is banned when maxretry failures from it are found within a window of findtime seconds.
Parameters:
- maxretry: the number of failures that triggers a ban
- findtime: the time window, in seconds, in which those failures must occur
Ban Properties
- bantime: the ban duration, in seconds, before the ban is lifted. Since 0.11, bantime.increment can lengthen it automatically for hosts that have been banned before.
# default 10 minutes
bantime = 600
# an half hour
bantime = 1800
- port: the ports the ban applies to (usually overridden per jail)
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
- banaction: the default ban method (an iptables chain, shorewall, ...), referenced from the action_* definitions
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc)
# This variable is used in the action_* variables.
banaction = iptables-multiport
Ban Actions
- The default action is action_ (ban only; see below for its definition)
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
- All action shortcuts are named action_…; the simplest one is:
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
Other shortcuts:
- action_mw: ban and send an e-mail with a whois report to destemail.
- action_mwl: same as action_mw, plus the relevant log lines.
- action_xarf: ban and send an X-ARF abuse report by e-mail, including the relevant log lines.
- …
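The precedence order above (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local) and the %(name)s interpolation behind action = %(action_)s, replayed in Python with the standard-library configparser. This is an added example, not fail2ban's own configuration reader: the four files are constructed, the jail.d file names are assumptions, and the action_ template is simplified (fail2ban's own uses %(__name__)s for the jail name, which plain configparser does not provide).

```python
import configparser
import os
import tempfile

# Constructed configuration fragments (not the distribution files).
# Only jail.conf carries a full set of keys; the other files override
# just the settings they want to change, as a .local file should.
FILES = {
    "jail.conf": """\
[DEFAULT]
bantime   = 600
findtime  = 600
maxretry  = 5
port      = 0:65535
banaction = iptables-multiport
action_   = %(banaction)s[bantime="%(bantime)s", port="%(port)s"]
action    = %(action_)s

[sshd]
enabled = false
port    = ssh
""",
    "jail.d/00-site.conf": """\
[DEFAULT]
maxretry = 4
""",
    "jail.local": """\
[DEFAULT]
bantime   = 1800
banaction = iptables-allports

[sshd]
enabled = true
port    = 2222
""",
    "jail.d/99-sshd.local": """\
[sshd]
maxretry = 3
""",
}


def read_order(confdir):
    """Jail files in the order fail2ban reads them; a later file overrides an earlier one."""
    def in_jail_d(suffix):
        d = os.path.join(confdir, "jail.d")
        names = sorted(os.listdir(d)) if os.path.isdir(d) else []   # alphabetical order
        return [os.path.join(d, n) for n in names if n.endswith(suffix)]
    return ([os.path.join(confdir, "jail.conf")]
            + in_jail_d(".conf")
            + [os.path.join(confdir, "jail.local")]
            + in_jail_d(".local"))


def load_jails(confdir):
    """Merge the files in precedence order. %(name)s references are resolved only
    when a value is read, so overriding banaction in jail.local also changes the
    expanded action, even though action itself is never touched."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read(read_order(confdir))   # read() silently skips files that do not exist
    return cp


def effective(confdir, jail):
    """The settings a jail actually runs with after all overrides."""
    cp = load_jails(confdir)
    keys = ("enabled", "maxretry", "findtime", "bantime", "banaction", "port", "action")
    return {k: cp.get(jail, k) for k in keys}


def write_tree(confdir):
    """Materialise the constructed files under a scratch /etc/fail2ban look-alike."""
    for rel, text in FILES.items():
        path = os.path.join(confdir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def demo():
    """Return (read order relative to the config dir, effective [sshd] settings)."""
    with tempfile.TemporaryDirectory() as d:
        write_tree(d)
        order = [os.path.relpath(p, d) for p in read_order(d)]
        return order, effective(d, "sshd")


if __name__ == "__main__":
    order, settings = demo()
    print("read order:", order)
    for k, v in settings.items():
        print(f"{k:>9} = {v}")
```

Note that maxretry ends up as 3 for sshd: jail.d/00-site.conf set 4 in [DEFAULT], but the jail-specific value in jail.d/99-sshd.local, read last, wins; bantime and banaction come from jail.local, and the action string picks those up at read time.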
Jail
A jail is the configuration for one service: it names the filter, the log to watch and the action to run, and is switched on with enabled = true (jails are disabled by default).
[sshd]
...
enabled = true
...
Filter
In the directory /etc/fail2ban/filter.d
These files contain the regular expressions (failregex) that decide whether a log line is a failed authentication attempt; the <HOST> tag in a pattern captures the address to ban.
ll /etc/fail2ban/filter.d
total 348
-rw-r--r-- 1 root root 442 May 11 2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11 2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11 2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11 2017 apache-botsearch.conf
-rw-r--r-- 1 root root 813 May 11 2017 apache-common.conf
-rw-r--r-- 1 root root 268 May 11 2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root 487 May 11 2017 apache-modsecurity.conf
-rw-r--r-- 1 root root 596 May 11 2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11 2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11 2017 apache-overflows.conf
-rw-r--r-- 1 root root 346 May 11 2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11 2017 apache-shellshock.conf
..........
Format:
- The [INCLUDES] section header lists other filter files to include, with two keys:
- before: files read before this one
- after: files read after this one
Test
A filter is tested against a log file with the fail2ban-regex utility, which reports how many lines matched and which did not:
fail2ban-regex logFile filter
# example
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
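The detection rule from Ban conditions (maxretry failures from one address inside a findtime window) and the fail2ban-regex check above, replayed in Python as an added example; this is not fail2ban's own code. The log lines are constructed, the year is an assumption (syslog timestamps carry none), and the three patterns are simplified stand-ins for entries of filter.d/sshd.conf, with <host> playing the role of fail2ban's <HOST> tag.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not taken from the page).
# syslog timestamps carry no year; LOG_YEAR is an assumption used when parsing.
LOG_YEAR = 2019
SAMPLE_AUTH_LOG = """\
Nov  4 19:50:01 server sshd[4001]: Failed password for invalid user bad_user from 203.0.113.15 port 51022 ssh2
Nov  4 19:50:04 server sshd[4003]: Failed password for invalid user bad_user from 203.0.113.15 port 51030 ssh2
Nov  4 19:50:09 server sshd[4005]: Invalid user oracle from 203.0.113.15 port 51041
Nov  4 19:50:12 server sshd[4007]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Nov  4 19:51:00 server sshd[4009]: Failed password for root from 198.51.100.7 port 40020 ssh2
Nov  4 20:10:00 server sshd[4011]: Failed password for root from 198.51.100.7 port 40021 ssh2
Nov  4 20:30:00 server sshd[4013]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""

# Simplified stand-ins for three failregex entries of filter.d/sshd.conf
# (assumption: the real file has more patterns and anchors on the sshd[pid]: prefix).
FAILREGEX = [
    re.compile(r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)"),
    re.compile(r"User \S+ from (?P<host>\S+) not allowed because"),
]
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line):
    """Return (timestamp, host) if the line is an authentication failure, else None."""
    m = TIMESTAMP.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    for rx in FAILREGEX:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def regex_report(log_text):
    """Mimic the summary line of fail2ban-regex: (matched, missed) counts."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    matched = sum(1 for l in lines if parse_failure(l) is not None)
    return matched, len(lines) - matched


def find_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Replay the log and return {host: ban start time}.
    A host is banned when maxretry failures fall inside a findtime-second
    window; while it is banned (bantime seconds) further failures are ignored."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps still inside findtime
    bans = {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue   # already banned: nothing new to do
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
            q.clear()
    return bans


if __name__ == "__main__":
    print("matched/missed:", regex_report(SAMPLE_AUTH_LOG))
    for ft in (600, 3600):
        print(f"maxretry=3 findtime={ft}:", find_bans(SAMPLE_AUTH_LOG, maxretry=3, findtime=ft))
```

With maxretry = 3 and the default findtime of 600 only 203.0.113.15 is banned: 198.51.100.7 also fails three times, but spread over 39 minutes, so never three inside one window; raising findtime to 3600 bans it too. The report counts 6 of 7 lines as matched, the Accepted publickey line being the one missed, which is the same kind of summary fail2ban-regex prints.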
Example
sshd
Fail2ban 0.9 ships two sshd filters: sshd, the default set of failregex patterns (wrong password, login with a user that does not exist on the system, user refused such as root when root login is forbidden), and sshd-aggressive, which adds further patterns on top of it. The filter only decides which log lines count as a failure; how long the ban lasts is still governed by bantime. Check the patterns in /etc/fail2ban/filter.d/sshd.conf. A jail using the default filter on a non-standard port, banning after 3 failures (set filter = sshd-aggressive to use the larger pattern set):
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Test:
- 3 unsuccessful authentication attempts on port 2222
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
- The iptables rules should now contain a reject rule for the client address in the jail's chain (named f2b-<jail> in 0.9; the older 0.8 releases used fail2ban-<jail>). The address below is a documentation placeholder:
sudo iptables -S
....
-A f2b-sshd -s 203.0.113.15/32 -j REJECT --reject-with icmp-port-unreachable
...