Fail2ban


1 - About

Fail2Ban is an intrusion prevention framework that protects servers from brute-force attacks. It scans log files (or the systemd journal) for repeated authentication failures and bans the offending IP address for a configurable time, usually by adding a firewall rule.

3 - Management

3.1 - Version

fail2ban-client --version
Fail2Ban v0.9.7

3.2 - Log

The log file is set by the logtarget property in fail2ban.conf (override it in fail2ban.local rather than editing the distributed file).

Default:

/var/log/fail2ban.log

Example:

2019-11-04 19:48:06,119 fail2ban.server         [3291]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database       [3291]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database       [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail           [3291]: INFO    Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail           [3291]: INFO    Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail           [3291]: INFO    Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter         [3291]: INFO    Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter         [3291]: INFO    Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions        [3291]: INFO    Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd  [3291]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail           [3291]: INFO    Jail 'sshd' started

4 - Configuration

4.1 - File

Fail2ban has four configuration file types in /etc/fail2ban/. Every distributed .conf file can be overridden by a .local file of the same name next to it:

Distribution       Custom (local)      Description
fail2ban.conf      fail2ban.local      Fail2Ban global configuration (such as logging)
filter.d/*.conf    filter.d/*.local    Filters specifying how to detect authentication failures
action.d/*.conf    action.d/*.local    Actions defining the commands for banning and unbanning an IP address
jail.conf          jail.local          Jails defining combinations of filters with actions

where:

  • custom (.local) is where configuration customization should be saved; it holds only the settings you want to change.
  • distribution (.conf) files ship with the installation and are replaced on upgrade, so they should not be modified.

4.2 - Order of precedence

From lowest to highest precedence (a later file overrides the same setting in an earlier one):

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).

4.3 - Section

A section of a configuration file defines the scope of the properties it contains: [DEFAULT] applies to every jail, and a section named after a jail applies to that jail only and overrides [DEFAULT]. ie:

jail.conf
[DEFAULT]
... default properties (ie for all services)
[sshd]
... properties for only the jail 'sshd' (ie the service)
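The precedence rules of 4.2 and the section scoping of 4.3 can be reproduced with Python's configparser, which uses the same %(name)s interpolation syntax as fail2ban. The following is an added example written for this page, not fail2ban's own configuration reader: the four files are constructed strings, the jail.d file names 00-defaults.conf and zz-override.local are invented, and %(__name__)s is supplied by a small Interpolation subclass because fail2ban defines it and stock configparser does not.

```python
import configparser
from collections import ChainMap

# Constructed configuration fragments for this example (the jail.d file names
# are invented). They are listed out of order on purpose: the loader, not the
# listing order, decides precedence.
SOURCES = {
    "/etc/fail2ban/jail.d/zz-override.local": """
[sshd]
bantime = 3600
""",
    "/etc/fail2ban/jail.local": """
[sshd]
enabled = true
port = 2222
maxretry = 3
""",
    "/etc/fail2ban/jail.conf": """
[DEFAULT]
enabled = false
bantime = 600
findtime = 600
maxretry = 5
port = 0:65535
protocol = tcp
chain = INPUT
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

[sshd]
port = ssh
logpath = /var/log/auth.log

[apache-auth]
port = http,https
logpath = /var/log/apache2/error.log
""",
    "/etc/fail2ban/jail.d/00-defaults.conf": """
[DEFAULT]
bantime = 1800
""",
}


def precedence_order(paths):
    """Sort paths from lowest to highest precedence:
    jail.conf, jail.d/*.conf (alphabetical), jail.local, jail.d/*.local (alphabetical)."""
    def rank(path):
        name = path.rsplit("/", 1)[-1]
        in_jail_d = "/jail.d/" in path
        if not in_jail_d and name == "jail.conf":
            return (0, name)
        if in_jail_d and name.endswith(".conf"):
            return (1, name)
        if not in_jail_d and name == "jail.local":
            return (2, name)
        if in_jail_d and name.endswith(".local"):
            return (3, name)
        raise ValueError(f"not a jail configuration file: {path}")
    return sorted(paths, key=rank)


class JailInterpolation(configparser.BasicInterpolation):
    """%(name)s interpolation plus fail2ban's %(__name__)s, the jail (section) name."""

    def before_get(self, parser, section, option, value, defaults):
        scope = ChainMap({"__name__": section}, defaults)
        return super().before_get(parser, section, option, value, scope)


def load_jail_config(sources):
    """Read the fragments in precedence order; each later file overrides earlier ones."""
    cfg = configparser.ConfigParser(interpolation=JailInterpolation())
    for path in precedence_order(sources):
        cfg.read_string(sources[path], source=path)
    return cfg


def jail_settings(cfg, jail):
    """Resolved (interpolated) settings of one jail, DEFAULT values included."""
    return {opt: cfg.get(jail, opt) for opt in cfg.options(jail)}


if __name__ == "__main__":
    cfg = load_jail_config(SOURCES)
    for jail in ("sshd", "apache-auth"):
        s = jail_settings(cfg, jail)
        print(f"[{jail}] enabled={s['enabled']} bantime={s['bantime']} "
              f"maxretry={s['maxretry']} port={s['port']}")
        print("  action =", s["action"])
```

Running it shows that sshd ends up with bantime 3600 (jail.d/*.local wins over jail.local), maxretry 3 and port 2222 (jail.local wins over jail.conf), while apache-auth inherits bantime 1800 from the jail.d/*.conf [DEFAULT] and keeps maxretry 5; the expanded action string carries each jail's own name and port, which is what %(__name__)s is for.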

5 - Properties

5.1 - Ban conditions

A host (IP address) is banned when the jail's filter has matched maxretry failures from it within a sliding window of findtime seconds. Failures older than findtime no longer count, so an attacker that spreads attempts over a longer period is not caught unless findtime is raised.

Parameters:

  • maxretry: the number of failures allowed before a ban (default 5)
  • findtime: the time window, in seconds (default 600)

5.2 - Ban Properties

  • bantime: how long the ban lasts, in seconds, before it is lifted. A negative value (bantime = -1) bans permanently. Since 0.11, bantime.increment = true lengthens the ban automatically for repeat offenders.
# default 10 minutes
bantime = 600
# half an hour
bantime = 1800
  • port: the ports the ban applies to. The global default covers every port and is usually overridden per jail.
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
  • banaction: the default ban method (the name of a file in action.d/), referenced by the action_* definitions
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc)
# This variable is used in the action_* variables.
banaction = iptables-multiport

5.3 - Ban Actions

  • The default action is action_ (see below for what it does). Override action in jail.local, globally or per jail, to pick another shortcut.
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
  • The predefined actions are named action_<suffix>; action_ (empty suffix) is the simplest. Example
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

Other:

  • action_mw: ban & send an e-mail with a whois report to destemail.
  • action_mwl: same as action_mw, and also e-mails the relevant log lines.
  • action_xarf: ban & send an X-ARF abuse report e-mail to the abuse contact of the IP address, with the relevant log lines.

5.4 - Jail

A jail ties one filter, one log source and the actions to run together for a service. Jails ship disabled in jail.conf; turn one on by setting enabled = true in its section of jail.local.

[sshd]
...
enabled = true
...

5.5 - Filter

In the directory /etc/fail2ban/filter.d

These files contain the regular expressions (failregex, with <HOST> marking the offending address, and ignoreregex for lines to skip) that determine whether a line in the log is a failed authentication attempt. The fail2ban-regex tool tests a filter against a log file or a single line before the filter is put in a jail.

ll /etc/fail2ban/filter.d
total 348
-rw-r--r-- 1 root root  442 May 11  2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11  2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11  2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11  2017 apache-botsearch.conf
-rw-r--r-- 1 root root  813 May 11  2017 apache-common.conf
-rw-r--r-- 1 root root  268 May 11  2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root  487 May 11  2017 apache-modsecurity.conf
-rw-r--r-- 1 root root  596 May 11  2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11  2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11  2017 apache-overflows.conf
-rw-r--r-- 1 root root  346 May 11  2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11  2017 apache-shellshock.conf
..........
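The ban condition of 5.1 (maxretry failures within findtime, lifted after bantime) and the filter matching of 5.5 (failregex with a <HOST> placeholder) are shown together below, applied to a few constructed auth.log lines of the kind the sshd jail in 6 watches. This is an added example written for this page, not fail2ban's code: the three failregex entries are simplified stand-ins for the ones in filter.d/sshd.conf, <HOST> is expanded to an IPv4-only pattern, and the log excerpt is made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-ins for the failregex entries of filter.d/sshd.conf
# (constructed for this example, not copied from fail2ban). <HOST> is the
# placeholder fail2ban expands into its address-matching pattern.
FAILREGEX = [
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2",
    r"Invalid user \S+ from <HOST>",
    r"User \S+ from <HOST> not allowed because not listed in AllowUsers",
]
# IPv4 only here; fail2ban's real <HOST> also covers IPv6 and host names.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed auth.log excerpt: 203.0.113.7 fails three times inside 600 s,
# 192.0.2.15 also fails three times but spreads them over more than findtime.
LOG = """\
Nov  4 19:48:06 server sshd[4012]: Invalid user oracle from 203.0.113.7
Nov  4 19:48:09 server sshd[4012]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Nov  4 19:48:15 server sshd[4013]: Accepted publickey for alice from 198.51.100.4 port 50110 ssh2
Nov  4 19:48:20 server sshd[4015]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov  4 19:58:40 server sshd[4020]: Failed password for root from 192.0.2.15 port 40001 ssh2
Nov  4 20:10:00 server sshd[4021]: Failed password for root from 192.0.2.15 port 40002 ssh2
Nov  4 20:10:30 server sshd[4022]: Failed password for root from 192.0.2.15 port 40003 ssh2
"""


def match_failure(line):
    """Return the offending host if any failregex matches the line, else None."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line, year=2019):
    """Parse the 'Mon dd HH:MM:SS' syslog prefix; syslog omits the year, so assume one."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class Jail:
    """Ban bookkeeping of one jail: maxretry failures within findtime -> ban for bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> time the ban expires

    def expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban's unban step)."""
        for host in [h for h, until in self.bans.items() if now >= until]:
            del self.bans[host]

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        host = match_failure(line)
        if host is None:
            return None
        now = syslog_time(line)
        self.expire(now)
        if host in self.bans:
            return None  # already banned, nothing more to do
        recent = self.failures[host]
        recent.append(now)
        # Sliding window: only failures within the last findtime seconds count.
        while now - recent[0] > self.findtime:
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.bans[host] = now + self.bantime
            recent.clear()
            return host
        return None


def run(lines, jail):
    """Feed lines in order; return the hosts banned, in the order they were banned."""
    banned = []
    for line in lines:
        host = jail.feed(line)
        if host:
            banned.append(host)
    return banned


if __name__ == "__main__":
    jail = Jail(maxretry=3, findtime=600, bantime=600)
    print("banned:", run(LOG.splitlines(), jail))
    for host, recent in jail.failures.items():
        print(f"{host}: {len(recent)} failure(s) still inside findtime")
```

With maxretry = 3 and findtime = 600 only 203.0.113.7 is banned; 192.0.2.15 never has three failures inside one 600 s window, which is the blind spot of a short findtime. Raising findtime to 1800 catches it too. Against a real filter, the same matching check is what fail2ban-regex reports as "matched" lines.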

6 - Example

6.1 - sshd

With fail2ban 0.9.x the sshd filter ships in several variants: sshd.conf matches ordinary authentication failures (wrong password, or a login to an account that does not exist on the system or that sshd refuses, such as root, oracle, cisco, etc.), sshd-ddos.conf matches connections that drop before authentication, and sshd-aggressive.conf combines both. From 0.10 these are modes of one filter, selected with filter = sshd[mode=aggressive]. A filter only decides which log lines count as failures; how long a host stays banned is set by bantime, not by the filter. Check the file /etc/fail2ban/filter.d/sshd.conf for the exact regular expressions.

/etc/fail2ban/jail.local
[sshd]
enabled     = true
port        = 2222
filter      = sshd-aggressive
logpath     = /var/log/auth.log
maxretry    = 3

Test (from a host you can afford to lock out for bantime, or after adding your own address to ignoreip):

  • 3 unsuccessful authentications (ssh takes the port with -p, not after a colon)
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
ssh -p 2222 bad_user@server
  • The firewall should now reject the client address (here the documentation address 192.0.2.15). Fail2ban 0.9 and later name the chain f2b-<jail>; older releases used fail2ban-<jail>.
sudo iptables -S
....
-A f2b-sshd -s 192.0.2.15/32 -j REJECT --reject-with icmp-port-unreachable
...

7 - Documentation / Help