Secure with Fail2Ban


What is Fail2Ban

Fail2Ban is an intrusion-prevention framework written in Python. The basic idea behind Fail2ban is to secure a server by monitoring the logs of common services for patterns of authentication failures. It works by reading your SSH, Apache and other internet-facing service logs for signs of an attack.

If a service requires authentication, illegitimate users and bots will try to break in by repeatedly authenticating with different credentials. Fail2ban counts those failures per source address and blocks the address once it crosses a threshold, which protects your sites from brute-force attacks.

Fail2ban works by dynamically adding firewall rules (iptables by default) that temporarily block addresses which have exceeded a set number of failed login attempts. Each filter identifies authentication failures for one specific service through regular expressions, which are defined in the filter file in a variable called failregex.

Fail2ban is primarily focused on SSH attacks, but it can be configured for any service that writes a log file and can be attacked, including web login pages: left unprotected, a login page lets abusers waste your bandwidth by hitting it continuously.

How it works

First, it reads its core configuration files, .conf and .local, for its marching orders.

Any IP addresses you want it to ignore go in jail.local under the ignoreip setting.

In jail.local you need to set the following parameters: bantime, findtime and maxretry.

* bantime: This is the length of time in seconds for which an IP is banned. If you set this to a negative number, the ban is permanent. The default value of 600 bans an IP for 10 minutes. I prefer to set this longer, 3,600, an hour.

* findtime: This is the window of time within which failed login attempts are counted toward a ban. For example, if Fail2ban is set to ban an IP after 5 failed login attempts, those 5 attempts must occur within the default 10-minute findtime window. That default works for me. Findtime, like bantime, is set in seconds, so if you wanted to block an IP address after 5 failures in five minutes, you would set findtime to 300.

* maxretry: This sets the maximum number of failed attempts that can be made from a single IP within findtime before a ban is imposed. The default is set to 3. I think that is a reasonable number.

How to set it up

There's an RPM available for RHEL on the download page (the EPEL repository also carries it), but you can also download the source and set it up manually. Its configuration files go into /etc/fail2ban.
The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult. Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want overridden, which helps maintainability.
Filters go into filter.d: this is where you define the regexps, each filter in its own file.
Actions go into action.d: you probably won't need to add one, but it's handy to know what's available.
"Jails" are the configuration unit that ties one filter (a file in filter.d) to a log file, one or more actions to trigger when the threshold is reached, and the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds).
Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one; it can be as bad to have the wrong ones enabled as to have the right ones disabled.
Running Fail2Ban

Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations (on systemd hosts, systemctl {start|stop|status} fail2ban).
Use fail2ban-client -d to dump its current configuration to STDOUT. Very useful for troubleshooting.
Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexps. It can log either to syslog or to a file, whichever suits your needs better.

Installation:

For CentOS/Red Hat servers
#yum install fail2ban

For Debian/Ubuntu servers
#apt-get -y install fail2ban

Common rules

#vi /etc/fail2ban/jail.local

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime  = 60

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3


[ssh-iptables]

enabled  = false

[apache-shorewall]

enabled  = true
# "filter" names a file in filter.d (here /etc/fail2ban/filter.d/cac-login.conf),
# which must exist and define the failregex for this log; "action" likewise
# names action.d/shorewall.conf.
filter   = cac-login
action   = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling


Custom rules:

Configuring for WordPress login
The following is an example only, and you should adjust it for your site.

filter.d/wordpress-login.conf

[Definition]

# Anchor on the source address at the start of the access-log line and escape
# the dot. Note that this counts every request for the login page, not only
# failed logins, so a legitimate user who reloads it maxretry times is banned too.
failregex = ^<HOST> .*"GET /wp-login\.php

ignoreregex =

Configuring for JIRA
The following is an example only, and you should adjust it for your site.

filter.d/jira-login.conf

[Definition]

# Same approach as above: anchored on the source address, with the dot escaped.
failregex = ^<HOST> .*"GET /login\.jsp

ignoreregex =
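To see how the bantime/findtime/maxretry settings described earlier and a failregex like the WordPress one above actually combine, here is a small simulation in Python (fail2ban's own language). This is an added example, not code from the page or from the fail2ban project: it replays constructed Apache access-log lines through a single jail with the same counting rules, and compares the page's GET filter with a stricter filter that counts only failed login POSTs. The <HOST> substitution is a simplified form of the pattern fail2ban uses, and the stricter filter assumes that WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified form of what fail2ban substitutes for <HOST> (IPv4/hostname only;
# the real pattern also handles IPv6 literals).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Timestamp inside an Apache combined-log line, e.g. [10/Oct/2023:13:55:36 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# The page's WordPress filter (regex corrected): counts every load of the login page.
WP_GET_FILTER = r'^<HOST> .*"GET /wp-login\.php'

# Stricter alternative. Assumption: WordPress re-renders the form with HTTP 200 on a
# failed login and redirects (302) on success, so "POST ... 200" means a failure.
WP_FAILED_POST_FILTER = r'^<HOST> .*"POST /wp-login\.php[^"]*" 200 '

# Constructed log lines (not real traffic). 203.0.113.5 brute-forces (three failed
# POSTs in 8 s); 198.51.100.7 reloads the login page twice, then logs in; 192.0.2.9
# loads the page three times spread over 28 minutes; 10.0.0.4 is in the ignoreip range.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:31:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:55 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.4 - - [10/Oct/2023:13:58:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.4 - - [10/Oct/2023:13:58:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.4 - - [10/Oct/2023:13:58:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""


def log_time(line):
    """Parse the Apache timestamp of a log line (timezone offset ignored)."""
    m = TIME_RE.search(line)
    if not m:
        raise ValueError("no timestamp in line: " + line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def simulate_jail(log_text, failregex, maxretry=3, findtime=60, bantime=600, ignoreip=()):
    """Replay log lines through one jail; return {host: time the ban was set}.

    Same rules as jail.local: a host is banned once it produces maxretry matches
    inside any findtime window; hits from ignoreip never count; hits from a banned
    host are ignored until bantime has elapsed (then it can be banned again).
    """
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(deque)  # host -> timestamps of matches still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host, ts = m.group("host"), log_time(line)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname; fail2ban would resolve it, here it just counts
        if addr is not None and any(addr in net for net in ignore_nets):
            continue
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue  # still banned, nothing more to count
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
            window.clear()
    return bans


def compare_filters(log_text=SAMPLE_LOG):
    """Run both WordPress filters with maxretry=3, findtime=60 and a local ignore list."""
    ignore = ("127.0.0.1/8", "10.0.0.0/8")
    return {
        "get": simulate_jail(log_text, WP_GET_FILTER, ignoreip=ignore),
        "failed_post": simulate_jail(log_text, WP_FAILED_POST_FILTER, ignoreip=ignore),
    }


if __name__ == "__main__":
    for name, bans in compare_filters().items():
        print(name, {h: t.strftime("%H:%M:%S") for h, t in bans.items()})
```

With these constructed lines the GET filter bans only the legitimate user who reloaded the page (198.51.100.7) and never sees the brute-forcer, who loaded the page once and then POSTed, while the failed-POST filter bans 203.0.113.5 at its third failure and lets the successful 302 login through. On a real host the equivalent check, before enabling a jail, is fail2ban-regex /var/log/httpd/access.log /etc/fail2ban/filter.d/wordpress-login.conf, which reports how many lines each failregex matched and which addresses it would have counted.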


To query the status of fail2ban, use the commands below. They show which IP addresses are currently banned.

fail2ban-client status
(overall status)

fail2ban-client status jail_name
(for an individual jail)

Fail2ban's own log holds a record of recent actions:

/var/log/fail2ban.log
Fail2Ban is available at fail2ban.org, along with more documentation.
More information can be found on the Fail2ban official page:
http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal