fail2ban
Hello friends, Today we will see how to protect your server using Fail2ban.
Introduction
When we connect to our server through SSH, then there is a risk of compromising our server ,since SSH itself is a service that is exposed to internet . If you pay attention to application logs for these services, you will often see repeated, systematic login attempts that represent brute force attacks by users and bots alike. So, Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.
Installation
Use apt to install the package,
apt-get update
apt-get install fail2ban
Configure Fail2ban
Default Fail2ban configuration file is jail.conf(inside /etc/fail2ban), but this file is modified by package updates , so we won’t change this file instead we will create its copy as jail.local (within the same directory) and then modify that file.
Few important blocks inside jail.local :
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
action = $(action_)sThe ignoreip setting configures the source addresses that fail2ban ignores. By default, it is configured to not ban any traffic coming from the local machine. You could add additional addresses to ignore by adding a [DEFAULT] section with an ignoreip setting under it to the jail.local file. You can add additional addresses by appending them to the end of the directive, separated by a space.
The bantime parameter sets length of time that a client will be banned when they have failed to authenticate correctly. This is measured in seconds. By default, this is set to 600 seconds, or 10 minutes.
The next two parameters that you want to pay attention to are findtime and maxretry. These work together to establish the conditions under which a client is found to be an illegitimate user that should be banned.
The maxretry variable sets the number of tries a client has to authenticate within a window of time defined by findtime, before being banned. With the default settings, the fail2ban service will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
You will want to evaluate the destemail, sendername, and mta settings if you wish to configure email alerts. The destemail parameter sets the email address that should receive ban messages. The sendername sets the value of the “From” field in the email. The mta parameter configures what mail service will be used to send mail.
This parameter configures the action that fail2ban takes when it wants to institute a ban. The value action_ is defined in the file shortly before this parameter. The default action is to simply configure the firewall to reject traffic from the offending host until the ban time elapses.
If you would like to configure email alerts, add or uncomment the action item to the jail.local file and change its value from action_ to action_mw. If you want the email to include the relevant log lines, you can change it to action_mwl. Make sure you have the appropriate mail settings configured if you choose to use mail alerts.
Individual Jail Settings
Each of these sections can be enabled by uncommenting the header in jail.local and changing the enabled line to be "true":
[jail_to_enable]
. . .
enabled = true
. . .For eg:
Look, for the SSH service , It is by defalut enabled, here we can set the port (our SSH port). If you want to override any values, you can do so by adding the appropriate service’s section to jail.local and modifying its values.
Some other settings that are set here are the filter that will be used to decide whether a line in a log indicates a failed authentication and the logpath which tells fail2ban where the logs for that particular service are located.
The filter value is actually a reference to a file located in the /etc/fail2ban/filter.d directory, with its .conf extension removed. These files contain the regular expressions that determine whether a line in the log is a failed authentication attempt .
If you want to use , other that iptables firewall, like UFW , then change banaction(inside ssh block) from iptables-multiport to ufw-ssh.
You then configure fail2ban to use ufw in (one .conf file for each service)
/etc/fail2ban/action.d/ufw-ssh.conf
And the syntax is:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSHNote: You configure fail2ban to use ufw and to insert new rules FIRST using the “insert 1” syntax. The delete will find the rule regardless of order.
You can check your UFW firewall status using ufw status numbered
Lets look into another example: For instance, pretend that we are serving a website using Nginx and realize that a password-protected portion of our site is getting slammed with login attempts. We can tell fail2ban to use the nginx-http-auth.conf file to check for this condition within the /var/log/nginx/error.log file.
This is actually already set up in a section called [nginx-http-auth] in our /etc/fail2ban/jail.local file. We would just need to uncomment the section in the jail.local file and flip the enabled parameter to protect our service.
Now , Stop the fail2ban service for a moment so that we can establish a base firewall without the rules it adds.
Establish a Base Firewall
When this finished , we will now implement a default firewall(either UFW or iptables), in our case its iptables.
We’re going to tell it to allow established connections, traffic generated by the server itself, traffic destined for our SSH and web server ports. We will drop all other traffic. We can set this basic firewall up by typing:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP
These commands will implement the above policy. We can see our current firewall rules by typing:
sudo iptables -S
You can save the firewalls so that they survive a reboot by typing:
sudo dpkg-reconfigure iptables-persistent
Afterwards, you can restart fail2ban to implement the wrapping rules:
sudo service fail2ban start
Testing the Banning Policies
Try to SSH into fail2ban server , with non-existent user name .
For Eg.
ssh blah@fail2ban_server_IP
Now from another server , ssh into the fail2ban server, and look for the new banned ip inside iptables using :
sudo iptables -S
You will see inside the output, somewhat like:
-A fail2ban-ssh -s 203.0.113.14/32 -j REJECT --reject-with icmp-port-unreachable
This is all for fail2ban. Fail2ban is very easy to set up, and is a great way to protect any kind of service that uses authentication.