Fail2ban scans log files for various services ( SSH, FTP, SMTP, Apache, etc., ) and bans the IP that makes too many password failures. It also updates the firewall rules to reject these ip addresses.
Fail2ban is an intrusion prevention framework written in the Python programming language.
Main purpose of Fail2ban is to prevent brute force login attacks.
Also, refer to our earlier article on Tripwire (Linux host based intrusion detection system).
Install Fail2ban
To install fail2ban from source, download it from sourceforge..
Use apt-get to install Fail2ban on a Debian based system as shown below.
# apt-get install fail2ban
You can also install Fail2ban manually by downloading the fail2ban deb package.
# dpkg -i fail2ban_0.8.1-1_all.deb
How to configure fail2ban
All Fail2ban configuration files are located under the /etc/fail2ban directory.
/etc/fail2ban/fail2ban.conf
Main purpose of this file is to configure fail2ban log related directives.
- Loglevel: Set the log level output.
- logtarget : Specify the log file path
Actions taken by the Fail2ban are logged in the /var/log/fail2ban.log file. You can change the verbosity in the conf file to one of: 1 – ERROR, 2 – WARN, 3 – INFO or 4 – DEBUG.
/etc/fail2ban/jail.conf
jail.conf file contains the declaration of the service configurations. This configuration file is broken up into different contexts. The DEFAULT settings apply to all sections.
The following DEFAULT section of jail.conf says that after five failed access attempts from a single IP address within 600 seconds or 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).
[DEFAULT] ignoreip = 127.0.0.1 maxretry = 5 findtime = 600 bantime = 600
- ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
- maxretry: Maximum number of failed login attempts before a host is blocked by fail2ban.
- bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
Service Configurations
By default, some services are inserted as templates. Following is an example of the ssh services section.
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log action = iptables
- enabled : Enable the fail2ban checking for ssh service
- port: service port ( referred in /etc/services file )
- filter: Name of the filter to be used by the service to detect matches. This name corresponds to a file name in ‘/etc/fail2ban/filter.d’; without the ‘.conf’ extension. For example: ‘filter = sshd’ refers to ‘/etc/fail2ban/filter.d/sshd.conf’.
- logpath: The log file that fail2ban checks for failed login attempts.
- Action: This option tells fail2ban which action to take once a filter matches. This name corresponds to a file name in ‘/etc/fail2ban/action.d/’ without the ‘.conf’ extension. For example: ‘action = iptables’ refers to /etc/fail2ban/action.d/iptables.conf’.
Fail2ban will monitor the /var/log/auth.log file for failed access attempts, and if it finds repeated failed ssh login attempts from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with fail2ban iptables firewall rule.
Fail2ban Filters
The directory /etc/fail2ban/filter.d contains regular expressions that are used to detect break-in attempts, password failures, etc., for various services.
For example:
- sshd.conf – Fail2ban ssh related filters
- apache-auth.conf – Fail2ban apache service filters
We can also add our own regular expression to find unwanted action.
Fail2ban Actions
The directory /etc/fail2ban/action.d contains different scripts defining actions which will execute once a filter matches. Only one filter is allowed per service, but it is possible to specify several actions, on separate lines.
For example:
- IPtables.conf – block & unblock IP address
- Mail.conf – Sending mail to configured user
Start/Stop Fail2ban Service
After making configuration changes stop and start the Fail2ban daemon as shown below.
# /etc/init.d/fail2ban stop # /etc/init.d/fail2ban start
