Secure Your Linux Server with Fail2Ban

Fail2Ban monitors log files to determine if someone who is trying to gain access is a legitimate user. If they aren't, they get banned temporarily by their IP address. Policies can be setup in conjunction with a firewall to log failed access attempts and drop traffic for a period of time, preventing a would-be attacker from even attempting to access your services.

fail2ban-logo4341e.jpg

source

This is a continuation from 3 previous parts:


Installation

sudo apt-get update

sudo apt-get install fail2ban

sudo apt-get install sendmail (optional)

Together: sudo apt-get install fail2ban sendmail

Given the previous guide for UFW being done, turn it on and allow ssh as an example.

ufw enable
ufw allow ssh

Configuration

Here is where the config is located:

/etc/fail2ban/jail.conf

We don't edit that file though. We make a copy and comment out the contents like so:

awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

This file jail.local will override the defaults in jail.conf, so we just add any changes there instead.

Let's see how the original file looks:

sudo nano /etc/fail2ban/jail.conf

Editing configuration

If you want to exempt your own IP from multiple login security, open:

sudo nano /etc/fail2ban/jail.local

and add somewhere in the the following (or you can uncomment each section by removing the #):

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89

127... is for the local server itself, and then 123... is an example of your own IP. This applies to all jails for all programs. If you want to whitelist an IP per jail section, like ssh, use the command: fail2ban-client set ssh addignoreip 123.45.67.89

Bans

If you want to change how long an IP is banned for, the time interval to check for login attempt failures, or the maximum login attempt limit, then add and change the bantime, findtime and maxretry parameters.

Emails

If you want to setup email delivery of alerts from Fail2ban:

# ACTIONS

destemail = yourEmail@domain.com
sendername = Fail2Ban
sender = admin@server.com
mta = sendmail

Then add:

action = $(action_)s

where you replace action_ with either:

  • action_mw for email alerts
    or
  • action_mwl for w/ relevant log lines

Jail Configuration

Apart from those main settings, are the individual service settings, like for SSH. You can look through to see what services are filtered by default.

Failregexs - these are custom filters you can make with regular expression matches that scan log files for attempted intruders. I suggest you google more into this feature and regex to learn more if you want to. Regex is powerful.

This command will tell you if fail2ban is running:

sudo fail2ban-client status

Apart from status, there is also the stop and start command on the service, or restart to reload the configuration alone.

And then reload the changes made in the config file with:

sudo fail2ban-client reload

Done

That's it. Now if anyone tries to login to your ssh configured port, and fail to enter the password three times, their IP will be banned. If you didn't add your own IP to the configuration earlier, then you will also get banned if you fail to login after 3 attempts.


Recap summary:

sudo apt-get update
sudo apt-get -y install fail2ban sendmail
awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Add exemption for your IP (either add the lines or uncomment, and edit), and the email if you want to receive:

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89
destemail = yourEmail@domain.com
sendername = Fail2Ban
sender = admin@server.com
mta = sendmail

Reload and Done

sudo fail2ban-client reload
sudo fail2ban-client status

You should see:

krnel@steembuntu:~$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

If not, go back into the original /etc/fail2ban/jail.conf and add a line under the [ssh] section:

enabled = true

Then do this again:

sudo fail2ban-client reload
sudo fail2ban-client status

That should do it. If not, try to troubleshoot with the below section:



If that doesn't work... or for whatever reason you want only what you need in the file, put in all these values in a new config /etc/fail2ban/jail.local:

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89
ignorecommand =
bantime  = 600
findtime  = 600
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s

Add your email if you want:

destemail = yourEmail@domain.com
sendername = Fail2Ban
sender = admin@server.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
                 
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

action = %(action_mw)s
[sshd]
enabled  = true
port    = ssh
logpath = %(sshd_log)s

[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s

If you want to enable jailing on individual services, for example in the [ssh] section, add that section to the jail.local file and add or uncomment the section as well.

Uncomment any section you want to have fail2ban enabled on, or copy and paste it at the end with the other additions, if that's what you already did.

Reload and Done

sudo fail2ban-client reload
sudo fail2ban-client status


Ok. That's it. The last section was only required if you want a cleaner file, with less filters running. You will have to add the filters you need as you need them though, since they won't be enabled by default any longer, such as HTTP for a web server fail2ban protection.

I hope the tutorial was of use to you.


Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.

Payout Selected


[References: 1, 2, 3]


If you appreciate and value the content, please consider:
Upvoting upvote91a69.png ,    Sharing share2195b.png and   Reblogging reblog33b5f.png below.

Follow me for more content to come!


@krnel
2016-12-04, 10am

H2
H3
H4
3 columns
2 columns
1 column
8 Comments