Debianhelp.co.uk
Blocking brute force attacks under Linux Using fail2ban

What is Fail2ban ?

Fail2ban monitors (in daemon mode) or simply scans log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily bans addresses that keep failing by updating existing firewall rules. By default it supports ssh and apache, but the configuration can easily be extended to scan other ASCII log files. The firewall rules are given in the config file, so it can be adapted to a variety of firewalls (e.g. iptables, ipfwadm).

Fail2ban Requirements

In order to run Fail2ban, you need:

Python >=2.3

Log4py (not needed with >=fail2ban-0.5.2)

You will also need

Netfilter/Iptables

Fail2ban features

Highly configurable.

Parses log files and looks for given patterns.

Executes a command when a pattern has been detected for the same IP address more than X times. X can be changed.

After a given amount of time, executes another command in order to unban the IP address.

Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) or other firewalls.

Handles log files rotation.

Can handle more than one service (sshd, apache, vsftpd, etc).

Resolves DNS hostname to IP address.

Can send e-mail notifications.

Runs as a daemon.

Multiple logging targets (syslog daemon, stdout, stderr, files).

Download Fail2ban

http://fail2ban.sourceforge.net/wiki/index.php/Downloads

Fail2ban FAQ

http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english


Install Fail2ban in Debian

Currently this package is only available in unstable, so you need to add the unstable source to your /etc/apt/sources.list as shown below and save the file

deb http://mirror.ox.ac.uk/debian/ unstable main
deb-src http://mirror.ox.ac.uk/debian/ unstable main

Now you need to run the following commands

# apt-get update

# apt-get install fail2ban

This will install all the dependencies you might not have on the system (python, iptables, lsb-base).

Once installed, it will be started automatically. The configuration file is located in /etc/fail2ban.conf. By default it enables protection against SSH brute force attacks. Every available parameter in the configuration file is well commented, and that should be the only documentation you will need for fail2ban.

You need to change the following parameters in /etc/fail2ban.conf file

[DEFAULT]

maxfailures = number of failures before an IP gets banned. Defaults to 5. I like to lower this to 3

maxfailures = 3

bantime = number of seconds an IP will be banned. If set to a negative value, the IP will never be unbanned (permanent ban). Defaults to 600 (10 min).

bantime = -1

ignoreip = space separated list of IPs to be ignored by fail2ban. No default. I like to add my own static management IPs here just in case…

ignoreip = 172.18.0.1

All fail2ban actions are logged and can be reviewed. The log file is defined using:

logtargets = /var/log/fail2ban.log

The SSH section works perfectly out of the box being aware of Debian log files names, etc:

[SSH]
enabled = true
logfile = /var/log/auth.log
port = ssh
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)

Here we can see the log file fail2ban will monitor for SSH attacks (/var/log/auth.log), the port that will be blocked for banned hosts (they will still be able to reach our host over other protocols even after being blocked for ssh) and the regular expressions that will trigger fail2ban. The timeregex and failregex values are Python regular expressions; the backslash escapes must be present in the file, and the (?P<host>...) named group is what fail2ban reads the offending address from.

Besides the SSH section, which is enabled by default, the configuration file contains other usable sections for other programs (you just have to enable them, as they default to disabled): SASL, Apache, Apache Attacks, VSFTPD, PROFTPD. These can also serve as a starting point for writing your own rules for any program you might need.

Here are the iptables definitions that will actually block the offending hosts:

fwchain = INPUT
fwstart = iptables -N fail2ban-%(__name__)s
          iptables -A fail2ban-%(__name__)s -j RETURN
          iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
        iptables -F fail2ban-%(__name__)s
        iptables -X fail2ban-%(__name__)s
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP

When the program starts, fwstart creates a separate iptables chain for each enabled section. The chain is named fail2ban-(name_of_section), for example fail2ban-SSH, fail2ban-VSFTPD, etc. The %(__name__)s placeholder expands to the section name and <ip> to the address being banned or unbanned.

iptables -L -n
Chain INPUT (policy ACCEPT)
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
Chain fail2ban-SSH (1 references)
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

On program exit these chains are deleted. There is no persistence in fail2ban: if for any reason the program is restarted it will rescan the log files for failed attempts (only events newer than findtime, default 600 seconds) and add them to the active list. This is not a big limitation as long as you are aware that restarting the program means starting fresh. The action taken when a host is banned simply adds a new iptables rule to the program's chain that drops the attacker's traffic.
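To see how the [SSH] section's timeregex and failregex and the fwban template above fit together, here is an added example (not code from the page or from fail2ban itself) that runs the page's regexes over a few constructed auth.log lines, applies the maxfailures/findtime rule, and renders the iptables command fail2ban would execute. The sliding-window counting and the sample log lines are assumptions made for the illustration; the regexes and the fwban template are taken verbatim from the configuration above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXFAILURES = 3  # the [DEFAULT] value this page sets
FINDTIME = 600   # seconds, the default the page mentions
TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
TIMEPATTERN = "%b %d %H:%M:%S"  # "%%" in the config file is the escape for a literal "%"
FAILREGEX = (r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
             r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)")
FWBAN = "iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP"  # fwban template from the page

SAMPLE_LOG = """Mar  8 09:00:00 host sshd[1201]: Failed password for root from 192.0.2.50 port 50001 ssh2
Mar  8 09:05:00 host sshd[1202]: Failed password for root from 192.0.2.50 port 50002 ssh2
Mar  8 09:20:00 host sshd[1203]: Failed password for root from 192.0.2.50 port 50003 ssh2
Mar  8 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  8 10:01:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  8 10:01:09 host sshd[1236]: Accepted password for alice from 198.51.100.9 port 40000 ssh2
Mar  8 10:01:12 host sshd[1237]: Illegal user guest from 203.0.113.7
"""  # constructed sample /var/log/auth.log lines (documentation addresses, not real log data)

def parse_failures(log_text):
    """Return [(timestamp, host)] for each line that matches both timeregex and failregex."""
    failures = []
    for line in log_text.splitlines():
        t, f = re.search(TIMEREGEX, line), re.search(FAILREGEX, line)
        if t and f:  # syslog lines carry no year; strptime fills in 1900, fine for time deltas
            failures.append((datetime.strptime(t.group(0), TIMEPATTERN), f.group("host")))
    return failures

def hosts_to_ban(failures, maxfailures=MAXFAILURES, findtime=FINDTIME):
    """Hosts with maxfailures or more failures inside any findtime-second window (assumed rule)."""
    by_host = defaultdict(list)
    for ts, host in failures:
        by_host[host].append(ts)
    banned = []
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxfailures + 1):
            if times[i + maxfailures - 1] - times[i] <= timedelta(seconds=findtime):
                banned.append(host)
                break
    return banned

def render_fwban(section, ip, template=FWBAN):
    """Expand %(__name__)s (the section name) and <ip> into the command fail2ban would run."""
    return (template % {"__name__": section}).replace("<ip>", ip)

if __name__ == "__main__":
    for ip in hosts_to_ban(parse_failures(SAMPLE_LOG)):
        print(render_fwban("SSH", ip))
```

Only 203.0.113.7 is banned: 192.0.2.50 also fails three times, but its attempts are spread over 20 minutes and never fall inside one 600-second findtime window, and the successful login from 198.51.100.9 does not match failregex at all.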