fail2ban is a script that monitors network access attempts by reading server logs.

When fail2ban detects repeated authentication failures, it reacts by banning the offending IP address with iptables.

This blocks many brute-force and/or dictionary attacks.

Fail2Ban relies on a system of jails that can be defined, enabled or disabled in a simple configuration file (/etc/fail2ban/jail.conf).


Installation

Install it with the following command:

apt-get install fail2ban

Configuration

The general configuration is done in the following file:

vi /etc/fail2ban/fail2ban.conf

Verbosity level of the logs (default 3)

Path to the log file (describing the actions taken by fail2ban)

The services to monitor are defined in jail.conf.
It is advised to work on a copy called jail.local, which is automatically used in preference to the example file.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Several global parameters:

List of trusted IP addresses that Fail2ban must ignore

Ban duration in seconds

Number of failed connection attempts allowed before a ban

Destination email address for notifications

Action to take on a positive detection (see /etc/fail2ban/action.d/)

Each jail section has its own parameters, which override the global ones when they are present:

Monitoring enabled (true) or disabled (false)

See above

IP port concerned

Log file to analyze for anomalies

Filter used to analyze the log

The default filters are stored in /etc/fail2ban/filter.d. Generally, they contain a failregex instruction followed by a regular expression that matches a failed authentication.

For example, for the Courier service:

failregex = LOGIN FAILED, ip=[<HOST>]$

Note: this can be specified directly in jail.local, in the appropriate section, to take precedence over the filter directive.

Example configuration for an ssh jail:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 7
bantime  = 1800
ignoreip = 85.31.192.0/26 85.31.193.0/26

You can also change the port if necessary:

enabled = true
port    = 2222
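To see how a filter's failregex and the jail's maxretry and ignoreip parameters combine to decide a ban, here is an added Python example (not fail2ban's own code): it expands the <HOST> placeholder with a simplified IPv4-capturing group, counts matches per source host over a few constructed auth.log lines, and skips hosts covered by ignoreip. The failregex and the log lines are constructed for illustration, not taken from fail2ban's sshd filter.

```python
import ipaddress
import re
from collections import Counter

# fail2ban substitutes <HOST> with a group capturing the offending address;
# this simplified stand-in (an assumption, not fail2ban's exact pattern)
# captures an IPv4 address only.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed failregex in the style of the sshd filter (not fail2ban's own).
SSHD_FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                  r"from <HOST> port \d+ ssh2$")

# Constructed auth.log lines using documentation address ranges.
SAMPLE_LOG = [
    "Jan 12 10:01:07 srv sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:01:09 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Jan 12 10:02:11 srv sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 12 10:03:00 srv sshd[1250]: Failed password for bob from 198.51.100.7 port 40012 ssh2",
]

def compile_failregex(failregex):
    """Turn a jail-style failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def is_ignored(host, ignoreip):
    """True when host falls inside any address or network listed in ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def count_failures(log_lines, failregex):
    """Count matching failures per source host, as a jail's filter would."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts

def hosts_to_ban(log_lines, failregex, maxretry, ignoreip=()):
    """Hosts reaching maxretry failures that are not whitelisted by ignoreip."""
    counts = count_failures(log_lines, failregex)
    return sorted(host for host, n in counts.items()
                  if n >= maxretry and not is_ignored(host, ignoreip))

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG, SSHD_FAILREGEX))
    print(hosts_to_ban(SAMPLE_LOG, SSHD_FAILREGEX, 2))
    print(hosts_to_ban(SAMPLE_LOG, SSHD_FAILREGEX, 2, ignoreip=["203.0.113.0/24"]))
```

With maxretry = 2 only 203.0.113.5 is a ban candidate; adding its network to ignoreip clears the list, which is the behaviour to check before trusting a new failregex in production.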

Once the modifications are made, fail2ban must be restarted:

/etc/init.d/fail2ban restart

To list the banned IP addresses:

iptables -L -n -v

We can see 3 blocked IPs in the example below:

Chain fail2ban-SSH (1 references)
pkts  bytes target    prot opt in   out     source          destination
26    1848  REJECT    all  --  *    *   113.195.145.13      0.0.0.0/0       reject-with icmp-port-unreachable
9     468   REJECT    all  --  *    *   112.101.136.48      0.0.0.0/0       reject-with icmp-port-unreachable
54    3560  REJECT    all  --  *    *   116.31.116.45       0.0.0.0/0       reject-with icmp-port-unreachable
8270K 3035M RETURN    all  --  *    *    0.0.0.0/0      0.0.0.0/0

Fail2ban-client

This command allows a large number of actions to be performed on the fly, such as changing the loglevel, unbanning an IP or changing a regex. However, these modifications are not persisted unless they are also added to the configuration files: if the service or the server is restarted, your changes are lost. It remains a great tool for debugging and for quick actions.

Example of unbanning an IP without restarting (the other IPs stay blocked), ssh-iptables being the jail's name:

fail2ban-client set ssh-iptables unbanip 113.195.145.13