fail2ban - Free of dictionary attacksFollow @ggarron
Starting this year I posted about DenyHosts, which is a must have tool to avoid dictionary attacks to port 22 (ssh).
This kind of tools are really needed by sysadmins because the normal user refuse to make strong password, If the admin gives them a strong password, they will write it down, and then it stops being "strong", If the admin tells the normal users, they need to remember their passwords and not to write them down, they will come with weak passwords like their son's name, looking for new ways to secure the servers against dictionary attacks or brute force attacks, I have found this other tool that can do the job, I think this one is more flexible than DenyHosts, and also it works with Iptables.
Well lets start, telling the options of fail2ban and its features.
It works by parsing logs files and thus finding failure attempts to log into the system, via a lot of possible protocols, and then acting to block the IP of the offending machine for the time you may configure, and using a lot of ways to achieve that.
It can block using:
I will only talk here about Iptables which is the one I understand better.
fail2ban is actually two programs, a server and a client, while the server performs the actions of banning the IPs, the client is the one who reads the configurations files and parses the log files to instruct the server what to do.
Debian / ubuntu
apt-get install fail2ban
Gentoo / Sabayon
Once installed there is the need of configuring it before making it run.
Fail2ban has two main configuration files called /etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.com
Usually you will only need to change jail.conf
Jail.conf is divided by sections
[default] Where all default options should go, all of them could be overwritten by the options written under the individual jails on this file
The options are:
- Defines whether or not a given section is enabled or nor, its possible values are:
- This is not used in the default section as it is used to tell fail2ban client what it is looking for in the logfile, its values could be among others:
- This option tells fail2ban what action to take once a rule is broken, could be specified a default action in the default section, and overwritten on each jail section you may need to change the default value.
- With this option we need to pass the file to be parsed, should be taken into account that different distribution has different log files for instance for ssh in:
- Fedora -> /var/log/secure
- CentOS -> /var/log/secure
- Debian -> /var/log/auth
- Ubuntu -> /var/log/auth
- Sabayon -> /var/log/messages
- This option is used to set one or some IPs that should not be blocked, no matter how many times a users fail in login from those IPs, use this with care
- This option is used to set the limit of retries a user have before he gets blocked
- This option is used to set the time (in seconds) an IP will be banned, maybe a good option could be 5 minutes so, 300 seconds, this will put bots away while also letting legitimate users to try again after the ban time ends
- Use this option to set the email of the person who should receive alerts when an IP is banned
- Use this option to instruct with action will be taking in order to ban an offending IP. ie:
- iptables --- To use Iptables in order to ban the offending IP
- iptables-new --- To ban only new connections
- iptables-multiport --- To ban all ports from the offending IP
- shorewall --- To use Shorewall instead of Iptables
- Set here the default protocol to ban, TCP or UDP
Lets put an example to secure ssh access.
Example of /etc/fail2ban/fail2ban.conf
[Definition] loglevel = 3 # 1=Error, 2=Warn, 3=Info, 4=Debug logtarget = /var/log/fail2ban.log socket = /var/run/fail2ban.sock
Now lets go with the /etc/fail2ban/jail.conf
[DEFAULT] ignoreip = 127.0.0.1 bantime = 600 maxretry = 3 backend = polling destemail = root@localhost banaction = iptables-multiport mta = sendmail protocol = tcp action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] action = %(action_)s # JAILS [ssh] enabled = true port = ssh,sftp filter = sshd logpath = /var/log/auth.log maxretry = 6 [apache] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*access.log maxretry = 6
With these files we will have ssh enabled and secured, you see also here the configuration for apache, but it is disable.
to turn the service on run: