Blocking brute force
attacks under Linux Using fail2ban
What is Fail2ban ?
Monitors (in daemon mode) or just scans log files (e.g. /var/log/auth.log,
/var/log/apache/access.log) and temporarily bans failure-prone
addresses by updating existing firewall rules. Currently, by
default, supports ssh/apache but configuration can be easily
extended for scanning the other ASCII log files. Firewall rules
are given in the config file, thus it can be adopted to be used
with a variety of firewalls (e.g. iptables, ipfwadm).
In order to run Fail2ban, you need:
Log4py (not needed with >=fail2ban-0.5.2)
You will also need
Parses log files and looks for given patterns.
Executes a command when a pattern has be detected for the same
IP address for more than X times. X can be changed.
After a given amount of time, executes another command in order
to unban the IP address.
Uses Netfilter/Iptables by default but can also use TCP Wrapper
(/etc/hosts.deny) or others firewalls.
Handles log files rotation.
Can handle more than one service (sshd, apache, vsftpd, etc).
Currently this package is available in unstable version you need
to add the unstable source list for your /etc/apt/sources.list
like below and save the file
deb http://mirror.ox.ac.uk/debian/ unstable main
deb-src http://mirror.ox.ac.uk/debian/ unstable main
Now you need to run the following commands
#apt-get install fail2ban
This will install all the dependencies you might not have on the
system (python, iptables, lsb-base).
Once installed, it will be started automatically. The
configuration file is located in /etc/fail2ban.conf. It will
enable by default the protection against SSH brute force
attacks. The configuration file contains each available
parameter excellently commented and that should be the only
documentation you will need for fail2ban.
You need to change the following parameters in
maxfailures = number of failures before IP gets banned. Defaults
to 5. I like to lower this to 3
maxfailures = 3
bantime = number of seconds an IP will be banned. If set to a
negative value, IP will never be unbanned (permanent banning).
Defaults to 600 (10 min).
bantime = -1
ignoreip = space separated list of IPís to be ignored by
fail2ban. No default. I like to add my own static management ips
here just in caseÖ
ignoreip = 172.18.0.1
All fail2ban actions are logged and can be reviewed. The log
file is defined using:
logtargets = /var/log/fail2ban.log
The SSH section works perfectly out of the box being aware of
Debian log files names, etc:
Here we can see the log file fail2ban will monitor for SSH
attacks (/var/log/auth.log), the port that will be used to block
the hosts (they will still be able to communicate with other
protocols with our host even after ssh blocking) and also the
regular expressions that will trigger fail2ban.
Besides the SSH section that is enabled by default the
configuration file contains other usable sections for other
programs (you just have to enable them as they default to
disabled): SASL, Apache, Apache Attacks, VSFTPD, PROFTPD. This
can also be the starting point for writing your own rules
targeted for any program you might need.
Here are the iptables definitions that will actually block the
fwstart will create when starting the program for each of the
defined active sections a different iptables chain. This will be
called fail2ban-(name_of_section), for ex: fail2ban-SSH,
On program exit these chains are deleted. There is no
persistence in fail2ban. If for any reason the program is
restarted it will rescan the log files for failed attempts (only
events newer then findtime - def 600) and it will add them to
the active list. This is not at all a big limitation and you
are aware that if you restart the program you will start
fresh.The action that is taken when a host is banned will just
add a new iptables rule in the program chain that will drop the
traffic for the attacker.