Blocking brute force attacks under Linux Using fail2ban
What is Fail2ban ?
Monitors (in daemon mode) or just scans log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily bans failure-prone addresses by updating existing firewall rules. Currently, by default, supports ssh/apache but configuration can be easily extended for scanning the other ASCII log files. Firewall rules are given in the config file, thus it can be adopted to be used with a variety of firewalls (e.g. iptables, ipfwadm).
In order to run Fail2ban, you need:
Log4py (not needed with >=fail2ban-0.5.2)
You will also need
Parses log files and looks for given patterns.
Executes a command when a pattern has been detected for the same IP address more than X times. X can be changed.
After a given amount of time, executes another command in order to unban the IP address.
Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) or other firewalls.
Handles log files rotation.
Can handle more than one service (sshd, apache, vsftpd, etc).
Currently this package is only available in the unstable distribution, so you need to add the unstable sources to your /etc/apt/sources.list, as shown below, and save the file:
deb http://mirror.ox.ac.uk/debian/ unstable main
deb-src http://mirror.ox.ac.uk/debian/ unstable main
Now you need to run the following command:
# apt-get install fail2ban
This will install all the dependencies you might not have on the system (python, iptables, lsb-base).
Once installed, it is started automatically. The configuration file is /etc/fail2ban.conf. By default it enables protection against SSH brute force attacks. Every available parameter is thoroughly commented in the configuration file, and that should be the only documentation you will need for fail2ban.
You need to change the following parameters in the /etc/fail2ban.conf file:
maxfailures = number of failures before an IP gets banned. Defaults to 5. I like to lower this to 3.
maxfailures = 3
bantime = number of seconds an IP will be banned. If set to a negative value, IP will never be unbanned (permanent banning). Defaults to 600 (10 min).
bantime = -1
ignoreip = space separated list of IPs to be ignored by fail2ban. No default. I like to add my own static management IPs here just in case...
ignoreip = 172.18.0.1
All fail2ban actions are logged and can be reviewed. The log file is defined using:
logtargets = /var/log/fail2ban.log
The SSH section works perfectly out of the box, since it already knows the Debian log file names, etc:
Here we can see the log file fail2ban will monitor for SSH attacks (/var/log/auth.log), the port that will be blocked for banned hosts (they will still be able to reach our host over other protocols even after the SSH block) and also the regular expressions that will trigger fail2ban.
Besides the SSH section, which is enabled by default, the configuration file contains ready-made sections for other programs (you just have to enable them, as they default to disabled): SASL, Apache, Apache Attacks, VSFTPD, PROFTPD. These can also be the starting point for writing your own rules for any program you might need.
Here are the iptables definitions that will actually block the offending hosts:
When the program starts, fwstart creates a separate iptables chain for each of the defined active sections. The chain is called fail2ban-(name_of_section), for example fail2ban-SSH, fail2ban-VSFTPD, etc.
On program exit these chains are deleted. There is no persistence in fail2ban: if for any reason the program is restarted, it rescans the log files for failed attempts (only events newer than findtime, default 600 seconds) and adds them to the active list. This is not a big limitation as long as you are aware that restarting the program means starting fresh. The action taken when a host is banned simply adds a new iptables rule to the program's chain that drops the traffic from the attacker.
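As an added illustration (not code from the page or from the fail2ban project), the following Python reproduces the logic described above: it applies an SSH failure regex to constructed auth.log lines, counts failures per IP inside a sliding findtime window, honours ignoreip, and emits the iptables commands the ban and unban actions would run against the fail2ban-SSH chain. The regex, the sample log lines, the choice to treat the maxfailures-th failure as the trigger and the exact command strings are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not taken from the original page).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Mar  3 10:00:05 host sshd[2002]: Failed password for root from 203.0.113.7 port 4002 ssh2
Mar  3 10:00:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 4003 ssh2
Mar  3 10:00:12 host sshd[2004]: Failed password for root from 172.18.0.1 port 4010 ssh2
Mar  3 10:00:13 host sshd[2005]: Failed password for root from 172.18.0.1 port 4011 ssh2
Mar  3 10:00:14 host sshd[2006]: Failed password for root from 172.18.0.1 port 4012 ssh2
Mar  3 10:03:00 host sshd[2007]: Failed password for root from 198.51.100.9 port 4020 ssh2
Mar  3 10:20:00 host sshd[2008]: Failed password for root from 198.51.100.9 port 4021 ssh2
Mar  3 10:21:00 host sshd[2009]: Failed password for root from 198.51.100.9 port 4022 ssh2
Mar  3 10:22:00 host sshd[2010]: Accepted password for alice from 192.0.2.5 port 4030 ssh2
"""
# A failregex in the spirit of the SSH section (assumed pattern, not the page's exact one).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year, so one is supplied for the comparison
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(log_text, maxfailures=3, findtime=600, bantime=-1,
         ignoreip=("172.18.0.1",), section="SSH"):
    """Return {ip: {"ban": cmd, "unban": cmd_or_None}} for every address that
    reaches maxfailures failures within a sliding findtime window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue                       # e.g. "Accepted password" is not a failure
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in ignoreip or ip in banned:
            continue                       # whitelisted by ignoreip, or already banned
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()                    # forget failures older than findtime
        if len(q) >= maxfailures:          # the maxfailures-th failure triggers the ban
            banned[ip] = {                 # DROP rule in the per-section chain; negative
                "ban": f"iptables -I fail2ban-{section} 1 -s {ip} -j DROP",  # bantime is
                "unban": None if bantime < 0 else f"iptables -D fail2ban-{section} -s {ip} -j DROP",  # permanent
            }
    return banned
```

With the defaults, 203.0.113.7 is banned on its third failure, 172.18.0.1 is skipped by ignoreip, and 198.51.100.9 never accumulates three failures inside one 600 second window, which is exactly why findtime matters after a restart.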