One of the most common forms of attack that people face on the internet is the brute-force attack. In a brute-force attack, the attacker never tries to decrypt an encrypted password; instead he tries a list of candidate passwords (say, a dictionary of likely passwords) against the service he wants to break into.

Say, for example, you have an application that relies on password-based authentication only, and you also need that application to be reachable from anywhere on the internet (so you cannot simply allow a short list of source addresses and block the rest).

If you want to understand how serious this issue is, keep a test server with SSH port 22 open to the world. You will soon see a large number of failed login attempts in the SSH logs (/var/log/secure). Most of the time, the attempts come from the same few source addresses.

Imagine a Linux application that could continuously watch the relevant application logs and block malicious source addresses based on failed login attempts. This is exactly what fail2ban does to secure your Linux server.

A few things to note about fail2ban:

  • Fail2ban blocks the source address using the regular Linux firewall, i.e. iptables.
  • You can also configure fail2ban to send you an alert email on each block.
  • You can specify how long a malicious source address stays blocked.
  • You can also specify a list of source addresses in the fail2ban configuration that are never blocked.

How to Install fail2ban package in Ubuntu?

Installing fail2ban on Ubuntu is really simple; it is just an apt-get install command away.

#sudo apt-get update

#sudo apt-get install fail2ban

How to Install fail2ban package in CentOS?

As the fail2ban package is not available in the default CentOS yum repositories, the first step is to install the EPEL yum repository, which is quite simple (as shown below).

CentOS 6:

#sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

#sudo yum install fail2ban

CentOS 7: For CentOS 7 the EPEL repository package is different; it can be installed as shown below.

#sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm

#sudo yum install fail2ban

How to configure fail2ban?

The first step in configuring fail2ban is to copy the example configuration file to a new file that fail2ban will use.

#sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The initial section of the configuration file consists of the settings below.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3

As mentioned earlier, the first setting, “ignoreip”, lets you define a set of IP addresses or subnets in CIDR form that will never be blocked (you can specify multiple addresses and CIDRs separated by spaces).

“bantime” is the number of seconds for which an offending source address is blocked.

“findtime” is the window, in seconds, within which a source address must reach “maxretry” failed attempts to be considered for blocking.

In our example configuration above, if a source address fails to authenticate 3 times within 10 minutes, it will be blocked.

destemail = root@localhost
sendername = Fail2Ban
mta = sendmail

The above settings are straightforward as well. As mentioned earlier, you can configure fail2ban to send email alerts on each block, and these parameters define the email settings for those alerts. “destemail” is the target address the alert is sent to. “sendername” sets the “From” field of the outgoing alert email. And “mta”, of course, selects the mail transfer agent (mail server) used to send it.

Then comes the “action” setting. It defines the kind of action fail2ban takes when it finds an offending IP.

action = %(action_)s

The default action above is to block only. Change it to the line below to also send an email report containing the blocked source address, along with a whois report on that IP address.

action = %(action_mw)s

Using the line below as the default action instead will additionally include the relevant log lines in the email.

action = %(action_mwl)s

Then come the sections for the different services: SSH, FTP, HTTP, mail, etc.

By default only the SSH section is enabled in the fail2ban configuration (shown below).

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Note the “enabled = true” option. “logpath” defines the SSH log file that fail2ban will monitor to catch malicious login attempts.
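To check which values a jail actually runs with, here is an added Python example (not from the article or the fail2ban project) that loads a constructed jail.local in the same layout as above, using the same %(name)s substitution style; the action_* definitions are simplified placeholders, an assumption for the demo. It shows that a key set inside a jail section, such as the maxretry = 6 in [ssh], overrides the [DEFAULT] value of 3 for that jail only.

```python
import configparser

# Constructed jail.local in the layout the article shows. The action_* values are
# simplified placeholders (assumption), not fail2ban's real action definitions.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
action_ = ban
action_mw = ban+mail+whois
action_mwl = ban+mail+whois+logs
action = %(action_mwl)s

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[apache]
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
"""

def load_jails(text):
    """Parse with %(name)s interpolation, the substitution style jail.conf uses."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    return cp

def effective(cp, jail):
    """Settings a jail actually runs with: its own keys win, [DEFAULT] fills the rest."""
    s = cp[jail]
    return {
        "enabled": s.getboolean("enabled", fallback=False),
        "maxretry": s.getint("maxretry"),
        "findtime": s.getint("findtime"),
        "bantime": s.getint("bantime"),
        "action": s.get("action"),
    }

def enabled_jails(cp):
    """Names of the jails that fail2ban would start (enabled = true)."""
    return [j for j in cp.sections() if cp[j].getboolean("enabled", fallback=False)]
```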

You might be wondering how fail2ban detects and identifies failure messages in log files in order to block malicious sources. This is done with a set of regular expressions that fail2ban matches against the log files; a line that matches is counted as a failed attempt.

For each service there is a set of regular expressions that fail2ban looks for. For example, the log message below from the SSH log indicates a failed login attempt.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=

This clearly matches the regular expressions defined for SSH in the fail2ban filter file (/etc/fail2ban/filter.d/sshd.conf). Different regular expressions are defined for different services under the /etc/fail2ban/filter.d directory.
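The following added Python example (not part of the article or of fail2ban itself) shows the detection logic behind the ignoreip, findtime and maxretry settings described above and the regular-expression matching described in this section: two simplified sshd-style failregex patterns, assumed to stand in for the real filter, are matched against a constructed auth.log excerpt, and each source is counted in a sliding findtime window.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Two simplified failregex patterns in the spirit of /etc/fail2ban/filter.d/sshd.conf
# (assumption: the real filter carries many more; these two cover the sample below).
FAILREGEX = [
    re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<host>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
]
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
# Constructed auth.log excerpt using documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jan 13 10:00:01 srv sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jan 13 10:00:04 srv sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 13 10:00:09 srv sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jan 13 10:02:00 srv sshd[2320]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 13 10:20:00 srv sshd[2330]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Jan 13 10:21:30 srv sshd[2332]: Failed password for root from 127.0.0.1 port 50000 ssh2
""".splitlines()

def parse_failure(line, year=2015):
    """Return (timestamp, source host) when a failregex matches the line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    hit = next((h for h in (rx.search(line) for rx in FAILREGEX) if h), None)
    return (ts, hit.group("host")) if hit else None

def find_offenders(lines, findtime=600, maxretry=3, ignoreip=("127.0.0.1/8",)):
    """Per-source sliding window: report a host once it has maxretry failures inside one findtime window, skipping ignoreip sources."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)
    offenders = set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if any(ipaddress.ip_address(host) in n for n in nets):
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            offenders.add(host)
    return offenders
```

With the article's defaults only 203.0.113.5 is reported: 198.51.100.7 has two failures 18 minutes apart, outside the 600-second window, and 127.0.0.1 is covered by ignoreip.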

You can configure pretty much any standard service to be monitored by fail2ban, such as Apache, Nginx, etc.

Once you have updated the required service-specific section in the fail2ban configuration, simply restart the service for the changes to take effect.

Make sure that every service you have enabled in jail.local has its log file present; otherwise fail2ban will throw the error below during restart.

 * Restarting authentication failure monitor fail2ban
ERROR  No file(s) found for glob /var/log/apache*/*error.log
ERROR  Failed during configuration: Have not found any log file for apache jail   [fail]

You can restart fail2ban as shown below.

CentOS 6:

service fail2ban restart

CentOS 7:

systemctl restart fail2ban.service

Ubuntu:

service fail2ban restart

Once restarted, you should see some new iptables chains as shown below (you can list them with the “#iptables -L” command).

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-nginx-http-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

If you want to test this, simply try to authenticate to this server's SSH service with a wrong password on purpose. Once you cross the 3 attempts we defined in jail.local, that source address will be blocked, and you will see an iptables rule that looks something like the one below.

REJECT     all  --  222.186.21.234       anywhere            reject-with icmp-port-unreachable

The above rule will sit inside the fail2ban-ssh iptables chain. Hope this article was helpful in understanding fail2ban and getting it configured on Linux.