In this guide, we’ll cover how to install and use Fail2ban.

Fail2Ban is a free and open source intrusion prevention software tool written in the Python programming language that can be used to protects servers from different kinds of attacks. Fail2Ban works by continuously monitoring various logs files (Apache, SSH) and running scripts based on them. Mostly it is used to block IP addresses that are trying to breach the system’s security. It can be used to block any IP address that are trying to make many illegitimate login attempts. Fail2Ban is set up to block malicious IP address within a time limit defined by administrator. Fail2Ban can be configured to send email notifications when someone’s attacking your server. Main purpose of Fail2ban is to scans log files for various services, such as SSH, FTP, SMTP, Apache and block the IP address that makes too many password failures.

Install Fail2ban on CentOS 7

# yum update && yum install epel-release
# yum install fail2ban

# systemctl enable fail2ban

Install Fail2ban on Debian/Ubuntu

# apt-get update && apt-get upgrade -y

# apt-get install fail2ban

Configuring Fail2ban for SSH

By default Fail2ban keeps all the configuration files in /etc/fail2ban/ directory. The main configuration file is jail.conf, it contains a set of pre-defined filters. It is recommended that you should not modify jail.conf itself, but override it by creating a new configuration file jail.local inside /etc/fail2ban/ directory.

To enable the SSH daemon jail, uncomment the following lines:

# nano /etc/fail2ban/jail.local 

[sshd] enabled = true

To ignore specific IPs, add them to the ignoreip line. By default, this command will not ban the localhost.

bantime: The length of time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent. The default value of 600 is set to ban an IP for a 10-minute duration.

findtime: The length of time between login attempts before a ban is set. For example, if Fail2ban is set to ban an IP after five (5) failed log-in attempts, those 5 attempts must occur within the set 10-minute findtime limit. The findtime value should be a set number of seconds.

maxretry: How many attempts can be made to access the server from a single IP before a ban is imposed. The default is set to 3.

# nano /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89
bantime = 600 findtime = 600 maxretry = 3

Fail2Ban for Apache/Nginx Web Server

As you can see, this method will work for any server you have in front of your real web server, or to the actual web server itself, actually this will mainly protect your port 80.

Edit your /etc/fail2ban/jail.conf file and add this section:

# nano /etc/fail2ban/jail.conf

[http-get-dos] enabled = true port = http,https filter = http-get-dos logpath = /var/log/*web_server*/*access.log maxretry = 300 findtime = 300 #ban for 5 minutes bantime = 600 action = iptables[name=HTTP, port=http, protocol=tcp]

Now we need to create the filter, to do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below in it:

# nano /etc/fail2ban/filter.d/http-get-dos.conf

# Fail2Ban configuration file [Definition] # Option: failregex # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match. # You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives. failregex = ^<HOST> -.*"(GET|POST).* # Option: ignoreregex ignoreregex =

Save the file and restart the fail2ban service:

# systemctl restart fail2ban

You can view the rules added by Fail2Ban using the following command:

# iptables -L

You should now be able to configure some basic banning policies for your services. Fail2ban is very easy to set up, and is a great way to protect any kind of service that uses authentication.

 

Tagged: