Fail2Ban - An intrusion prevention software

fail2ban

Concept :

fail2ban is a daemon that watches the log files of some configured services (sshd, httpd, VSFtpd, ...). Thanks to a set of filters, it can detect malicious activity and take some restrictive action (usually banning an IP temporarily).

Setup :

  1. Install fail2ban with your favorite package manager. This creates :
    • /etc/fail2ban/filter.d/ : directory containing the log parsing rules / filters
    • /etc/fail2ban/action.d : directory containing the actions that can be taken once a malicious activity has been detected
    • /etc/fail2ban/jail.conf : configuration of the services being monitored, called jails.
    • /etc/fail2ban/fail2ban.conf : logfile, verbosity, socket
    • /var/log/fail2ban.log : logs
  2. To configure fail2ban, start with : touch /etc/fail2ban/jail.local
  3. Then edit it (source) :
    • You can override any parameter from /etc/fail2ban/jail.conf
    • To disable a jail, don't comment it, just set it as enabled = false
    • See jail options
    [DEFAULT]
    ignoreip	= 127.0.0.1 123.45.67.89	# trusted IP addresses
    bantime		= 86400				# in seconds. '-1' means 'forever'
    destemail	= you@provider.com
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    
    # JAILS
    [ssh]
    enabled		= true
    maxretry	= 3				# number of matches to trigger a ban
    port		= customPortNumber		# if different from default (22)
    findtime	= 60				# The match counter is reset if no match is found within "findtime" seconds.
    
    [pam-generic]
    enabled		= true
    banaction	= iptables-allports
    
    [ssh-ddos]
    enabled		= true
    
    [apache]
    enabled		= true
    
    [apache-noscript]
    enabled		= true
    port		= http,https
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    
    [apache-overflows]
    enabled		= true
    
    [apache-badbots]
    enabled		= true
    port		= http,https
    filter		= apache-badbots
    banaction	= iptables-allports
    action		= %(action_mwl)s
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [apache-nohome]
    enabled		= true
    port		= http,https
    filter		= apache-nohome
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [php-url-fopen]
    enabled		= true
    port		= http,https
    filter		= php-url-fopen
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [exim]
    enabled		= true
    filter		= exim
    port		= smtp,ssmtp
    logpath		= /var/log/exim*/rejectlog
    maxretry	= 1
  4. When you're satisfied with your configuration :
    • fail2ban-client start
    • or service fail2ban reload
    • or any systemd-compliant way of doing this
    The fail2ban-client handles the start/stop of the fail2ban-server, so better not trying to start the server yourself (source)

Further commands :

Reload configuration :
fail2ban-client reload
List active jails :
fail2ban-client status
Status of a specific jail :
fail2ban-client status ssh may output :
Status for the jail: ssh
|- filter
|  |- File list:	/var/log/auth.log
|  |- Currently failed:	0
|  `- Total failed:	6
`- action
   |- Currently banned:	0
   |  `- IP list:
   `- Total banned:	1
Reset a specific jail (unban everybody) :
fail2ban-client reload ssh
List current NetFilter rules. They are dynamically added, and removed at restart / reload of fail2ban. Ban rules start with DROP.
iptables -L
Check regex results:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Unban a specific IP address
iptables -D fail2ban-chainName -s IP -j DROP
  • After system or fail2ban restart, all ban firewall rules will be cleared.
  • As it works by watching logs, fail2ban may eat CPU if some of the logs it monitors become too big.