7. Install Fail2ban

by Cover Tower - Updated March 14, 2021

Any login page that is publicly accessible can be the target of intense brute-force attacks. If you look at the access logs of different applications you will notice numerous failed login attempts. To address this problem, Fail2ban constantly monitors log files and bans IPs that reach a certain number of failed login attempts within a specified time interval. Fail2ban has proved to be an indispensable tool in the fight against brute-force attacks.

To install Fail2ban run:

apt-get install fail2ban

The default Fail2ban configuration file is /etc/fail2ban/jail.conf. However, configuration changes shouldn’t be made in this file, because it can be overwritten during a package upgrade and all your changes would be lost. Instead, copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and make all the necessary changes in jail.local:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Many services/applications that may need protection are already listed in this file. Each one has its own section, but none is enabled by default. To enable protection for a service/application, you have to add the enabled = true directive to its block. A Fail2ban filter is a file containing the regular expressions that Fail2ban uses to detect failed login attempts in the log files. An action is a command that is executed when Fail2ban detects an abusive IP address. The combination of a filter and one or more actions is called a ‘jail’.

Open the new Fail2ban configuration file for editing:

nano /etc/fail2ban/jail.local

In the [DEFAULT] section you will find basic settings that apply to all enabled applications, unless they are overridden in an application’s individual block. Under [DEFAULT], change the following settings to make them look like this:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 86400
findtime = 960
maxretry = 4

ignoreip – the list of IPs or networks, separated by spaces, that Fail2ban will never ban.

bantime – the number of seconds an IP will be banned for if it tries to brute-force any of the enabled applications. A reasonable value for bantime is 86400 (24 hours).

maxretry – the number of failed login attempts after which an IP is banned for the length of bantime. A reasonable value for this parameter is 4.

findtime – the time interval in seconds within which the failed login attempts are counted. If an IP fails to log in maxretry times within a findtime period, it will be banned. For example, if maxretry is 4 and findtime is 960 seconds, a host that fails to log in 4 times within a period of 960 seconds will be banned. A possible value for this parameter is 960 (16 minutes).

Also change the following parameters to make them look like this:

destemail = admin@example.com
sender = fail2ban@example.com
mta = sendmail
chain = INPUT

Where example.com is the main domain hosted on your server.

7.1. Configure the SSH section

Change the [sshd] section to make it look like this:

[sshd]
enabled = true
port = 6283,22
filter = sshd
logpath = /var/log/auth.log
findtime = 960
maxretry = 4
bantime = 86400

Replace 6283 with your custom SSH port. A description of each parameter follows.

enabled = true means that SSH protection is on. You can turn it off with enabled = false.

port = 6283,22 defines the ports that the ban will be applied to for the current service/application.

filter = sshd refers to the name of the filter file containing the regular expressions that Fail2ban will use to detect failed login attempts in the log files. The .conf extension is omitted, so filter = sshd means that the filter file is /etc/fail2ban/filter.d/sshd.conf.

logpath = /var/log/auth.log specifies the path to the log file that will be monitored for the current service/application.

findtime = 960 means that if, within a period of 960 seconds, an IP reaches the number of failed login attempts specified in maxretry, it will be blocked.

maxretry = 4 specifies that after 4 failed login attempts within the findtime period, an IP will be blocked.

bantime = 86400 means that every banned IP will stay banned for 86400 seconds (24 hours).
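The way findtime, maxretry and bantime work together, and the role of the filter regex from 7.1, can be seen on a handful of log lines. The Python script below is an added illustration and is not part of this guide or of Fail2ban itself: the regular expression is a simplified stand-in for one pattern of the real sshd filter, and the auth.log lines, hostnames and IP addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings taken from the [DEFAULT] / [sshd] sections of this guide.
FINDTIME = 960        # seconds in which failures are counted
MAXRETRY = 4          # failures within FINDTIME that trigger a ban
BANTIME = 86400       # seconds a ban lasts (24 hours)
IGNOREIP = ["127.0.0.1/8", "::1"]

# Simplified stand-in for one failregex of /etc/fail2ban/filter.d/sshd.conf
# (assumption: the real filter carries many more patterns than this one).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample of /var/log/auth.log lines; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 14 10:02:10 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 14 10:05:30 host sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 14 10:07:45 host sshd[1204]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 14 10:12:00 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar 14 10:13:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 14 11:00:00 host sshd[1207]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 14 11:30:00 host sshd[1208]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 14 12:00:00 host sshd[1209]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 14 12:01:00 host sshd[1210]: Failed password for root from 127.0.0.1 port 40005 ssh2
"""


def parse_failures(log_text, year=2021):
    """Yield (timestamp, ip) for each line the filter matches (syslog lines carry no year)."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("ip")


def is_ignored(ip, ignoreip=IGNOREIP):
    """True when ip falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def run_jail(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay the failures through the findtime/maxretry window.

    Returns {ip: (ban_start, ban_end)} for every address that reached maxretry
    failures inside a findtime window. Simplification: failures from an address
    that is already banned are not counted again.
    """
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if is_ignored(ip):
            continue
        if ip in bans and ts < bans[ip][1]:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in run_jail(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: banned at {start:%b %d %H:%M:%S}, expires {end:%b %d %H:%M:%S}")
```

Run as-is, it reports that 203.0.113.5 is banned at its fourth failure inside the 960-second window, while 198.51.100.7, whose four failures are spread more than findtime apart, is never banned and 127.0.0.1 is skipped because of ignoreip. Raising findtime to two hours would catch the slow attacker as well, which is the trade-off the findtime/maxretry pair expresses.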

Restart Fail2ban:

systemctl restart fail2ban

You can see the rules that Fail2ban sets in iptables by running:

iptables -L


To see the overall status of the Fail2ban jails, run:

fail2ban-client status

You can also see the status of a specific jail by running:

fail2ban-client status nameofjail

For example:

fail2ban-client status sshd

7.2. Manually unban IPs banned by Fail2ban

If for some reason you want to unban an IP that has been banned by Fail2ban, use the following command:

fail2ban-client set nameofjail unbanip 100.100.100.100

For example, to manually unban the IP 111.111.111.111 that has been banned according to the [sshd] jail, run:

fail2ban-client set sshd unbanip 111.111.111.111

7.3. Manually ban IPs using Fail2ban

If, on the contrary, you want to manually ban an IP and assign the ban to the [sshd] jail, run:

fail2ban-client set sshd banip 104.104.104.104

Note that when a default bantime is set, it is not strictly necessary to specify a bantime in each jail. Nevertheless, you should include the bantime parameter in every enabled jail, because it is needed by ‘System Health and Security Probe’, which we’ll describe later.

In conclusion, the following settings should be present in the /etc/fail2ban/jail.local file:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 86400
findtime = 960
maxretry = 4
destemail = admin@example.com
sender = fail2ban@example.com
mta = sendmail
chain = INPUT

[sshd]
enabled = true
port = 6283,22
filter = sshd
logpath = /var/log/auth.log
findtime = 960
maxretry = 4
bantime = 86400
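To verify that every enabled jail in jail.local states its own bantime (and findtime and maxretry) rather than relying on the [DEFAULT] values, the following Python check is added here; it is not part of this guide or of Fail2ban. It reads a jail.local-style file with configparser, treating [DEFAULT] as an ordinary section so that inherited values do not count as explicitly set. The sample configuration is constructed from the settings above plus a hypothetical [apache-auth] jail that is missing the parameters.

```python
import configparser
import sys

# Parameters every enabled jail should state explicitly (see the note above).
REQUIRED_PER_JAIL = ("bantime", "findtime", "maxretry")

# Constructed jail.local excerpt: the settings from this guide plus a
# hypothetical [apache-auth] jail that relies on inherited values only.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 86400
findtime = 960
maxretry = 4
destemail = admin@example.com
sender = fail2ban@example.com
mta = sendmail
chain = INPUT

[sshd]
enabled = true
port = 6283,22
filter = sshd
logpath = /var/log/auth.log
findtime = 960
maxretry = 4
bantime = 86400

[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
"""


def load_jail_config(text):
    """Parse jail.local text. default_section is renamed so that [DEFAULT] becomes an
    ordinary section and has_option() only reports keys written in the jail itself."""
    parser = configparser.ConfigParser(
        default_section="__no_inherit__", interpolation=None, strict=False
    )
    parser.read_string(text)
    return parser


def enabled_jails(parser):
    """Names of sections with enabled = true, in file order."""
    return [
        s for s in parser.sections()
        if s != "DEFAULT"
        and parser.get(s, "enabled", fallback="false").strip().lower() == "true"
    ]


def effective_value(parser, jail, key):
    """Value Fail2ban would use: the jail's own key, else the [DEFAULT] one."""
    if parser.has_option(jail, key):
        return parser.get(jail, key)
    return parser.get("DEFAULT", key, fallback=None)


def check_jails(text):
    """Return {jail: [missing keys]} for enabled jails lacking an explicit value."""
    parser = load_jail_config(text)
    problems = {}
    for jail in enabled_jails(parser):
        missing = [k for k in REQUIRED_PER_JAIL if not parser.has_option(jail, k)]
        if missing:
            problems[jail] = missing
    return problems


if __name__ == "__main__":
    # Usage: python check_jails.py /etc/fail2ban/jail.local (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAIL_LOCAL
    problems = check_jails(text)
    for jail, missing in problems.items():
        print(f"[{jail}] relies on [DEFAULT] for: {', '.join(missing)}")
    sys.exit(1 if problems else 0)
```

The check only reads the one file you pass it; Fail2ban itself also merges jail.conf and the jail.d directory, so a jail enabled there would not be seen by this script.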

7.4. Configure logrotate to rotate the Fail2ban logs

To make the Fail2ban log rotation happen only after the current log file has reached a certain size, you’ll have to edit the /etc/logrotate.d/fail2ban file:

nano /etc/logrotate.d/fail2ban

Remove the weekly parameter, set rotate to 15 in order to have more archived logs available to search for past failed login attempts, and add the size 2M line, like below:

/var/log/fail2ban.log {
    rotate 15
    compress
    delaycompress
    missingok
    size 2M
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    create 640 root adm
}

The above settings are important for ‘System Health and Security Probe’ in order to analyze Fail2ban logs, to detect IPs with failed log in attempts against different services.

7.5. Create a script to display all the banned IPs, by jail

To be able to see a list of all the IPs that have been blocked by Fail2ban and their corresponding jails at any moment, you can create a small script by running:

mkdir /srv/scripts

cd /srv/scripts

nano bannedip

Add the following content to this file:

#!/bin/bash
# Ask fail2ban-client for the jail list, query each jail in turn, and keep only
# the "Status for the jail" and "Banned IP list" lines of every reply.
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Make the script executable:

chmod 700 bannedip

From now on, when you want to see the list with all the IPs that have been banned by Fail2ban, you can run:

/srv/scripts/bannedip