Security - Fail2Ban#
What is Fail2Ban#
extract from Fail2Ban website
Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and readily configured to read any log file of your choosing for any error you wish.
Though Fail2Ban can reduce the rate of incorrect authentication attempts, it cannot eliminate the risk presented by weak authentication. Set up services to use only two factor or public/private authentication mechanisms if you want to really protect services.
Install and Default Configure#
Log into your server.
Update the server and install Fail2Ban.
sudo apt update
sudo apt upgrade
sudo apt install fail2ban
Check fail2ban has installed.
sudo systemctl status fail2ban
Example output.
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.se>
Active: active (running) since Fri 2021-11-26 0>
Docs: man:fail2ban(1)
Process: 636 ExecStartPre=/bin/mkdir -p /run/fai>
Main PID: 650 (f2b/server)
Tasks: 5 (limit: 1136)
Memory: 14.9M
CGroup: /system.slice/fail2ban.service
└─650 /usr/bin/python3 /usr/bin/fail2ba>
Check what fail2ban is doing for us.
sudo fail2ban-client status
Example output, showing 1 jail is in use and that is sshd. Monitoring sshd is a default setting fail2ban comes with out of the box.
Status
|- Number of jail: 1
`- Jail list: sshd
Move to the root users fail2ban config folder.
sudo cd etc/fail2ban/
sudo ls
Example output
action.d jail.d
fail2ban.conf paths-arch.conf
fail2ban.d paths-common.conf
filter.d paths-debian.conf
jail.conf paths-opensuse.conf
Copy jail.conf to jail.local. The local folder is the preferred way to configure fail2ban. The reason is that jail.conf may be overwriten during updates.
sudo cp jail.conf jail.local
Using your favourite text editor, you can inspect and edit jail.local to suit your configuration needs.
Under the JAILS section, items in [brackets] are options you can enable.
See line 291
as an example of an enabled option.
Everything below the bracketed option is the configuration for that option.
Line numbers are indicative and may be different in your editor.
272 # JAILS 273 # 274 275 # 276 # SSH servers 277 # 278 279 [sshd] 280 281 # To use more aggressive sshd modes set filter pa rameter "mode" in jail.local: 282 # normal (default), ddos, extra or aggressive (co mbines all). 283 # See "tests/files/logs/sshd" or "filter.d/sshd.c onf" for usage example and details. 284 #mode = normal 285 port = ssh 286 logpath = %(sshd_log)s 287 backend = %(sshd_backend)s 288 289 290 [dropbear] 291 enabled = true 292 port = ssh 293 logpath = %(dropbear_log)s 294 backend = %(dropbear_backend)s 295 296 297 [selinux-ssh] 298 299 port = ssh 300 logpath = %(auditd_log)s 301 302
Restart fail2ban.
sudo systemctl restart fail2ban
Check fail2ban status.
sudo fail2ban-client status
Example output after updating and saving jail.local, notice the new service
dropbear`
has been enabled in Jail list:
.
Status
|- Number of jail: 2
`- Jail list: dropbear, sshd
Inspect fail2ban log file.
sudo cat /var/log/fail2ban.log
Example output
--------------------------------------------------
2021-11-26 06:11:47,432 fail2ban.server [3089]: INFO Starting Fail2ban v0.11.1
2021-11-26 06:11:47,434 fail2ban.observer [3089]: INFO Observer start...
2021-11-26 06:11:47,439 fail2ban.database [3089]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2021-11-26 06:11:47,440 fail2ban.jail
2021-11-26 05:45:02,953 fail2ban.jail [2566]: INFO Jail 'dropbear' uses pyinotify {}
2021-11-26 05:45:02,957 fail2ban.jail [2566]: INFO Initiated 'pyinotify' backend
2021-11-26 05:45:02,963 fail2ban.filter [2566]: INFO maxRetry: 5
2021-11-26 05:45:02,963 fail2ban.filter [2566]: INFO findtime: 600
2021-11-26 05:45:02,964 fail2ban.actions [2566]: INFO banTime: 600
2021-11-26 05:45:02,964 fail2ban.filter [2566]: INFO encoding: UTF-8
Inspect fail2ban individual jail.
sudo fail2ban-client status sshd
Example output
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 1
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Further Reading#
Here is an excellent YouTube tutorial video on the subject.
LearnLinuxTV Securing your Cloud Server with Fail2Ban.