Vpire Blog
Good Team Plays Hard
Preventing Brute Force Attacks With Fail2ban On Fedora 9
In: Ubuntu or Linux
21 Nov 2008Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.
1 Preliminary Note
Fail2ban is similar to DenyHosts, but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use iptables and /etc/hosts.deny.
I will install the fail2ban package that is available for Fedora 9. It comes with a default configuration, but unfortunately that configuration doesn’t quite work for most of the aforementioned services. Therefore I will create a customized fail2ban configuration that I have tested and that works for me.
2 Installing fail2ban
Fail2ban can be installed as follows:
yum install fail2ban
Then we must create the system startup links for fail2ban and start it:
chkconfig –levels 235 fail2ban on
/etc/init.d/fail2ban start
You will find all fail2ban configuration files in the /etc/fail2ban directory.
3 Configuring fail2ban
The default behaviour of fail2ban is configured in the file /etc/fail2ban/jail.conf. Take a look at it, it’s not hard to understand. There’s a [DEFAULT] section that applies to all other sections unless the default options are overriden in the other sections.
I explain some of the configuration options here:
- ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban. For example, if the computer from which you’re connecting to the server has a static IP address, you might want to list it here.
- bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
- maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
- filter: Refers to the appropriate filter file in /etc/fail2ban/filter.d.
- action: Refers to the appropriate action file in /etc/fail2ban/action.d.
- logpath: The log file that fail2ban checks for failed login attempts.
This is what my /etc/fail2ban/jail.conf file looks like:
vi /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.99
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 6
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@mail.com]
logpath = /var/log/maillog
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/*error_log
maxretry = 6
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny
sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/maillog
bantime = 300
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
action = iptables[name=%(__name__)s, port=%(port)s]
logpath = /var/log/maillog
maxretry = 5
[courierimap]
enabled = true
port = imap2
filter = courierlogin
action = iptables[name=%(__name__)s, port=%(port)s]
logpath = /var/log/maillog
maxretry = 5
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/secure
[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800
[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1
[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
sendmail[name=Apache, dest=you@mail.com]
logpath = /var/log/httpd/error_log
[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1
[named-refused-udp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1
[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1
|
My client computer has the static IP address 192.168.0.99, and because I don’t want to be locked out, I’ve added it to the ignoreip list.
I want to control login attempts to SSH, Apache, Proftpd, Courier-POP3, Courier-IMAP, and Sasl, so I’ve set enabled to true for these services and to false for all other services. Please note that some services such as SSH can be blocked either by iptables or by TCPWrappers (/etc/hosts.deny). Decide for yourself which method you prefer.
Make sure to replace the email address you@mail.com with your own email address so that you get notified when someone gets blocked by fail2ban.
If you compare the file with the default /etc/fail2ban/jail.conf, you’ll also notice that I’ve changed some log files because the log files in the default /etc/fail2ban/jail.conf are not correct for Fedora 9.
Whenever we modify the fail2ban configuration, we must restart fail2ban, so this is what we do now:
/etc/init.d/fail2ban restart
That’s it already. Fail2ban logs to /var/log/fail2ban.log, so you can check that file to find out if/what hosts got blocked. If a host got blocked by fail2ban, it looks like this:
2008-08-08 17:49:09,466 fail2ban.actions: WARNING [apache-tcpwrapper] Ban 1.2.3.4
2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sasl-iptables] Ban 1.2.3.4
2008-08-08 18:26:37,769 fail2ban.actions: WARNING [courierlogin] Ban 1.2.3.4
2008-08-08 18:39:06,765 fail2ban.actions: WARNING [courierimap] Ban 1.2.3.4
You can also check your firewall to see if any hosts are currently blocked. Simply run
iptables -L
For services that use TCPWrappers to block hosts, take a look at /etc/hosts.deny.
- Tags: Linux
Comment Form
About this blog
This is a place I create just for fun and to write down some experience and notes for myself. So feel free to enjoy and drop any comments you have. I had been employed as Programmer, System Analysts, System Administrator, DBA and Project Manager. I will share some of my case study here as well. Enjoy!
Categories
- Delicious Food (49)
- Recipes (15)
- Ebooks (1)
- Gadget News (52)
- HTC (6)
- Leisure (47)
- Microsoft Windows (5)
- MS SQL (12)
- MySQL (14)
- Oracle (54)
- Photography (10)
- Travel (11)
- Ubuntu or Linux (70)
Archives
- July 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- mike: thank you so much. it helped solve my error. :) [...]
- Wyatt Richardson: I'm pretty much impressed with the stability of Windows 7. It is better than windows Vista which hog [...]
- Ellie Hughes: Playstation is the best gaming console that i have owned. Me and my brother are addicted in playing [...]
- Eric Patterson: I have tried using Chrome OS in one of my desktop PC's, the overall performance is above average to [...]
- Marc Henessy: i installed Chrome OS on two of my netbooks. the Chrome OS works great and its loading time [...]
- Enable Gzip in WP-Cache2
- Atbroker.exe “application failed to initialize properly” on remote desktop to Windows 7
- VMWare Ubuntu 10.04 Cannot Use Keyboard
- Taking MSSQL Database Offline and Online Using T-SQL
- Problem with Outlook.pst
- Microsoft SQL Server T-SQL Cheat Sheet
- Murakami Yuri 村上友梨 Photoshoot
- Introduction to Rollup Clause
- Install Webshot on Ubuntu with Wine
- Nokia X6 Launch at Hong Kong