Get started with Fail2Ban

Sun 23 November 2014

Get started with Fail2Ban on CentOS 7. When you are done reading this article you will have the software installed, and a configuration that helps prevent brute-force attacks on your SSH port.

Introduction

Fail2Ban operates with some terms that we need to clarify before we start:

  • filter - a filter defines a regular expression which must match a pattern corresponding to a log-in failure or any other expression
  • action - an action defines several commands which are executed at different moments
  • jail - a jail is a combination of one filter and one or several actions. Fail2ban can handle several jails at the same time
  • client - refers to the script fail2ban-client
  • server - refers to the script fail2ban-server

Configuration is found in the /etc/fail2ban folder, which contains a number of sub-folders and .conf files. If you want to make changes, create a .local file and make the changes there instead of in the original. This preserves your changes when fail2ban is updated.

A .local file overrides the .conf file, but only for the values it specifies, so you don't need to copy all the settings into your .local file, only the settings you want to change.

Installation

# yum install epel-release

# yum install fail2ban

Create your configuration file

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configuration

The configuration file is well documented and you should read through it to get an understanding of the possibilities. You should probably add your own IP address to the ignoreip field, at least during initial configuration and testing.

What is worth noting is that CentOS 7 comes with Fail2Ban 0.9.0, which differs a bit from most other Fail2Ban introductions out there. In 0.9.0 all jails are disabled by default, and you have to scroll down to the relevant jail and insert a new line "enabled = true" to activate the jail.

All jails disabled by default:

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

Enable the jail(s) you need. In the example below I have added "enabled = true" to sshd and sshd-ddos, leaving dropbear unchanged (and therefore disabled):

#
# SSH servers
#
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = true
port = ssh
logpath = %(sshd_log)s

[dropbear]

port = ssh
logpath = %(dropbear_log)s

Remember to reload Fail2Ban after changing the configuration:

# systemctl restart fail2ban

Check that your jails are loaded:

# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: sshd, sshd-ddos

Tail your log for a few seconds, profit!

# tail -f /var/log/fail2ban.log

2014-11-23 04:11:31,638 fail2ban.server.filter[13214]: INFO [sshd] Found 23.xx.1x7.xx
2014-11-23 04:11:31,641 fail2ban.server.filter[13214]: INFO [sshd] Found 103.yy.1y4.yy
2014-11-23 04:11:31,643 fail2ban.server.filter[13214]: INFO [sshd] Found 23.xx.1x7.xx
2014-11-23 04:11:31,647 fail2ban.server.filter[13214]: INFO [sshd] Found 103.yy.1y4.yy
2014-11-23 04:11:32,652 fail2ban.server.actions[13214]: NOTICE [sshd] Ban 60.aa.26.1a7
2014-11-23 04:11:32,676 fail2ban.server.filter[13214]: INFO [sshd] Found 23.xx.1x7.xx
2014-11-23 04:11:32,679 fail2ban.server.filter[13214]: INFO [sshd] Found 60.aa.26.1a7
2014-11-23 04:11:32,868 fail2ban.server.actions[13214]: NOTICE [sshd] Ban 23.xx.1x7.xx
2014-11-23 04:11:32,981 fail2ban.server.actions[13214]: NOTICE [sshd] Ban 103.yy.1y4.yy
2014-11-23 04:11:34,716 fail2ban.server.filter[13214]: INFO [sshd] Found 103.yy.1y4.yy

When writing this text it took three seconds from enabling the jails until the first three IP addresses were banned by Fail2Ban.
