A public server is scanned and brute-forced many times every hour of the day. These are the statistics for my public, unannounced developer test server over the last 24 hours:
This is both a potential security problem and a performance issue, because of the resources spent handling every connection. Fail2ban is easy to install and configure: after a number of failed password guesses, the attacking client's address is automatically inserted into an iptables chain that blocks it for a configurable amount of time.
Let's install EPEL (Extra Packages for Enterprise Linux) and the fail2ban service:
yum install epel-release
yum install -y fail2ban fail2ban-systemd
'Enable' the unit so it starts at boot, then start the service:
systemctl enable fail2ban
systemctl start fail2ban
If SELinux is installed you need to update the policies with:
yum update -y selinux-policy*
The default configuration file is located in the /etc/fail2ban directory and is called jail.conf.
This file can be modified or overwritten by package updates, so it's better to create a new file called jail.local and put our configuration there.
Here we can specify settings like the global bantime and other customizations. The ones reported here are the defaults and may well fit your installation:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
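To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added example (my own model, not fail2ban's code) that replays constructed sshd failure lines through the same three rules: maxretry failures from one address inside findtime seconds trigger a ban that lasts bantime seconds, and addresses on ignoreip are never banned. The timestamps, addresses and port numbers in the sample are made up.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Same knobs as the [DEFAULT] section above (seconds, count, seconds, list).
FINDTIME, MAXRETRY, BANTIME = 600, 5, 600
IGNOREIP = ["127.0.0.1"]

# Failure line in the form sshd logs it; only the source address is extracted.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def is_ignored(ip):
    """An ignoreip entry may be a single address or a CIDR mask."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in IGNOREIP)

def simulate(events):
    """events: iterable of (unix_timestamp, log_line), in time order.
    Returns {ip: [timestamps at which that ip was banned]}."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the findtime window
    banned_until = {}             # ip -> timestamp at which its ban expires
    bans = defaultdict(list)
    for ts, line in events:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if is_ignored(ip) or banned_until.get(ip, 0) > ts:
            continue              # whitelisted, or already rejected by the f2b chain
        window = recent[ip]
        window.append(ts)
        while window[0] < ts - FINDTIME:   # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:        # maxretry failures inside findtime: ban
            banned_until[ip] = ts + BANTIME
            bans[ip].append(ts)
            window.clear()
    return dict(bans)

# Constructed sample (not real traffic): 192.0.2.10 fails 5 times in 40 s,
# 192.0.2.20 fails 5 times but 300 s apart, 127.0.0.1 is on the ignore list.
SAMPLE = (
    [(1000 + 10 * i, f"sshd[42]: Failed password for root from 192.0.2.10 port {50000 + i} ssh2") for i in range(5)]
    + [(2000 + 300 * i, f"sshd[42]: Failed password for invalid user admin from 192.0.2.20 port {40000 + i} ssh2") for i in range(5)]
    + [(3000 + i, "sshd[42]: Failed password for root from 127.0.0.1 port 60000 ssh2") for i in range(6)]
)

if __name__ == "__main__":
    print(simulate(SAMPLE))  # {'192.0.2.10': [1040]}
```

Only the first address is banned: the second never accumulates five failures inside one findtime window, which is exactly why a slow attacker needs a longer findtime or a lower maxretry to be caught.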
More complex parameters can be enabled too: for example, one that alerts you by mail with a whois query included. Just explore the configuration file!
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
What I prefer is to create a personal, specific fail2ban configuration for every service we expose. Let's protect our SSH daemon.
Copy jail.conf to /etc/fail2ban/jail.d/sshd.local and edit it:
cp jail.conf /etc/fail2ban/jail.d/sshd.local
vim /etc/fail2ban/jail.d/sshd.local
This configuration, and the changes we make here, will override the defaults in jail.local.
A simple configuration could be:
[sshd]
enabled = true
port = ssh
# this forces fail2ban to use iptables to ban the attacker's IP
action = iptables-multiport
maxretry = 5
bantime = 600
# specify a path for the log related to fail2ban events
# (with the fail2ban-systemd package installed above, sshd failures are read
# from the journal and no logpath is required)
That's it! Restart the service every time you make configuration changes:
systemctl restart fail2ban
This is the running iptables configuration just before activating fail2ban:
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
After a few minutes this is the situation: we have already banned an IP!
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-default  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-default (1 references)
target     prot opt source               destination
REJECT     all  --  18.104.22.168        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
How to check how many clients were banned:
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     54
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   22.214.171.124
Great! Now what if we need to unban a client that was wrongly inserted into the iptables block list? It's simple. The fail2ban-client built-in help gives us a lot of information about fail2ban's use and configuration; the relevant command is:
set <JAIL> unbanip <IP>                  manually Unban <IP> in <JAIL>
So in our case it becomes:
fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx
Fail2ban is very easy to configure and deploy. Despite the simple installation it can be a big help in keeping your server's authentication secure.