Port Protection with fail2ban

A public server is scanned and brute forced many times every hour of the day. These are the statistics for my public, otherwise unknown developer test server over the last 24 hours:

(Figure: ELK stack report of SSH brute force attacks in the last 24 hours)

This is both a security problem and a performance problem, because of the resources spent handling every one of those connections. Fail2ban is easy to install and configure: after a number of failed password guesses the attacking client is automatically blocked by an iptables rule (a REJECT in a dedicated chain, by default) for a configurable amount of time.

Let's install EPEL (Extra Packages for Enterprise Linux) and the fail2ban service:

yum install epel-release
yum install -y fail2ban fail2ban-systemd

Enable the service so it survives reboots, then start it:

systemctl enable fail2ban
systemctl start fail2ban

If SELinux is in use, update its policy packages so fail2ban runs under the current policy:

yum update -y selinux-policy*

The default configuration file lives in /etc/fail2ban and is called jail.conf.
This file can be overwritten by package updates, so don't edit it directly: create a new file called jail.local next to it and put your settings there.

vim /etc/fail2ban/jail.local

Here we can set global options such as bantime and other customizations. The values below are the defaults and will fit most installations:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

More complex actions can be enabled too; for example, one that bans and also emails you a report including a whois query of the banned address. Explore jail.conf to see them all:

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
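The findtime/maxretry/bantime/ignoreip rule described in the comments above is the whole detection logic of a jail, so it is worth seeing it run. The following is an added example, not fail2ban's own code: it replays a constructed /var/log/secure excerpt (made-up hosts and documentation-range addresses, year assumed to be 2019 because syslog timestamps carry none) through a small model of that rule, using a simplified stand-in for the sshd failregex, and reports which address would be put into the iptables chain and when.

```python
"""Model of fail2ban's findtime/maxretry window for the sshd jail.

Added example, not fail2ban's own code: bans a host that produced maxretry
failures within findtime seconds, honours ignoreip and bantime expiry.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter (the real filter.d/sshd.conf
# has many more failregex lines); it matches the classic "Failed password" line.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)

ASSUMED_YEAR = 2019  # assumption: syslog lines carry no year


def parse_ts(ts):
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """One jail with the knobs from the [DEFAULT] section of jail.local."""

    def __init__(self, maxretry=5, findtime=600, bantime=600,
                 ignoreip=("127.0.0.1",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure times inside findtime
        self.bans = {}                      # ip -> time the ban expires
        self.ban_log = []                   # (ip, banned_at, expires)
        self.total_failed = 0

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def expire(self, now):
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None                  # not an authentication failure
        ip, now = m["ip"], parse_ts(m["ts"])
        if self.ignored(ip):
            return None                  # ignoreip: never counted, never banned
        self.total_failed += 1
        self.expire(now)
        if ip in self.bans:
            return None                  # already rejected by the chain
        window = self.failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()             # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            until = now + timedelta(seconds=self.bantime)
            self.bans[ip] = until
            self.ban_log.append((ip, now, until))
            window.clear()
            return ip
        return None

    def replay(self, lines):
        return [ip for ip in map(self.feed, lines) if ip]


# Constructed /var/log/secure excerpt: a fast brute force from 203.0.113.7,
# a slow one from 198.51.100.9 (one guess every six minutes) and local noise.
SAMPLE_LOG = """\
Mar  3 10:00:01 dev sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:05 dev sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:09 dev sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:14 dev sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:20 dev sshd[2105]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Mar  3 10:00:21 dev sshd[2107]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:00:30 dev sshd[2107]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:01:00 dev sshd[2110]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Mar  3 10:07:00 dev sshd[2111]: Failed password for bob from 198.51.100.9 port 51001 ssh2
Mar  3 10:13:00 dev sshd[2112]: Failed password for bob from 198.51.100.9 port 51002 ssh2
Mar  3 10:19:00 dev sshd[2113]: Failed password for bob from 198.51.100.9 port 51003 ssh2
Mar  3 10:25:00 dev sshd[2114]: Failed password for bob from 198.51.100.9 port 51004 ssh2
Mar  3 10:30:00 dev sshd[2120]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 10:30:03 dev sshd[2120]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 10:30:06 dev sshd[2121]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar  3 10:30:09 dev sshd[2121]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar  3 10:30:12 dev sshd[2122]: Failed password for root from 127.0.0.1 port 33002 ssh2
"""


def demo():
    jail = Jail(maxretry=5, findtime=600, bantime=600)
    banned = jail.replay(SAMPLE_LOG.splitlines())
    return jail, banned


if __name__ == "__main__":
    jail, banned = demo()
    for ip, at, until in jail.ban_log:
        print(f"{ip} banned at {at:%H:%M:%S}, expires {until:%H:%M:%S}")
    print("slow attacker 198.51.100.9 banned:", "198.51.100.9" in jail.bans)
```

The fast attacker is banned on its fifth failure at 10:00:21 and is out of the chain again after bantime. The slow attacker never has five failures inside one 600 second window and is never banned: fail2ban rate-limits, it does not stop a patient brute force, which is why a larger findtime (or, from fail2ban 0.10 on, bantime.increment) and key-only authentication on sshd matter more than the defaults.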

protect sshd

I prefer to create a personal, specific fail2ban configuration for every service we expose. Let's protect our SSH daemon.
Create /etc/fail2ban/jail.d/sshd.local and put only the [sshd] section in it. Do not copy the whole jail.conf there: fail2ban reads jail.conf, then jail.d/*.conf, then jail.local and finally jail.d/*.local, so a full copy in jail.d would silently override every [DEFAULT] setting you made in jail.local (ignoreip included).

vim /etc/fail2ban/jail.d/sshd.local
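The read order matters enough to show it. The following is an added example, not fail2ban's code: it models the documented precedence (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, later files winning) with Python's configparser over three constructed files, and compares a jail.d/sshd.local that is a full copy of jail.conf with one holding only the [sshd] section. Interpolation of %(...)s values and the include mechanism of fail2ban's real parser are left out; only the precedence is modelled.

```python
"""Why a copy of jail.conf in jail.d/ silently overrides jail.local.

Added example, not fail2ban's code: models only the read order fail2ban
documents, with constructed jail.conf / jail.local / jail.d contents.
"""
import configparser
import glob
import os
import tempfile

# Order fail2ban reads its jail configuration; later files override earlier ones.
READ_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")

# Constructed stand-in for the distribution's jail.conf.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
port = ssh
logpath = /var/log/secure
"""

# Constructed site settings in jail.local: never ban the admin network, ban an hour.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1 10.0.0.0/8
bantime  = 3600
"""

# The right content for jail.d/sshd.local: only the jail section.
SSHD_ONLY = """\
[sshd]
enabled = true
"""


def make_tree(jail_d_sshd_local):
    """Write a throwaway /etc/fail2ban-like tree and return its path."""
    root = tempfile.mkdtemp(prefix="f2b-")
    os.mkdir(os.path.join(root, "jail.d"))
    for name, text in (("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL),
                       (os.path.join("jail.d", "sshd.local"), jail_d_sshd_local)):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    return root


def effective(root, jail, key):
    """Value of `key` for `jail` after reading the tree in fail2ban's order."""
    cp = configparser.ConfigParser(interpolation=None)
    files = []
    for pattern in READ_ORDER:
        files.extend(sorted(glob.glob(os.path.join(root, pattern))))
    cp.read(files)                   # each file overrides what came before
    return cp.get(jail, key)         # falls back to [DEFAULT] like fail2ban does


if __name__ == "__main__":
    for label, content in (("full copy of jail.conf", JAIL_CONF), ("[sshd] only", SSHD_ONLY)):
        root = make_tree(content)
        print(f"{label}: ignoreip={effective(root, 'sshd', 'ignoreip')!r} "
              f"bantime={effective(root, 'sshd', 'bantime')}")
```

With the full copy in jail.d the sshd jail ends up with ignoreip back at 127.0.0.1 and bantime back at 600, so an admin connecting from 10.0.0.0/8 can be locked out by a few typos; with only the [sshd] section the site-wide values from jail.local survive.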

Because jail.d/*.local is read last, the settings in this file override the same settings in jail.local and jail.conf for the sshd jail.
A simple configuration could be:

[sshd]

enabled = true
port = ssh

# ban with the iptables-multiport action. Called bare like this it runs with
# the action's own defaults (name=default, port=ssh), which is why the chain
# shown below is called f2b-default and not f2b-sshd; leave this line out and
# the default action_ template names the chain after the jail.
action = iptables-multiport

maxretry = 5
bantime = 600

# the log fail2ban reads for sshd failures (/var/log/secure on CentOS/RHEL),
# not fail2ban's own log. With the systemd backend that the fail2ban-systemd
# package enables, the journal is read instead and this path is ignored.
logpath = %(sshd_log)s

That's it! Restart the service every time you change the configuration:

systemctl restart fail2ban

This is the running iptables configuration just before activating fail2ban (no rules at all, default policy ACCEPT):

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

After a few minutes this is the situation: we have already banned an IP! fail2ban created its own chain, f2b-default, hooked it into INPUT for TCP port 22 and put a REJECT rule for the attacker in it (a reject with ICMP port unreachable, not a silent drop):

# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-default  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-default (1 references)
target     prot opt source               destination         
REJECT     all  --  58.242.83.38         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

To check how many clients have been banned (the "Journal matches" line also confirms that this jail reads the systemd journal rather than a log file):

# fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     54
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   58.242.83.38

Great! Now, what if we need to unban a client that was wrongly added to the iptables reject rules? It's simple:

fail2ban-client -h

prints a good help text with a lot of information about using and configuring fail2ban. To unban an IP, the relevant command is

set <JAIL> unbanip <IP>                  manually Unban <IP> in <JAIL>

so in our case it becomes:

fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx

conclusion

fail2ban is very easy to configure and deploy. Despite the simple installation, it is a big help in keeping your server's logins safe. Keep in mind that it only slows brute forcing down: a patient attacker who stays under maxretry failures per findtime is never banned, so disabling password authentication in sshd and using keys is still the real fix.