A public server is scanned and brute forced a lot of times every hour of the day. These are the statistic related to my public and unknown developer test server in the last 24 hours:
This could be both a security problem and a system performance issue due to the resources spent in order to manage every connection. Fail2ban is easy to be installed and configured. After different trials of guessing user password the attacker client is automatically inserted in the iptables drop chain for a certain amount of time.
Let’s install epel ( Extra Packages for Enterprise Linux ) and fail2ban service :
yum install epel-release
yum install -y fail2ban fail2ban-systemd‘Enable’ to make it persistent and start the service
systemctl enable fail2ban
systemctl start fail2banif selinux is installed you need to update the policies with:
yum update -y selinux-policy*The default configuration file is located in /etc/fail2ban directory and it’s called jail.conf.
This file can be modified or restored by package distribution updates so it’s better to create a new file called jail.local and make there our configurations
vim /etc/fail2ban/jail.localhere we can specify some settings like global bantime and other customization. These reported here are the default ones that can fits your installation:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
can be more complex parameters to be enabled that, for example, can alert you by mail with whois query included. Just explore the configuration file!
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]protect sshd
What I prefer is to create a personal and specific fail2ban
configuration for every service we expose. Let’s protect our ssh deamon
Copy the jail.conf to /etc/fail2ban/jail.d/sshd.local and edit it:
cp jail.conf /etc/fail2ban/jail.d/sshd.local
vim /etc/fail2ban/jail.d/sshd.localThis configuration and the changes we’ll make here will override the default configuration of jail.local.
This could be a simple configuration
[sshd]
enabled = true
port = ssh
# this will force the system to use IPTABLES for ban the attacker ip
action = iptables-multiport
maxretry = 5
bantime = 600
# specify a path for the log related to fail2ban events
logpath =%(sshd_log)s
that’s it! restart the service every time you make configuration changes
systemctl restart fail2banthis is the running configuration for iptables just before activating fail2ban
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination after some minutes this is the situation! we already banned an IP!
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-default (1 references)
target prot opt source destination
REJECT all -- 58.242.83.38 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0 how to check how many client were banned
# fail2ban-client status sshd
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 54
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 58.242.83.38 great! so now what if we need to unban a client that was wrongly inserted into iptables drop list? it’s simple:
fail2ban-client -hgive us a good help in which we can find a lot of information and configuration regarding fail2ban use. To unban an ip just type
set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL>so in our case it became:
fail2ban-client set sshd unbanip xxx.xxx.xxx.xxxconclusion
fail2ban is very easy to configure and deploy. Despite this simple installation it can provide a big help to keep your server authentications secure.