Fail2ban Installation for Debian/Ubuntu

24/09/2013

Fail2Ban is an application that monitors your log files for signs of intrusion attempts and then blocks the IP address of the would-be attacker, normally with a firewall rule. Administrators most often use it to limit the number of SSH login attempts allowed from one address within a period of time, which makes it very difficult for an attacker to brute force a login.

I use Fail2ban on my Asterisk server to block the daily brute force attacks against my PBX. I will post the Asterisk configuration in a separate post. This post is just the steps taken to install Fail2ban and block SSH attacks.

To install fail2ban on Debian/Ubuntu and create a local file for your own jail settings:

sudo apt-get install fail2ban
sudo apt-get install python iptables 
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo /etc/init.d/fail2ban restart

If you're not running Ubuntu 9.04 you can skip the next section, unless you're seeing "Unexpected communication" errors in /var/log/fail2ban.log. These errors occur because Ubuntu 9.04 runs Python 2.6 by default, so fail2ban-server needs to be pointed at Python 2.5 instead:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5
sudo nano /usr/bin/fail2ban-server
Change the first line from
#!/usr/bin/python
to
#!/usr/bin/python2.5

Once that is done, restart fail2ban and the communication errors should no longer occur:

sudo /etc/init.d/fail2ban restart

Now that fail2ban is installed and working, the next step is to configure it for your needs. The following is an example /etc/fail2ban/jail.local configured to protect SSH. Settings in jail.local override the ones in jail.conf; in this example every jail has been removed except the one for SSH. Be sure to edit destemail and the sender address in the mail action so notifications go to an appropriate address. Note that the config parser fail2ban uses does not treat a trailing "# ..." on a value line as a comment, so comments have to sit on their own lines:

# Fail2Ban local configuration file.

[DEFAULT]
# Addresses that must never be banned: the server itself, your own IP and
# any other hosts it is important not to lock out. Hostnames and CIDR
# ranges are accepted. Replace your.externalip.com with your own address.
ignoreip = 127.0.0.1 your.externalip.com

# Default ban time for all jails, in seconds (10 minutes)
bantime  = 600
# Failures allowed within findtime (600 s unless overridden) before a ban
maxretry = 3

# Email address alerts should be sent to
destemail = fail2ban@yourdomain.com

# Ban action used by the action_* templates in jail.conf
banaction = iptables-multiport

# MTA used by the %(mta)s-whois actions in jail.conf. Only sendmail and
# mail have matching actions; ssmtp provides a sendmail-compatible
# /usr/sbin/sendmail, so this stays sendmail when ssmtp is the MTA.
mta = sendmail

# This jail watches SSH login attempts recorded in /var/log/auth.log and
# bans the source IP after 3 failures, for the default bantime of 10 minutes.
[ssh]
enabled  = true
port     = ssh
filter   = sshd
# Two actions: the firewall ban and a mail notification. The second line
# is a continuation of the same value and must be indented.
# iptables[name=SSH] alone is equivalent, as the action defaults to
# port=ssh, protocol=tcp.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail[name=SSH, dest=%(destemail)s, sender=fail2ban@yourdomain.com]
logpath  = /var/log/auth.log
maxretry = 3

Turning it On

Now it is time to start fail2ban. However, there are a couple of steps we need to do first.

Enable IPTABLES

By default iptables allows all traffic (the built-in chains have an ACCEPT policy), so enabling it will not block anything until Fail2Ban adds its deny rules. Fail2Ban's iptables actions create their own chain and insert a jump to it at the top of INPUT, so bans are evaluated before any rules you have configured yourself; everything fail2ban does not ban is still governed by your own ruleset.

Make sure you have your own iptables rules configured and working before going any further.

On Red Hat-derived distributions iptables has its own init script, started as root with:

/etc/init.d/iptables start

Debian and Ubuntu do not ship that script: iptables rules are active as soon as they are loaded, and the iptables-persistent package is the usual way to restore a saved ruleset at boot. Either way, confirm your rules are loaded with iptables -L -n before continuing.
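The following Python script is an added illustration (not fail2ban's code and not part of the original post) of what the [ssh] jail above and the iptables behaviour described in this section amount to: it replays a few constructed /var/log/auth.log lines through a simplified version of the sshd filter's failregex, skips addresses covered by ignoreip, bans a host once maxretry failures fall inside findtime, and prints the iptables commands, which follow the form of those in fail2ban's action.d/iptables.conf (a fail2ban-SSH chain with a jump inserted at the top of INPUT). The log lines, the documentation-range addresses, the year 2013 and the findtime of 600 s are assumptions.

```python
"""Model of the [ssh] jail: match sshd failures, honour ignoreip, ban after
maxretry failures inside findtime, emit the iptables commands the ban action
runs. Added illustration only; this is not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log extract (documentation addresses, no real host).
AUTH_LOG = """\
Sep 24 10:15:01 pbx sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 24 10:15:03 pbx sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Sep 24 10:15:05 pbx sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 24 10:16:00 pbx sshd[2110]: Accepted publickey for mark from 198.51.100.9 port 40010 ssh2
Sep 24 10:20:00 pbx sshd[2120]: Failed password for mark from 198.51.100.9 port 40011 ssh2
Sep 24 10:20:02 pbx sshd[2121]: Failed password for mark from 198.51.100.9 port 40012 ssh2
Sep 24 10:20:04 pbx sshd[2122]: Failed password for mark from 198.51.100.9 port 40013 ssh2
Sep 24 10:30:00 pbx sshd[2130]: Failed password for root from 192.0.2.50 port 6000 ssh2
Sep 24 10:45:00 pbx sshd[2131]: Failed password for root from 192.0.2.50 port 6001 ssh2
Sep 24 11:00:00 pbx sshd[2132]: Failed password for root from 192.0.2.50 port 6002 ssh2
"""

# Simplified stand-in for the sshd filter's failregex; fail2ban's <HOST>
# tag becomes the "host" group here.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Values from the jail.local above; findtime is jail.conf's default of 600 s.
# 198.51.100.9 stands in for your.externalip.com (assumed).
JAIL = dict(name="SSH", port="ssh", protocol="tcp",
            ignoreip=["127.0.0.1", "198.51.100.9"],
            maxretry=3, findtime=600, bantime=600)


def is_ignored(ip, ignoreip):
    """True if ip is covered by any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def iptables_start(name, port, protocol):
    """Commands run when the jail starts: a dedicated chain that falls
    through by default, and a jump to it inserted at the top of INPUT."""
    return [
        f"iptables -N fail2ban-{name}",
        f"iptables -A fail2ban-{name} -j RETURN",
        f"iptables -I INPUT -p {protocol} --dport {port} -j fail2ban-{name}",
    ]


def iptables_ban(name, ip):
    return f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP"


def iptables_unban(name, ip):
    return f"iptables -D fail2ban-{name} -s {ip} -j DROP"


def run_jail(log_text, jail, year=2013):
    """Replay log lines through the jail. Returns a list of
    (ip, ban_time, ban_command, unban_command) in ban order.
    auth.log timestamps carry no year, so one is assumed."""
    recent = defaultdict(list)          # ip -> failure times inside findtime
    banned = set()
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                    # successful logins are not failures
        ip = m.group("host")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in banned or is_ignored(ip, jail["ignoreip"]):
            continue
        # Slide the window: keep only failures within findtime of this one.
        recent[ip] = [t for t in recent[ip]
                      if (ts - t).total_seconds() <= jail["findtime"]] + [ts]
        if len(recent[ip]) >= jail["maxretry"]:
            banned.add(ip)
            bans.append((ip, ts, iptables_ban(jail["name"], ip),
                         iptables_unban(jail["name"], ip)))
    return bans


if __name__ == "__main__":
    for cmd in iptables_start(JAIL["name"], JAIL["port"], JAIL["protocol"]):
        print(cmd)
    for ip, when, ban_cmd, unban_cmd in run_jail(AUTH_LOG, JAIL):
        print(f"{when:%H:%M:%S} ban {ip}: {ban_cmd}")
        print(f"  unban after {JAIL['bantime']} s: {unban_cmd}")
```

Only 203.0.113.7 gets banned: 198.51.100.9 fails three times but is in ignoreip, and 192.0.2.50's failures are 15 minutes apart, so it never has three inside findtime, which is why a slow, patient brute force needs a longer findtime or a lower maxretry. On a real host the filter itself can be checked against your own log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, and current bans with iptables -L fail2ban-SSH -n.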

Enable Fail2Ban

To start Fail2Ban, run the following as root:

/etc/init.d/fail2ban start

Turn it on for good

If all is well up to this point, let's make sure that fail2ban and your firewall rules come back with the server after a reboot.

Debian/Ubuntu:

update-rc.d iptables defaults 
update-rc.d fail2ban defaults

The fail2ban package already registers its init script when it is installed, so the second command only confirms it. The first applies only if you have installed an iptables init script of your own; Debian and Ubuntu do not ship one, and the iptables-persistent package is the usual way to reload a saved ruleset at boot.
