Fail2Ban is an application that monitors your log files for potential intrusion attempts and then blocks the IP address of would-be attackers. In most cases administrators use it to limit the number of login attempts allowed against SSH within a period of time, which can make it very difficult for an attacker to brute force a login.
I use Fail2ban on my Asterisk server to block the daily brute force attacks against my PBX. I will post the Asterisk configuration in a separate post. This post is just the steps taken to install Fail2ban and block SSH attacks.
The process for installing fail2ban under Debian/Ubuntu is to:
sudo apt-get install fail2ban
sudo apt-get install python iptables
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo /etc/init.d/fail2ban restart
If you're not running Ubuntu 9.04 you can skip the next section, unless you're seeing "Unexpected communication errors" in the /var/log/fail2ban.log file. These errors occur because Ubuntu 9.04 runs Python 2.6 by default, so some modifications are needed:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5
sudo nano /usr/bin/fail2ban-server
Change the first line from #!/usr/bin/python to #!/usr/bin/python2.5
Once completed, restart fail2ban and the communication errors should no longer occur:
sudo /etc/init.d/fail2ban restart
Now that fail2ban is installed and working, the next step is to configure it for your needs. The following is an example /etc/fail2ban/jail.local file which has been configured for protecting SSH. Settings in jail.local override the ones in jail.conf; in this example all of the jails have been removed except the one for SSH. Be sure to edit the sendmail-whois action to send notifications to an appropriate address:
# Fail2Ban local configuration file.

[DEFAULT]
# Here you want to ignore IPs such as the IP of the server itself, your IP and any other IPs that it's important are not locked out.
ignoreip = 127.0.0.1 your.externalip.com
# Default ban time for all jails of 10 minutes
bantime = 600
maxretry = 3
# Email of where alerts should be sent to
destemail = email@example.com
# Ban action
banaction = iptables-multiport
# MTA to be used. I'm using ssmtp in this case but you could be using sendmail
mta = ssmtp

# This rule monitors ssh login attempts recorded in the /var/log/auth.log file and blocks the user after 3 attempts with the default bantime of 10 minutes
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH]
#action = iptables[name=SSH, port=ssh, protocol=tcp]
#         mail[name=SSH, firstname.lastname@example.org, email@example.com]
logpath = /var/log/auth.log
maxretry = 3
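To make clear what the [ssh] jail above actually does with /var/log/auth.log, here is a small Python model of it. This is an added example, not fail2ban's own code: the failure patterns are simplified versions of what the sshd filter looks for, the log lines are constructed, the year 2009 is assumed because syslog timestamps carry none, and findtime is taken as 600 seconds because the jail.local above does not set it and that is fail2ban's default. It shows the three behaviours an administrator should expect from the configuration: a host is banned on its third failure within the window, an address in ignoreip is never banned, and failures spread out over more than findtime do not add up to a ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.local in the post; findtime is fail2ban's default
# (assumed here, since the post's jail.local does not set it).
MAXRETRY = 3
BANTIME = 600
FINDTIME = 600
IGNOREIP = ("127.0.0.1",)

# Simplified stand-ins for the regexes in fail2ban's sshd filter (constructed
# for this example, not copied from /etc/fail2ban/filter.d/sshd.conf).
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"Invalid user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2009):
    """Syslog timestamps have no year; the year is an assumption of this example."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


class SshJail:
    """Counts sshd failures per source IP and 'bans' after maxretry within findtime."""

    def __init__(self, maxretry=MAXRETRY, bantime=BANTIME, findtime=FINDTIME, ignoreip=IGNOREIP):
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.findtime = timedelta(seconds=findtime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires
        self.actions = []                   # ordered ("ban"|"unban", ip), i.e. what iptables would see

    def _expire(self, now):
        # fail2ban unbans on its own timer; here we do it when the log clock passes bantime.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.actions.append(("unban", ip))

    def feed(self, line):
        now = parse_ts(line)
        self._expire(now)
        ip = None
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                ip = m.group("ip")
                break
        if ip is None or ip in self.ignoreip or ip in self.bans:
            return
        q = self.failures[ip]
        q.append(now)
        # Drop failures older than findtime so only a burst within the window counts.
        while q and now - q[0] > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            q.clear()
            self.actions.append(("ban", ip))

    def is_banned(self, ip):
        return ip in self.bans


# Constructed auth.log excerpt (addresses are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Jun 15 10:00:01 pbx sshd[2001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 15 10:00:05 pbx sshd[2001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 15 10:00:09 pbx sshd[2002]: Invalid user admin from 203.0.113.7
Jun 15 10:00:12 pbx sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 15 10:00:20 pbx sshd[2004]: Failed password for alice from 127.0.0.1 port 40000 ssh2
Jun 15 10:00:25 pbx sshd[2004]: Failed password for alice from 127.0.0.1 port 40000 ssh2
Jun 15 10:00:30 pbx sshd[2004]: Failed password for alice from 127.0.0.1 port 40000 ssh2
Jun 15 10:02:00 pbx sshd[2005]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Jun 15 10:14:00 pbx sshd[2006]: Failed password for bob from 198.51.100.9 port 40011 ssh2
Jun 15 10:14:30 pbx sshd[2007]: Failed password for bob from 198.51.100.9 port 40012 ssh2
Jun 15 10:20:00 pbx sshd[2008]: Accepted password for alice from 192.0.2.5 port 1234 ssh2
"""


def run_sample():
    jail = SshJail()
    for line in SAMPLE_AUTH_LOG.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for action, ip in run_sample().actions:
        print(f"{action:6s} {ip}")
```

Running it prints a ban for 203.0.113.7 at its third failure and an unban once 600 seconds of log time have passed; 127.0.0.1 is never touched because of ignoreip, and 198.51.100.9 never reaches three failures inside a 600-second window. The same logic is why the post's own jail needs ignoreip set correctly: the filter has no notion of "your" address beyond that list.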
Turning it On
Now it is time to start fail2ban. However, there are a couple of steps we need to do first.
By default, iptables allows all traffic. So if we turn it on, it will not block any traffic until Fail2Ban creates the deny rules. Fail2Ban, by default, inserts rules at the top of the chain, so they will override any rules you have configured in iptables.
Please make sure you have your own iptables rules configured and working before using the guide above.
To start iptables, run the following as root:
To start Fail2Ban, run the following as root:
Turn it on for good
If all is well up to this point, let’s make sure that fail2ban and iptables restart with the server by issuing the following commands.
update-rc.d iptables defaults
update-rc.d fail2ban defaults