Introduction
Fail2ban is software that helps protect Linux servers from brute-force login attempts. A common example is SSH, which is constantly subjected to brute-force attacks that try common account names with guessed passwords.
Fail2ban works by dynamically altering the firewall rules to ban addresses that have failed to log in a certain number of times.
The basic idea behind fail2ban is to monitor the logs of common services for patterns of authentication failures.
Install steps
Install Fail2Ban on Ubuntu
# apt-get update
# apt-get install fail2ban
Install Fail2ban on CentOS
Fail2ban is not in the official CentOS package repository, but it is packaged in EPEL (Extra Packages for Enterprise Linux). The EPEL repository is enabled by installing the epel-release package, which CentOS ships in its Extras repository.
# yum install epel-release
# yum install fail2ban
Once the installation has finished, enable the fail2ban service so it starts at boot: use systemctl on CentOS 7 and later, or chkconfig on CentOS 6 (SysV init). Enabling only arranges the start at boot; start the daemon now with systemctl start fail2ban or service fail2ban start.
# systemctl enable fail2ban
or
# chkconfig fail2ban on
Fail2ban Service Settings
Fail2ban is configured through a set of files in the /etc/fail2ban/ directory.
The fail2ban.conf file configures basic operational settings such as how the daemon logs, and the socket and pid file it uses. The main configuration, however, takes place in jail.conf, which defines the jails (one per watched service), and in jail.local, where local overrides belong: jail.conf is replaced on package upgrades, while jail.local is left alone and its settings take precedence.
Note: Fail2ban watches the service logs and adds rules that automatically alter the iptables firewall configuration after a predefined number of unsuccessful login attempts from the same address.
Config
Ban time for an IP: 10 hours (bantime = 36000, in seconds, in the config file)
Number of failed attempts: 3 (maxretry = 3; after 3 failed attempts within the findtime window the IP is banned)
Services watched by Fail2ban: ssh, vsftpd, Apache
How To check IP in iptables
If one of our users is unable to reach a Linux server, it is possible that the user's IP has been banned after too many failed login attempts.
To check whether the IP has been banned, run the following command as root.
# iptables -L -n --line-numbers (lists the iptables rules with their numbers; look in the fail2ban-* chains for the IP)
Sample
Chain fail2ban-ssh (2 references)
num target prot opt source destination
1 DROP all -- 59.45.175.66 0.0.0.0/0
2 DROP all -- 74.112.255.218 0.0.0.0/0
3 DROP all -- 59.45.175.64 0.0.0.0/0
4 DROP all -- 190.152.110.202 0.0.0.0/0
5 DROP all -- 85.105.212.12 0.0.0.0/0
6 DROP all -- 59.45.175.56 0.0.0.0/0
7 DROP all -- 59.45.175.67 0.0.0.0/0
8 DROP all -- 201.178.113.162 0.0.0.0/0
9 DROP all -- 59.45.175.86 0.0.0.0/0
10 DROP all -- 101.66.253.100 0.0.0.0/0
11 DROP all -- 59.45.175.88 0.0.0.0/0
12 DROP all -- 27.194.249.192 0.0.0.0/0
13 DROP all -- 123.96.174.30 0.0.0.0/0
14 DROP all -- 221.122.101.203 0.0.0.0/0
# iptables -L -n --line-numbers | grep -w our-IP (shows whether the IP in question is banned or has some other rule against it; -w matches the whole address, because a plain grep for 59.45.175.6 would also match 59.45.175.66 and 59.45.175.64 above)
# iptables -D fail2ban-ssh num (deletes rule number num from the fail2ban-ssh chain; if the IP you want to unban is on line 5 of that chain, num is 5. Rule numbers shift after every deletion, so re-list the chain before deleting another. Fail2ban itself still considers the address banned after a manual delete, and versions 0.9 and later restore bans from their database on restart, so the reliable way to unban is fail2ban-client set ssh unbanip XXX.XXX.XXX.XXX, available since 0.8.8, where ssh is the jail name taken from the chain name)
# iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT (appends a rule accepting incoming TCP connections from the IP)
# iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT (appends a rule accepting outgoing TCP connections to the IP)
Note that these two ACCEPT rules do not lift a ban: fail2ban inserts its jump into the fail2ban-ssh chain at the top of INPUT, so a banned source is dropped before an appended ACCEPT is ever consulted. They only matter on hosts whose INPUT/OUTPUT policy is DROP; the ban itself must be removed as above, or the address added to ignoreip so it is never banned again.
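As an added example (not commands from the original post), the following POSIX shell script does the lookup above mechanically: it finds the fail2ban chain and rule number holding a ban for an exact address in the output of iptables -L -n --line-numbers, and prints the fail2ban-client command that lifts the ban. The ruleset embedded in it is a constructed excerpt of the post's own listing, with the INPUT jump that fail2ban installs added, so the script runs without root; the f2b- prefix check is an assumption covering the chain naming used by fail2ban 0.9 and later.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Find which fail2ban chain and rule number hold a ban for an exact IP address in
# the output of `iptables -L -n --line-numbers`, and derive the fail2ban-client
# command that lifts the ban properly. The ruleset below is a constructed excerpt
# of the post's listing (plus the INPUT jump fail2ban installs) so the script runs
# without root; on a live host pipe the real iptables output in instead.

SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target        prot opt source           destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 22

Chain fail2ban-ssh (1 references)
num  target  prot opt source           destination
1    DROP    all  --  59.45.175.66     0.0.0.0/0
2    DROP    all  --  74.112.255.218   0.0.0.0/0
3    DROP    all  --  59.45.175.64     0.0.0.0/0
4    DROP    all  --  190.152.110.202  0.0.0.0/0
5    DROP    all  --  85.105.212.12    0.0.0.0/0
6    RETURN  all  --  0.0.0.0/0        0.0.0.0/0'

# ban_rule IP  (iptables listing on stdin)
# Prints "CHAIN NUM" for every DROP/REJECT rule whose source field equals IP exactly,
# inside a chain created by fail2ban (fail2ban-<jail> on 0.8.x, f2b-<jail> on 0.9+).
# The comparison is on the whole field: a plain `grep 59.45.175.6` would also match
# 59.45.175.66 and 59.45.175.64 and report a ban that is not there.
ban_rule() {
    awk -v ip="$1" '
        /^Chain / { chain = $2; next }        # track the chain each rule belongs to
        chain ~ /^(fail2ban|f2b)-/ && $2 ~ /^(DROP|REJECT)$/ && $5 == ip {
            print chain, $1                    # $1 = rule number, $5 = source column
        }'
}

# unban_command IP  (iptables listing on stdin)
# Prints the fail2ban-client invocation for each jail banning IP. The jail name is the
# chain name without its prefix. Deleting the rule with `iptables -D` alone leaves
# fail2ban believing the address is banned; `unbanip` (0.8.8+) clears both.
unban_command() {
    ban_rule "$1" | while read -r chain num; do
        jail=${chain#fail2ban-}
        jail=${jail#f2b-}
        echo "fail2ban-client set $jail unbanip $1"
    done
}

# Demonstration on the constructed sample. On a real host (as root):
#   iptables -L -n --line-numbers | unban_command 59.45.175.64
printf '%s\n' "$SAMPLE_RULES" | ban_rule 59.45.175.64        # fail2ban-ssh 3
printf '%s\n' "$SAMPLE_RULES" | unban_command 59.45.175.64   # fail2ban-client set ssh unbanip 59.45.175.64
```

Searching the sample for 59.45.175.6 with the exact-field comparison finds nothing, while a plain grep for the same string reports a hit on 59.45.175.66, which is exactly the false positive that sends an admin to delete the wrong rule.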
How to whitelist an IP in Fail2ban
Fail2ban uses iptables to block attackers, so if we want an address that is never banned (the admin workstation, a monitoring host, a jump box), it must be listed in the config file.
First, create or edit the local override file (jail.conf is overwritten on package upgrades; settings in jail.local take precedence over it):
# vim /etc/fail2ban/jail.local
Then set the line under [DEFAULT]:
ignoreip =
Add all the addresses you want, separated by spaces. Each entry is a single IP or a CIDR range, e.g. 192.168.0.1 192.168.5.0/24. Keep 127.0.0.1/8 in the list, as the stock default does, so local connections are never banned. An ignoreip line inside a specific jail section overrides the default for that jail only.
Save, then restart Fail2Ban (or run fail2ban-client reload, which re-reads the configuration):
service fail2ban restart
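The Config section above (10-hour ban, 3 failures, ssh/vsftpd/Apache jails) and this whitelist section describe the same file, so here is one added example, not code from the original post or the fail2ban project, that writes those settings into jail.local and reads them back with a small INI reader. It assumes the fail2ban 0.9+ jail names sshd, vsftpd and apache-auth; the 0.8.x Debian packages called them ssh, vsftpd and apache, which is where the fail2ban-ssh chain shown earlier comes from. The findtime value is the stock default, included because maxretry only makes sense together with the window it is counted in.

```shell
#!/bin/sh
# Added example, not code from the original post or the fail2ban project.
# Writes the settings described in the post (10-hour ban, 3 failures, ssh/vsftpd/Apache
# jails, ignoreip whitelist) into jail.local and reads them back. jail.local is used
# rather than jail.conf because jail.conf is replaced on package upgrades while
# jail.local persists and overrides it.
# Assumed jail names are the fail2ban 0.9+ ones (sshd, vsftpd, apache-auth); the 0.8.x
# Debian packages called them ssh, vsftpd and apache, matching the fail2ban-ssh chain
# shown earlier in the post.

# write_jail_local DIR [IP_OR_CIDR...]   writes DIR/jail.local
# Every extra argument goes into ignoreip; 127.0.0.1/8 is kept first, as the stock
# default does, so local connections are never banned.
write_jail_local() {
    dir=$1
    shift
    ignore="127.0.0.1/8${*:+ $*}"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# addresses that are never banned: loopback plus the admin hosts given as arguments
ignoreip = $ignore
# ban length, in seconds (10 hours)
bantime = 36000
# maxretry failures within findtime seconds trigger a ban (findtime is the stock default)
findtime = 600
maxretry = 3

[sshd]
enabled = true

[vsftpd]
enabled = true

[apache-auth]
enabled = true
EOF
}

# jail_setting FILE SECTION KEY   prints the value of KEY in [SECTION], empty if unset
# (a minimal INI reader; fail2ban itself inherits [DEFAULT] values into every jail,
# which this reader deliberately does not do, so you see what was written where)
jail_setting() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == want); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# Real use, as root: sh jail-local.sh /etc/fail2ban 192.168.0.1 192.168.5.0/24
# then `fail2ban-client reload` (or `service fail2ban restart`) to apply it.
if [ $# -gt 0 ]; then
    write_jail_local "$@"
    jail_setting "$1/jail.local" DEFAULT ignoreip
fi
```

Run it against a scratch directory first and inspect the result; only the [DEFAULT] section carries the ban parameters, so a jail that needs a different bantime or its own ignoreip gets those keys in its own section, where they override the defaults for that jail alone.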