Thursday, July 23, 2020

Fail2ban

Introduction


Fail2ban is software that helps protect Linux servers from brute-force login attempts. A common example is SSH, which is routinely subjected to brute-force attacks that try to guess the passwords of common account names.

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

The basic idea behind fail2ban is to monitor the logs of common services to spot patterns in authentication failures.

Install steps


Install Fail2Ban on Ubuntu

# apt-get update
# apt-get install fail2ban

Install Fail2ban on CentOS

While Fail2ban is not available in the official CentOS package repository, it is packaged in the EPEL repository. EPEL, which stands for Extra Packages for Enterprise Linux, can be enabled by installing a release package that is available from CentOS.

# yum install epel-release 
# yum install fail2ban

Once the installation has finished, use systemctl or chkconfig to enable the fail2ban service.

# systemctl enable fail2ban
or
# chkconfig fail2ban on

Fail2ban Service Settings


Fail2ban is configured through a variety of files located in the /etc/fail2ban/ directory.

The fail2ban.conf file configures some basic operational settings, such as how the daemon logs information and which socket and pid file it uses. The main configuration, however, takes place in the file jail.conf.

Note:- Fail2ban watches the service logs and creates rules that automatically alter your iptables firewall configuration once a predefined number of unsuccessful login attempts is reached.

Config

Bantime for an IP:- 10 hours (36000 seconds in conf file)
Number of failed attempts:- 3 (after 3 failed attempts the IP is blocked)
Services Watched by Fail2ban:- ssh, vsftp, Apache

How To check IP in iptables

If one of our users is not able to access our Linux servers, it is possible that the user's IP has been blocked due to too many failed login attempts.

To check whether the IP has been blocked, run the command below as root.

# iptables -L -n --line-numbers (this lists the iptables rules with their numbers; check whether the IP appears in a fail2ban chain)

Sample output:
Chain fail2ban-ssh (2 references)
num      target         prot opt source               destination
1    DROP       all  --  59.45.175.66         0.0.0.0/0
2    DROP       all  --  74.112.255.218       0.0.0.0/0
3    DROP       all  --  59.45.175.64         0.0.0.0/0
4    DROP       all  --  190.152.110.202      0.0.0.0/0
5    DROP       all  --  85.105.212.12        0.0.0.0/0
6    DROP       all  --  59.45.175.56         0.0.0.0/0
7    DROP       all  --  59.45.175.67         0.0.0.0/0
8    DROP       all  --  201.178.113.162      0.0.0.0/0
9    DROP       all  --  59.45.175.86         0.0.0.0/0
10  DROP       all  --  101.66.253.100       0.0.0.0/0
11  DROP       all  --  59.45.175.88         0.0.0.0/0
12  DROP       all  --  27.194.249.192       0.0.0.0/0
13  DROP       all  --  123.96.174.30        0.0.0.0/0
14  DROP       all  --  221.122.101.203      0.0.0.0/0


# iptables -L -n --line-numbers | grep our-IP (shows whether the IP in question is blocked, or has some other rule against it)
# iptables -D fail2ban-ssh num (if the IP you want to unban is rule number 5 in the fail2ban-ssh chain, then num is 5 and fail2ban-ssh is the chain the rule is in; -D deletes an iptables rule)
# iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT (adds a rule to accept all incoming connections from the IP)
# iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT (adds a rule to accept all outgoing connections to the IP)
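As an added example (not part of the original post), a small POSIX shell helper that parses `iptables -L -n --line-numbers` output, prints the chain and rule number for a banned IP (the pair the `iptables -D` step above needs) and counts active fail2ban bans. The listing is constructed from the post's sample with an INPUT chain added, and the function names are my own.

```shell
#!/bin/sh
# Constructed listing in the format of `iptables -L -n --line-numbers`,
# built from the fail2ban-ssh entries shown in the post plus an INPUT
# chain so the parser has more than one chain to keep apart.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target        prot opt source               destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
2    ACCEPT        all  --  192.168.5.0/24       0.0.0.0/0

Chain fail2ban-ssh (2 references)
num  target        prot opt source               destination
1    DROP          all  --  59.45.175.66         0.0.0.0/0
2    DROP          all  --  74.112.255.218       0.0.0.0/0
3    DROP          all  --  59.45.175.64         0.0.0.0/0
4    DROP          all  --  190.152.110.202      0.0.0.0/0
5    DROP          all  --  85.105.212.12        0.0.0.0/0
6    RETURN        all  --  0.0.0.0/0            0.0.0.0/0'

# find_ban_rule IP [LISTING]
# Prints "<chain> <num>" for every DROP rule whose source is exactly IP.
# Reads the live firewall when no listing is passed (needs root).
# Exit status is 1 when the IP is not banned anywhere.
find_ban_rule() {
  ip=$1
  listing=${2:-$(iptables -L -n --line-numbers)}
  printf '%s\n' "$listing" | awk -v ip="$ip" '
    /^Chain / { chain = $2; next }            # remember the current chain
    $2 == "DROP" && $5 == ip { print chain, $1; found = 1 }
    END { exit found ? 0 : 1 }'
}

# count_banned [LISTING]
# Number of DROP rules across every fail2ban-* chain, i.e. active bans.
count_banned() {
  listing=${1:-$(iptables -L -n --line-numbers)}
  printf '%s\n' "$listing" | awk '
    /^Chain / { infb = ($2 ~ /^fail2ban-/) }  # only count inside fail2ban chains
    infb && $2 == "DROP" { n++ }
    END { print n + 0 }'
}

# Demo against the constructed listing
find_ban_rule 85.105.212.12 "$SAMPLE_RULES"   # prints: fail2ban-ssh 5
```

Rule numbers shift as soon as one rule is deleted, so remove bans one at a time and re-run the lookup in between. Where fail2ban-client is available, `fail2ban-client set <jail> unbanip <ip>` removes the ban and keeps fail2ban's own ban list in sync with iptables.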

How to whitelist an IP in Fail2ban

Fail2ban uses iptables to block attackers, so if we want an IP address never to be blocked, we must add it to the config file.

First, edit the config file:
# vim /etc/fail2ban/jail.conf


Then, find the line:
ignoreip =
Now add all the IPs you want. Each IP or IP range must be placed there, separated by a space. Ex: 192.168.0.1 192.168.5.0/32
Save, and restart Fail2ban:

# service fail2ban restart
