Introduction

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading the logs of services such as SSH, ProFTPD and Apache, and uses iptables rules to block the source addresses of brute-force attempts.

Installation

To install fail2ban, type the following in the terminal:

sudo apt-get install fail2ban 

Configuration

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban:

cd /etc/fail2ban
sudo cp jail.conf jail.local 

Now edit the file:

sudo nano jail.local 

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of failed attempts to your liking:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 3 

Email Notification

Note: You will need sendmail or another MTA installed for this to work.

If you wish to be notified of bans by email, modify this line with your email address:

destemail = your_email@domain.com 

Then find the line:

action = %(action_)s 

and change it to

action = %(action_mw)s 

Jail Configuration

Jails are the rules that fail2ban applies to a given application and its log file:

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

To enable the other profiles, such as [ssh-ddos], make sure the first line beneath the section header reads:

enabled = true 

Once done, restart fail2ban to put those settings into effect:

sudo /etc/init.d/fail2ban restart 

Advanced: Filters

If you wish to tweak or add log filters (the failregex patterns that decide which log lines count as a failed attempt), you can find them in

/etc/fail2ban/filter.d 
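The [DEFAULT] settings, the [ssh] jail and the filters in filter.d work together: a filter's failregex picks out failed attempts from the log, and the jail bans a host once it reaches maxretry matches within findtime seconds, unless the host is in ignoreip. The script below is an added illustration of that decision logic, not code from fail2ban itself; it uses a simplified sshd-style regex (the real filter.d/sshd.conf has many more patterns), constructed auth.log lines, and an assumed findtime of 600 seconds, which this page does not set. Only IP and CIDR ignoreip entries are handled, not DNS hosts.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed jail settings mirroring the jail.local keys shown on this page.
# findtime (the window for counting retries) is assumed; the page does not set it.
JAIL = {
    "ignoreip": ["127.0.0.1"],
    "bantime": 3600,
    "findtime": 600,
    "maxretry": 3,
}

# Simplified stand-in for one of the sshd failregex patterns. In a real filter
# the <HOST> placeholder expands to a capture group like the one named "host".
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed /var/log/auth.log sample (not a real capture).
AUTH_LOG = """\
Mar 28 02:40:01 host sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar 28 02:40:10 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar 28 02:40:12 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 28 02:40:15 host sshd[1004]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 28 02:41:00 host sshd[1005]: Failed password for bob from 127.0.0.1 port 40010 ssh2
Mar 28 02:41:01 host sshd[1006]: Failed password for bob from 127.0.0.1 port 40011 ssh2
Mar 28 02:41:02 host sshd[1007]: Failed password for bob from 127.0.0.1 port 40012 ssh2
Mar 28 02:50:00 host sshd[1008]: Failed password for bob from 198.51.100.9 port 40020 ssh2
Mar 28 03:10:00 host sshd[1009]: Failed password for bob from 198.51.100.9 port 40021 ssh2
Mar 28 03:10:05 host sshd[1010]: Failed password for bob from 198.51.100.9 port 40022 ssh2
"""


def parse_ts(text, year=2013):
    # syslog timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def is_ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (single IP or CIDR)."""
    addr = ip_address(host)
    return any(addr in ip_network(entry, strict=False) for entry in ignoreip)


def failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield parse_ts(m.group("ts")), m.group("host")


def decide_bans(log_text, jail):
    """Return {host: ban_expiry} for hosts reaching maxretry failures inside findtime."""
    window = timedelta(seconds=jail["findtime"])
    recent = {}  # host -> failure timestamps still inside the window
    bans = {}
    for ts, host in failures(log_text):
        if host in bans or is_ignored(host, jail["ignoreip"]):
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= jail["maxretry"]:
            bans[host] = ts + timedelta(seconds=jail["bantime"])
    return bans


if __name__ == "__main__":
    for host, until in decide_bans(AUTH_LOG, JAIL).items():
        print(f"ban {host} until {until:%Y-%m-%d %H:%M:%S}")
```

With the sample above only 203.0.113.7 is banned: 127.0.0.1 is excluded by ignoreip, and 198.51.100.9 never accumulates three failures inside one findtime window, which is why raising findtime (or lowering maxretry) catches slower attempts.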

Testing

To test fail2ban, look at the iptables rules:

sudo iptables -L 

Make several failed login attempts against a service that fail2ban is monitoring (preferably from another machine) and look at the iptables rules again to see whether that source IP gets added.
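Reading the iptables listing by eye works, but a small parser makes the check repeatable. The script below is an added example, not part of this page or of fail2ban: it takes the output of sudo iptables -L -n (the -n flag keeps addresses numeric instead of resolving hostnames), walks the fail2ban-* chains and reports which source addresses are currently rejected. The listing embedded here is constructed from the jail configured above.

```python
import sys

# Constructed output of `sudo iptables -L -n` after fail2ban banned one host.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

BLOCKING_TARGETS = {"REJECT", "DROP"}


def banned_hosts(listing):
    """Map each fail2ban-* chain to the source addresses it currently blocks."""
    result = {}
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            if chain.startswith("fail2ban-"):
                result[chain] = []
            continue
        if chain is None or not chain.startswith("fail2ban-"):
            continue
        fields = line.split()
        # Skip the column header, blank lines and the catch-all RETURN rule.
        if len(fields) < 4 or fields[0] not in BLOCKING_TARGETS:
            continue
        source = fields[3]
        if source not in ("0.0.0.0/0", "anywhere"):
            result[chain].append(source)
    return result


def is_banned(listing, ip):
    return any(ip in hosts for hosts in banned_hosts(listing).values())


if __name__ == "__main__":
    # Usage: sudo iptables -L -n | python3 check_bans.py   (or run with no input for the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for chain, hosts in banned_hosts(text).items():
        print(f"{chain}: {', '.join(hosts) or 'no bans'}")
```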


Remarks (Robert van Reems): To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.

Fail2ban (last edited 2013-03-28 02:46:15 by c-76-25-23-72)