Thursday, 12 September 2013

Fail2Ban is an intrusion prevention framework written in Python


Introduction

Fail2Ban is an intrusion prevention framework written in Python. It watches service logs (sshd, ProFTPD, Apache and others) for repeated failures from one source address and, once that address exceeds a failure threshold within a time window, bans it for a set period by inserting firewall rules (iptables by default). This blunts brute-force and password-guessing attempts; it is a rate limit in front of the service, not a replacement for strong passwords or key-based SSH authentication.

Installation

On Debian and Ubuntu, fail2ban is in the package repositories. To install it, type the following in the terminal:
sudo apt-get install fail2ban 

Configuration

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban. fail2ban reads jail.conf first and then jail.local, so values in jail.local override the defaults, and jail.conf itself is replaced on package upgrades, which is why edits belong in jail.local:
cd /etc/fail2ban
sudo cp jail.conf jail.local 
Now edit the file:
sudo nano jail.local 
Set the addresses fail2ban must never ban (ignoreip, a space-separated list of IPs, CIDR networks or DNS hosts), the ban length in seconds (bantime) and the number of failures that triggers a ban (maxretry). Include the address or network you administer from in ignoreip, otherwise a few mistyped passwords of your own will lock you out. maxretry counts failures within a sliding window of findtime seconds (600 unless you set it), so with the values below three failures in ten minutes earn a one-hour ban, while three failures spread over an hour do not:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 3

Email Notification

Note: this needs a working MTA (sendmail, Postfix or similar) on the host, and the mail action below also runs whois on the banned address, so the whois package should be installed too.
If you wish to be notified of bans by email, set destemail to your address:
destemail = your_email@domain.com
Then find the line:
action = %(action_)s
and change it to
action = %(action_mw)s
action_ only bans; action_mw bans and mails a report with whois information about the offending address (action_mwl additionally appends the matching log lines). Every mail action sends one message per ban, which on an internet-facing SSH host can mean many messages a day.

Jail Configuration

Jails are the rules fail2ban applies to one service and its log. Each jail names the filter (a set of failregex patterns from filter.d) used to recognise failures, the log to scan and the port to block; settings given inside the jail override those in [DEFAULT]. On Ubuntu 12.04 (fail2ban 0.8) the SSH jail is called [ssh]; in fail2ban 0.9 and later it is [sshd].
[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3
To enable other jails, such as [ssh-ddos], set the first line beneath their headings to:
enabled = true
Once done, restart fail2ban to put those settings into effect:
sudo /etc/init.d/fail2ban restart

Advanced: Filters

If you wish to tweak or add log filters (the failregex patterns a jail uses to recognise a failed attempt), you can find them in
/etc/fail2ban/filter.d
After editing a filter, run the fail2ban-regex tool against a real log file and the filter file before restarting: it reports how many lines matched and which did not, which is far quicker than waiting for a live ban that never comes because the regex missed a change in log format.
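To make the interaction of the pieces above concrete (the log scanning described in the Introduction, the [DEFAULT] settings, the [ssh] jail and a filter's failregex), here is an added example in Python. It is my own code, not fail2ban's, and emulates one jail end to end: it reads a jail.local-style configuration with configparser, expands the <HOST> placeholder the way the fail2ban 0.8 series does, scans constructed auth.log lines and applies ignoreip, findtime, maxretry and bantime to decide which addresses would be banned. The log lines, the year assumed for the syslog timestamps (2013) and the two failregex patterns are constructed for the example and are simplified relative to the real filter.d/sshd.conf; DNS names in ignoreip are not handled.

```python
import configparser
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed jail.local-style config; findtime (fail2ban default 600 s) is the
# window inside which maxretry failures must occur before a ban is issued.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1 10.0.0.0/8
bantime  = 3600
findtime = 600
maxretry = 3

[ssh]
enabled = true
"""

# Simplified patterns in the style of filter.d/sshd.conf. fail2ban replaces the
# <HOST> placeholder with a named group before compiling (0.8-series form below).
FAILREGEX = [
    r"Failed (?:password|publickey) for .* from <HOST>(?: port \d+)?(?: ssh\d*)?$",
    r"Invalid user .* from <HOST>$",
]
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed auth.log excerpt: a fast brute-force run, three failures from an
# ignored network, a slow run that never reaches maxretry inside findtime, a success.
AUTH_LOG = """\
Sep 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 12 10:00:04 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Sep 12 10:00:09 host sshd[1003]: Invalid user admin from 203.0.113.5
Sep 12 10:05:00 host sshd[1004]: Failed password for alice from 10.1.2.3 port 40000 ssh2
Sep 12 10:05:01 host sshd[1005]: Failed password for alice from 10.1.2.3 port 40001 ssh2
Sep 12 10:05:02 host sshd[1006]: Failed password for alice from 10.1.2.3 port 40002 ssh2
Sep 12 10:10:00 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40100 ssh2
Sep 12 10:30:00 host sshd[1008]: Failed password for bob from 198.51.100.7 port 40101 ssh2
Sep 12 10:50:00 host sshd[1009]: Failed password for bob from 198.51.100.7 port 40102 ssh2
Sep 12 10:50:01 host sshd[1010]: Accepted password for carol from 192.0.2.9 port 40200 ssh2
"""

SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")

def load_jail(text, name):
    """Effective settings of jail `name`; configparser merges [DEFAULT] in."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[name]
    return {
        # fail2ban also accepts DNS names in ignoreip; only IPs and CIDRs handled here
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
        "bantime": timedelta(seconds=sec.getint("bantime")),
        "findtime": timedelta(seconds=sec.getint("findtime")),
        "maxretry": sec.getint("maxretry"),
        "failregex": [re.compile(r.replace("<HOST>", HOST_GROUP)) for r in FAILREGEX],
    }

def parse_line(line, year=2013):  # syslog lines carry no year; 2013 is assumed
    """(timestamp, message) for a syslog line, or (None, None) if it is not one."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None, None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]

def match_failure(msg, failregex):
    # host captured by the first failregex that matches the message, else None
    for rx in failregex:
        m = rx.search(msg)
        if m:
            return m["host"]
    return None

def is_ignored(host, networks):
    try:
        return any(ipaddress.ip_address(host) in net for net in networks)
    except ValueError:
        return False  # not an IP literal: never ignored by this emulation

def scan(log_text, jail):
    """Replay the log and return {host: (ban_time, unban_time)}."""
    failures = defaultdict(list)  # host -> failure timestamps still inside findtime
    bans = {}
    for line in log_text.splitlines():
        ts, msg = parse_line(line)
        if ts is None:
            continue
        host = match_failure(msg, jail["failregex"])
        if host is None or is_ignored(host, jail["ignoreip"]):
            continue
        recent = [t for t in failures[host] if ts - t <= jail["findtime"]] + [ts]
        if len(recent) >= jail["maxretry"]:
            bans[host] = (ts, ts + jail["bantime"])
            recent = []  # counting starts afresh once the ban has expired
        failures[host] = recent
    return bans

def banned_hosts(jail_name="ssh"):
    return scan(AUTH_LOG, load_jail(JAIL_LOCAL, jail_name))

if __name__ == "__main__":
    for host, (start, end) in banned_hosts().items():
        print(f"{host}: banned at {start:%H:%M:%S}, unbanned at {end:%H:%M:%S}")
```

Only 203.0.113.5 ends up banned: it makes three matching failures inside nine seconds. 10.1.2.3 fails three times just as fast but sits inside the ignored 10.0.0.0/8, and 198.51.100.7 never has three failures inside one findtime window, which is exactly the slow-guessing pattern a short findtime lets through; lengthening findtime or lowering maxretry in jail.local is the usual answer, at the cost of more false bans.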

Testing

To test fail2ban, first list the iptables rules and check that a chain exists for each enabled jail (fail2ban-ssh for the jail above):
sudo iptables -L -n
Then, from another machine whose address is not in ignoreip, make maxretry failed login attempts against a monitored service and list the rules again: the source IP should now appear in that jail's chain, and fail2ban-client status ssh lists it among the banned IPs. Test from the server itself only if your own address is covered by ignoreip, otherwise you ban yourself until bantime expires.


Remarks (Robert van Reems): To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.