Introduction
Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc.. and uses iptables profiles to block brute-force attempts.
Installation
To install fail2ban, type the following in the terminal:
sudo apt-get install fail2ban
Configuration
To configure fail2ban, make a 'local' copy the jail.conf file in /etc/fail2ban
cd /etc/fail2ban sudo cp jail.conf jail.local
Now edit the file:
sudo nano jail.local
Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 bantime = 3600 maxretry = 3
Email Notification
Note: You will need sendmail or any other MTA to do this.
If you wish to be notified of bans by email, modify this line with your email address:
destemail = your_email@domain.com
Then find the line:
action = %(action_)s
and change it to
action = %(action_mw)s
Jail Configuration
Jails are the rules which fail2ban apply to a given application/log:
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3
To enable the other profiles, such as [ssh-ddos], make sure the first line beneath it reads:
enabled = true
Once done, restart fail2ban to put those settings into effect
sudo /etc/init.d/fail2ban restart
Advanced: Filters
If you wish to tweak or add log filters, you can find them in
/etc/fail2ban/filter.d
Testing
To test fail2ban, look at iptable rules:
sudo iptables -L
Attempt to login to a service that fail2ban is monitoring (preferably from another machine) and look at the iptable rules again to see if that IP source gets added.
External Links
- http://www.fail2ban.org/wiki/index.php/Main_Page - Official Fail2ban Website.
Remarks (Robert van Reems): To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.
No comments:
Post a Comment