Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: Fail2Ban Howto: Block IP Address Using Fail2ban and IPTables  (Read 1833 times)

0 Members and 1 Guest are viewing this topic.

joseletk

  • Guest
Fail2ban scans log files for various services ( SSH, FTP, SMTP, Apache, etc., ) and bans the IP that makes too many password failures. It also updates the firewall rules to reject these ip addresses. Main purpose of Fail2ban is to prevent brute force login attacks.

Install Fail2ban

Use apt-get to install Fail2ban on a Debian based system as shown below.

Code: [Select]
# apt-get install fail2ban
How to configure fail2ban

All Fail2ban configuration files are located under the /etc/fail2ban directory.

/etc/fail2ban/fail2ban.conf

Main purpose of this file is to configure fail2ban log related directives.

- Loglevel: Set the log level output.
- logtarget : Specify the log file path

Actions taken by the Fail2ban are logged in the /var/log/fail2ban.log file. You can change the verbosity in the conf file to one of: 1 – ERROR, 2 – WARN, 3 – INFO or 4 – DEBUG.

/etc/fail2ban/jail.conf

jail.conf file contains the declaration of the service configurations. This configuration file is broken up into different contexts. The DEFAULT settings apply to all sections.

The following DEFAULT section of jail.conf says that after five failed access attempts from a single IP address within 600 seconds or 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).

Code: [Select]
[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600

- ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
- maxretry: Maximum number of failed login attempts before a host is blocked by fail2ban.
- bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).

Service Configurations

By default, some services are inserted as templates. Following is an example of the ssh services section.

Code: [Select]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath  = /var/log/auth.log
action = iptables

Fail2ban will monitor the /var/log/auth.log file for failed access attempts, and if it finds repeated failed ssh login attempts from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with fail2ban iptables firewall rule.

Fail2ban Filters

The directory /etc/fail2ban/filter.d contains regular expressions that are used to detect break-in attempts, password failures, etc., for various services.

For example:

- sshd.conf – Fail2ban ssh related filters
- apache-auth.conf – Fail2ban apache service filters

We can also add our own regular expression to find unwanted action.

Fail2ban Actions

The directory /etc/fail2ban/action.d contains different scripts defining actions which will execute once a filter matches. Only one filter is allowed per service, but it is possible to specify several actions, on separate lines.

For example:

- IPtables.conf – block & unblock IP address
- Mail.conf – Sending mail to configured user

Start/Stop Fail2ban Service

After making configuration changes stop and start the Fail2ban daemon as shown below.

Code: [Select]
# /etc/init.d/fail2ban stop

# /etc/init.d/fail2ban start

=========================================================================