From Mageia wiki


This page is a draft. It requires improvements.


Using Fail2ban to safeguard servers from intrusion attempts

What is Fail2ban

  • Fail2ban is a service that continuously monitors the logs of a variety of services. Predefined filters match patterns in log entries that indicate suspicious behaviour; when more than a defined number of matching entries from the same IP address occur within a set time period, fail2ban issues a command to block that IP address in the firewall and sends an email to the system administrator to alert her of the intrusion attempt. The IP address is unbanned again after a defined period of time.

A common use for fail2ban is to stop intruders making repeated attempts to guess an ssh password. Users should not depend on fail2ban alone to protect their ssh server. Passwordless login using public key authentication is the best way to prevent an intruder getting into your ssh server, but fail2ban is a useful additional tool to keep your logs from filling up with break-in attempts and to persuade the attacker to try elsewhere.

Other popular uses for fail2ban are detecting attacks against ftp servers, against mail servers using sasl passwords, against web servers with authenticated pages, against webmin, and against many other services.

Installing and Configuring Fail2ban

fail2ban is included in the Mageia Core repository. Install it using urpmi or the Mageia Control Centre.

If you wish to get email alerts from fail2ban you must have a mail server installed. If you do not wish to run a full mail server, the simplest application providing a sendmail function with the least amount of configuration is 'dma'.

Fail2ban does not have a GUI, so nothing will appear in your menu. It must be configured by editing text files in the directory /etc/fail2ban.

For most users the only file that needs to be edited is /etc/fail2ban/jail.conf. This file contains a number of sections, or jails. Each jail defines how to monitor one service. Only those services whose jails are enabled are monitored by fail2ban.

Here is a typical jail to monitor ssh on a Mageia server:

[ssh-shorewall]

enabled  = true
filter   = sshd
action   = shorewall
           sendmail[name=SSH, dest=your@email, sender=fail2ban@youremail]
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 6000

In this example the jail is called ssh-shorewall, and it is enabled.

When a log entry matches one of the regular expressions in the filter file /etc/fail2ban/filter.d/sshd.conf, the match count for the IP address in that entry is incremented.

When the match count reaches the maxretry value the IP address is banned and one or more actions are performed.

In this example the IP address is banned using the shorewall firewall, which is the default firewall in Mageia. If you are using iptables for your firewall, use the iptables action instead. The second action defined sends an email to the system administrator advising them of the IP address that has been banned.

The logpath line defines where fail2ban will find the log file for this service.

Default values for fail2ban are found in the [DEFAULT] section.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
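As an added illustration of the matching and counting described above, and of what the ignoreip, findtime, maxretry and bantime defaults do, here is a small Python script written for this page (it is example code, not part of fail2ban or of Mageia). It applies a cut-down sshd failregex to constructed /var/log/auth.log lines, counts matches per IP address inside a sliding findtime window, skips addresses covered by ignoreip, "bans" a host once maxretry is reached and lifts the ban once bantime has passed. The regex, the sample log lines, the Jail class, run_jail and the assumed "shorewall drop" ban command are all assumptions of this example; the four numeric settings are the values shown on this page.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Settings taken from the jail and [DEFAULT] sections shown on this page.
IGNOREIP = ["127.0.0.1/8"]
FINDTIME = 600    # seconds within which MAXRETRY failures must occur
MAXRETRY = 5
BANTIME = 6000    # seconds, from the ssh-shorewall jail

# Assumption: a cut-down failregex in the spirit of filter.d/sshd.conf (the real
# filter has many more patterns); fail2ban's <HOST> tag is the "host" group here.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")  # syslog prefix
EPOCH = datetime(1900, 1, 1)  # strptime uses year 1900 when the format has none


def line_time(line):
    """Syslog timestamp of the line in seconds, or None if it has none."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()


def is_ignored(host):
    """Mirror "ignoreip": addresses inside a listed network are never banned."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


class Jail:
    """Counts failures per host in a sliding findtime window and bans them."""

    def __init__(self):
        self.failures = defaultdict(deque)  # host -> times of recent failures
        self.banned = {}                    # host -> time the ban expires
        self.commands = []                  # what the shorewall action would run

    def feed(self, line):
        """Process one log line: 'fail', 'ban', 'banned', 'ignored' or None."""
        now, m = line_time(line), FAILREGEX.search(line)
        if now is None or m is None:
            return None                     # not a failure line for this filter
        self.expire(now)
        host = m.group("host")
        if is_ignored(host):
            return "ignored"
        if host in self.banned:
            return "banned"                 # already blocked at the firewall
        window = self.failures[host]
        window.append(now)
        while now - window[0] > FINDTIME:
            window.popleft()                # forget failures older than findtime
        if len(window) < MAXRETRY:
            return "fail"
        self.banned[host] = now + BANTIME
        window.clear()
        # Assumed actionban of fail2ban's shorewall action: "shorewall drop <ip>".
        self.commands.append(f"shorewall drop {host}")
        return "ban"

    def expire(self, now):
        """Lift bans whose bantime has run out (the unban timer)."""
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.commands.append(f"shorewall allow {host}")


# Constructed sample lines in auth.log format (not real log data). The last
# attempt from 192.168.1.33 arrives after its 6000 second ban has expired.
SAMPLE_LOG = [
    "Jan 12 10:00:01 server sshd[2301]: Invalid user foobar from 192.168.1.33",
    "Jan 12 10:00:03 server sshd[2301]: Failed password for invalid user foobar from 192.168.1.33 port 51234 ssh2",
    "Jan 12 10:00:05 server sshd[2301]: Failed password for invalid user foobar from 192.168.1.33 port 51234 ssh2",
    "Jan 12 10:00:07 server sshd[2301]: Failed password for invalid user foobar from 192.168.1.33 port 51234 ssh2",
    "Jan 12 10:00:09 server sshd[2305]: Accepted publickey for alice from 192.168.1.10 port 40000 ssh2",
    "Jan 12 10:00:11 server sshd[2301]: Failed password for invalid user foobar from 192.168.1.33 port 51234 ssh2",
    "Jan 12 10:00:13 server sshd[2310]: Failed password for root from 127.0.0.1 port 33333 ssh2",
    "Jan 12 10:00:15 server sshd[2301]: Failed password for invalid user foobar from 192.168.1.33 port 51234 ssh2",
    "Jan 12 11:41:00 server sshd[2400]: Failed password for invalid user foobar from 192.168.1.33 port 51300 ssh2",
]


def run_jail(lines):
    """Feed every line to a fresh jail; return the jail and per-line outcomes."""
    jail = Jail()
    return jail, [jail.feed(line) for line in lines]


if __name__ == "__main__":
    jail, outcomes = run_jail(SAMPLE_LOG)
    print(outcomes, jail.commands, sorted(jail.banned), sep="\n")
```

Running the script shows the ban firing on the sixth line, the loopback failure being skipped because of ignoreip, and the unban command being issued once the later line arrives after bantime. Note that in this sample the first attempt produces two matching lines ("Invalid user" and "Failed password"), so maxretry is reached before the fifth password prompt; which lines a real filter counts depends on the fail2ban version installed, so check a jail's filter against your actual log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf before relying on a particular maxretry value.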

Fail2ban can be started from the System > Services menu of the Mageia Control Centre or by running

systemctl start fail2ban.service

Fail2ban writes its log to syslog. When fail2ban starts it sends an email to the system administrator advising them that the jail has been started. If your mail server is not operational, the email message appears in syslog instead.

Testing Fail2ban

Using the ssh-shorewall jail shown above, start by ensuring that the shorewall firewall is enabled and that port 22 for ssh is open. You can use the firewall GUI in the Mageia Control Centre to do this.

Start the ssh service in the Mageia Control Centre (install the package openssh-server if required), then start the fail2ban service. From another computer with openssh-client installed, attempt to log into ssh using a non-existent account:

ssh foobar@ip_add_of_server

You should be prompted for a password. Enter any sequence of characters, after which you will be prompted for the password again. After 5 attempts ssh gives up. If you now try to log in again you should find that no password is requested and you are locked out. At the server you can monitor the status of fail2ban:

# fail2ban-client -v status ssh-shorewall
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
Status for the jail: ssh-shorewall
|- filter
|  |- File list:	/var/log/auth.log 
|  |- Currently failed:	1
|  `- Total failed:	5
`- action
   |- Currently banned:	1
   |  `- IP list:	192.168.1.33 
   `- Total banned:	1

If you wish to unban the IP address without waiting for the unban timer to expire, give this command:

shorewall allow ip_address

Note: by default shorewall only blocks an IP address when a new connection is made. So, for example with ssh, shorewall will not block an IP address until all 5 attempts allowed by ssh have been made. If you wish to change this behaviour so that the IP address is blocked immediately, set

BLACKLISTNEWONLY=No

in /etc/shorewall/shorewall.conf

Alternatives to Fail2ban