Using Fail2ban to safeguard servers from intrusion attempts
What is Fail2ban
Fail2ban is a service that continuously monitors the logs of a variety of services. Predefined filters match patterns in the log entries that indicate suspicious behaviour, and when more than a defined number of these entries are found within a time period from the same IP address, fail2ban issues a command to block that IP address in the firewall and sends an email to the system administrator to alert her of the intrusion attempt. The IP address becomes unbanned again after a defined period of time.
A common use for fail2ban is to prevent intruders making repeated attempts to guess an ssh password. Users should not depend on fail2ban alone to protect their ssh server. Passwordless login using public key authentication is the best way to prevent an intruder getting into your ssh server, but fail2ban is a useful additional tool to prevent your logs filling up with break-in attempts, and to persuade the attacker to try elsewhere.
Other popular uses for fail2ban are to detect attacks against ftp servers, against mail servers with sasl passwords, against web servers with authenticated pages, against webmin, and many other services.
Installing and Configuring Fail2ban
fail2ban is included in the Mageia Core repository. Install it using urpmi or with the Mageia Control Centre.
If you wish to get email alerts from fail2ban you must have a mail server installed. If you do not wish to run a full mail server, the simplest application with the least configuration that provides a sendmail function is 'dma'.
Fail2ban does not have a GUI, so nothing will appear in your menu. It must be configured by editing text files in the directory /etc/fail2ban.
For most users the only file that needs to be edited is /etc/fail2ban/jail.conf. This file contains a number of sections, or jails. Each jail defines how to monitor one service. Only those services whose jails are enabled are monitored by fail2ban.
Here is a typical jail to monitor ssh on a Mageia server:
[ssh-shorewall]
enabled  = true
filter   = sshd
action   = shorewall
           sendmail[name=SSH, dest=your@email, sender=fail2ban@youremail]
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 6000
In this example the jail is called ssh-shorewall and it is enabled.
When a log entry matches one of the regular expressions in the filter file /etc/fail2ban/filter.d/sshd.conf, the match count for that IP address is incremented.
When the match count reaches the maxretry value the IP address is banned and one or more actions are performed.
In this example the IP address is banned using the shorewall firewall, which is the default firewall in Mageia. If you are using iptables for your firewall you should use the iptables action instead. The second action is to send an email to the system administrator telling them which IP address has been banned.
The logpath line defines where fail2ban will find the log file for this service.
Default values for fail2ban are found in the [DEFAULT] section:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
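To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is a small Python model of what one jail does with its log. It is an illustration added for this page, not code from fail2ban: the failregex is a cut-down stand-in for the real sshd filter, the log lines are constructed, the year 2024 is assumed because syslog timestamps carry none, and ban expiry is driven by the log timestamps rather than the wall clock that fail2ban really uses.

```python
"""Toy model of the per-jail counting fail2ban performs (added illustration,
not fail2ban's own code). Ban expiry follows the log clock, a simplification."""
import ipaddress
import re
from datetime import datetime, timezone

# Stand-in for filter.d/sshd.conf (assumption: the real filter has many more
# patterns). fail2ban's <HOST> tag is expressed as a named group here.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
# syslog prefix: "Mar 10 12:00:01 hostname message"
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


class Jail:
    """The [DEFAULT] knobs from jail.conf: ignoreip, findtime, maxretry, bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=6000, ignoreip="127.0.0.1/8"):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        # ignoreip is space separated; strict=False accepts "127.0.0.1/8" as written
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.failures = {}  # host -> epoch seconds of matches still inside findtime
        self.banned = {}    # host -> epoch second at which the ban expires
        self.actions = []   # ("ban", host) / ("unban", host) in the order they happened

    def _ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # not a literal address (real ignoreip also allows DNS names)
        return any(addr in net for net in self.ignore)

    def _expire_bans(self, now):
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.actions.append(("unban", host))

    def feed(self, line):
        """Process one log line as a jail would; returns the action taken, if any."""
        m = SYSLOG.match(line)
        if not m:
            return None
        now = (datetime.strptime(m["ts"], "%b %d %H:%M:%S")
               .replace(year=LOG_YEAR, tzinfo=timezone.utc).timestamp())
        self._expire_bans(now)
        hit = FAILREGEX.search(m["msg"])
        if not hit:
            return None
        host = hit["host"]
        if self._ignored(host) or host in self.banned:
            return None
        # sliding window: only matches within the last findtime seconds count
        recent = [t for t in self.failures.get(host, []) if now - t < self.findtime]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.failures[host] = []
            self.actions.append(("ban", host))
            return ("ban", host)
        return None


def run(log_text, **jail_kwargs):
    """Feed every line of a log to a fresh Jail and return the jail for inspection."""
    jail = Jail(**jail_kwargs)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


# Constructed sample log (not a real capture): one brute-force burst, a burst from
# localhost that ignoreip covers, and a host whose attempts are too spread out.
SAMPLE_LOG = """\
Mar 10 12:00:01 mageia sshd[2101]: Failed password for invalid user admin from 192.168.1.33 port 51234 ssh2
Mar 10 12:00:03 mageia sshd[2101]: Failed password for invalid user admin from 192.168.1.33 port 51234 ssh2
Mar 10 12:00:05 mageia sshd[2101]: Failed password for invalid user admin from 192.168.1.33 port 51234 ssh2
Mar 10 12:00:07 mageia sshd[2101]: Failed password for invalid user admin from 192.168.1.33 port 51234 ssh2
Mar 10 12:00:08 mageia sshd[2105]: Accepted publickey for alice from 192.168.1.10 port 40000 ssh2
Mar 10 12:00:09 mageia sshd[2101]: Failed password for invalid user admin from 192.168.1.33 port 51234 ssh2
Mar 10 12:00:20 mageia sshd[2110]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar 10 12:00:21 mageia sshd[2110]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar 10 12:00:22 mageia sshd[2110]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar 10 12:05:00 mageia sshd[2200]: Failed password for invalid user test from 10.0.0.7 port 50000 ssh2
Mar 10 12:06:00 mageia sshd[2201]: Failed password for invalid user test from 10.0.0.7 port 50001 ssh2
Mar 10 12:07:00 mageia sshd[2202]: Failed password for invalid user test from 10.0.0.7 port 50002 ssh2
Mar 10 12:08:00 mageia sshd[2203]: Failed password for invalid user test from 10.0.0.7 port 50003 ssh2
Mar 10 12:19:00 mageia sshd[2204]: Failed password for invalid user test from 10.0.0.7 port 50004 ssh2
Mar 10 13:41:00 mageia sshd[2205]: Failed password for invalid user test from 10.0.0.7 port 50005 ssh2
"""

if __name__ == "__main__":
    for verb, host in run(SAMPLE_LOG).actions:
        print(verb, host)
```

Run as a script it prints the ban of 192.168.1.33 at the fifth failure and its unban 6000 seconds later. 10.0.0.7 also produces five failures but is never banned, because by the time the fifth arrives the first has slid out of the 600 second findtime window; that is precisely the difference between a slow trickle and a burst that findtime exists to draw. Lowering maxretry to 3 in the call to run() bans both hosts.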
Fail2ban can be started from the System > Services menu of the Mageia Control Centre or by running
systemctl start fail2ban.service
Fail2ban writes its log to syslog. When fail2ban starts it sends an email to the system administrator advising them that the jail has been started. If your mail server is not operational the message will appear in the syslog instead.
Using the ssh-shorewall jail shown above, start by ensuring that the shorewall firewall is enabled and that port 22 for ssh is open. You can use the firewall GUI in the Mageia Control Centre to do this.
Start the ssh service in the Mageia Control Centre (install the package openssh-server if required), then start the fail2ban service. From another computer with openssh-client installed, attempt to log in over ssh using a non-existent account.
You will be prompted for a password. Enter any sequence of characters, after which you will be prompted for the password again. After 5 attempts ssh will give up. If you now try to log in again you should find that no password is requested and you are locked out. At the server you can monitor the status of fail2ban:
# fail2ban-client -v status ssh-shorewall
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
Status for the jail: ssh-shorewall
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.33
   `- Total banned:     1
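If you want to watch a jail from a script, for example from a monitoring check that alerts when the banned count climbs, the tree-style status output can be parsed. The following is an added Python example, not a tool shipped with fail2ban; it assumes the layout shown above and uses that same output, embedded as a string, as its sample input.

```python
"""Parse the tree-style output of `fail2ban-client status <jail>` into a dict.
Added example, not part of fail2ban; assumes the layout printed on this page."""

# The status output shown on the page, embedded as a constructed string so the
# example runs offline without a fail2ban socket.
SAMPLE_STATUS = """\
Status for the jail: ssh-shorewall
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.33
   `- Total banned:     1
"""


def parse_status(text):
    """Return {"jail": name, "filter": {...}, "action": {...}} from the status text."""
    result = {"jail": None, "filter": {}, "action": {}}
    section = None
    for raw in text.splitlines():
        line = raw.lstrip("|` -").strip()  # drop the tree-drawing prefix
        if not line or line.startswith("INFO") or line.startswith("#"):
            continue  # blank lines, the socket notice and the echoed command
        if line.startswith("Status for the jail:"):
            result["jail"] = line.split(":", 1)[1].strip()
        elif ":" not in line:
            section = line  # "filter" or "action"
        elif section in result:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "IP list":
                value = value.split()  # banned addresses are space separated
            elif value.isdigit():
                value = int(value)
            result[section][key] = value
    return result


def banned_ips(text):
    """The addresses the jail currently has banned (empty list if none)."""
    return parse_status(text)["action"].get("IP list", [])


if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS))
    print("banned:", banned_ips(SAMPLE_STATUS))
```

In a real check you would feed it the captured output of the fail2ban-client command instead of SAMPLE_STATUS. The parser deliberately flattens the nesting, so the IP list lands next to "Currently banned" in the action dict, and leaves any unknown key as a string, which keeps it usable if a later fail2ban prints additional counters.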
If you wish to unban the IP address without waiting for the unban timer to expire, run this command:
shorewall allow ip_address
- Note: By default shorewall will only block an IP address when a new connection is made. So, for example, with ssh shorewall will not block an IP address until all 5 attempts allowed by ssh have been made. If you wish to change this behaviour so that the IP address is blocked immediately, then set
Alternatives to Fail2ban
- It is possible to use the shorewall firewall itself to limit the number and rate of accesses to a service.