January 2, 2019

STOP BRUTE FORCE ATTACKS

When we think of security, the first thing that comes to mind is a strong password. The usual guidelines apply: a mix of upper- and lower-case letters, digits and symbols, and a reasonably long length. A 10-character password such as Ra-lC6gebe would, by the usual brute-force estimates, take about 6 years to find. That is certainly a strong password, but I would rather not have my VPS answering a blitz of authentication requests in the first place; every one of those attempts costs CPU, fills the logs and gives the attacker another guess. This is where fail2ban comes into the picture. Time to put the bad guys in ‘jail’.

What is fail2ban?

fail2ban is a Python utility that scans log files and blocks IP addresses that have too many failed login attempts. The offending addresses are banned for a duration based on the rules you set up, and the ban is implemented as a firewall rule (iptables by default). There are out-of-the-box filters for common services such as ssh, apache and mysql, and you can add your own by pointing fail2ban at the application log and giving it the right pattern to search for. Because it reacts to log lines after the fact, fail2ban limits brute force rather than preventing it: a single source gets only a handful of guesses, but a distributed attack that spreads its guesses over many addresses stays below the per-address threshold, so it complements, rather than replaces, a strong password or key-based authentication.

fail2ban works by setting up “jails”: each jail ties a filter (the patterns that identify malicious activity in one log) to the actions taken when the pattern matches. Per jail you can set the number of allowed failures, the actions (banning the IP, sending you an email) and the ban duration.

Installing fail2ban

On CentOS, you will need to install the epel-release before installing fail2ban

# yum update

# yum install -y epel-release

# yum install -y fail2ban

For Ubuntu/Debian

# apt-get update

# apt-get upgrade

# apt-get install -y fail2ban

Start & enable the service

# systemctl start fail2ban

# systemctl enable fail2ban

Configuring fail2ban

fail2ban reads its configuration from the .conf files in /etc/fail2ban. Any setting in those files can be overridden by a .local file of the same name in the same directory (and, for jails, by .conf files dropped into /etc/fail2ban/jail.d/). All customizations therefore go into .local files, which also ensures they are not lost when the package is updated and overwrites the .conf files. Freshly installed, there are two .conf files: fail2ban.conf and jail.conf.

The first configures the fail2ban daemon itself: the logging level, the location of the fail2ban log and other settings of the running process. You will rarely need to change it, so let’s jump to jail.conf.

fail2ban operates by defining “jails” with their own actions, ban durations and so on. We will not edit jail.conf directly; instead we put our changes into jail.local. The simplest way to get started is to copy jail.conf to jail.local and edit the copy (jail.conf’s own header recommends a jail.local that contains only your overrides, which keeps the file short and lets updated defaults in jail.conf take effect, but a full copy works too):

# cd /etc/fail2ban

# cp jail.conf jail.local

# nano jail.local

Here are some keywords that are useful when configuring the jail

bantime – number of seconds an offending host stays banned. The default is 600, i.e. 10 minutes (fail2ban 0.10 and later also accept values such as 1h or 1d)

findtime – the window, in seconds, within which the failures must occur. Default is again 600

maxretry – number of failures within the findtime window that triggers the ban (3 in the old 0.8 series; jail.conf in 0.9 and later ships maxretry = 5)

action – what to do when the threshold is reached. jail.conf defines action_ (ban only, the default), action_mw (ban and e-mail you a whois report on the address) and action_mwl (the same plus the matching log lines); pick one with action = %(action_mwl)s. The destination address is set with destemail, and the mail goes out through the MTA named by mta (sendmail by default), which has to exist on the box

ignoreip – addresses or CIDR ranges that are never banned. Put your own management address here so that a few typos do not lock you out

Set in the [DEFAULT] section these apply to every jail; set inside a jail section they override the default for that jail only.

Look for the ssh jail in jail.conf. In fail2ban 0.9 and later, which is what CentOS 7 (EPEL) and Ubuntu 18.04 ship, it is named [sshd]; only the old 0.8 series called it [ssh] and hard-coded logpath = /var/log/auth.log. The shipped section looks like this (enabled defaults to false via [DEFAULT], and logpath resolves through %(sshd_log)s to /var/log/auth.log on Debian/Ubuntu and /var/log/secure on CentOS/RHEL):

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

In jail.local, add enabled = true to the section and feel free to add the other parameters we saw above (on Debian/Ubuntu the package already enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf, so there the remaining lines are the ones that matter):

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
findtime = 300

We reduced the number of tries from the shipped default to 3 and the search window from 10 minutes to 5. Restart the service to load the new configuration (fail2ban-client reload does the same without dropping the existing bans); afterwards fail2ban-client status sshd lists the jail’s currently banned addresses, which is the quickest way to confirm it is actually watching the right log.
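Putting the keywords above together, here is the complete jail.local I would write for the sshd jail. This is an added example, not the configuration from the original post; the management network in ignoreip and the two e-mail addresses are placeholders you must replace with your own.

```ini
# /etc/fail2ban/jail.local (added example; values marked as placeholders must be changed)
[DEFAULT]
# Never ban localhost or the network you administer from (192.0.2.0/24 is a placeholder).
ignoreip  = 127.0.0.1/8 ::1 192.0.2.0/24
# Ban for an hour after 3 failures within 5 minutes (seconds, so it also works on 0.9).
bantime   = 3600
findtime  = 300
maxretry  = 3
# Ban, then e-mail a whois report plus the matching log lines (needs a working MTA).
destemail = admin@example.com
sender    = fail2ban@example.com
action    = %(action_mwl)s

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```

After a restart, fail2ban-client status sshd should show the jail with a non-zero “Currently failed” or “Total failed” count once someone starts guessing; if it shows an error about the log file instead, the logpath does not exist on this distribution.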

# systemctl restart fail2ban

Adding New Jails

By default jail.conf contains entries for sshd, apache and many other applications. What if you have a new application that you want fail2ban to watch? It is quite simple, as long as the application writes its failures to a log file in a consistent pattern that includes the client address and a timestamp fail2ban can parse.

For this example, let us assume a new application called foobar that listens on port 6005. When a login attempt fails, it writes an error to /var/log/foobar-error.log that looks like this (203.0.113.8 is an address from the range reserved for documentation; the original 123.456.7.8 is not a valid IPv4 address, and iptables would refuse to ban it):

LOGIN-ERROR: Request from 203.0.113.8 failed for user=admin@foobar.com with message=password failure

First we add the foobar application to jail.local

[foobar]

enabled = true

port = 6005

filter = foobar-filter

logpath = /var/log/foobar-error.log

maxretry = 5

Dissecting the configuration: we enabled the jail (enabled = true), told fail2ban that the application listens on port 6005 (this is the port the ban rule blocks), that it should use the filter foobar-filter (more about filters in a second), that the log is /var/log/foobar-error.log, and that a host is banned after 5 matches within the findtime window.

Filters hold the regular expression that is applied to each log line to extract the IP address causing trouble. The name in filter = foobar-filter refers to /etc/fail2ban/filter.d/foobar-filter.conf, so create that file like this:

[Definition]
# <HOST> is replaced by fail2ban with its own address-matching group;
# whatever it captures is the address that gets banned.
failregex = ^LOGIN-ERROR: Request from <HOST> failed for user=.* with message=.*

fail2ban strips the timestamp from each line, applies this expression to the rest and takes <HOST> as the address, which is banned once maxretry (5) matches arrive within findtime (10 minutes unless the jail overrides it). Two checks are worth doing before relying on it: the application must prefix every line with a date fail2ban can parse, otherwise it cannot place the failure in the findtime window, and the regex should be run against the real log with fail2ban-regex (giving it the log file and the filter file) to see how many lines it matches and whether a date was found.
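To see what the foobar filter does without touching a live server, here is a small Python stand-in for fail2ban’s matching and counting. It is an added example, not fail2ban’s code: the IPv4-only pattern it substitutes for <HOST> is an assumption of the demo (fail2ban’s own group also handles IPv6 and hostnames), the log lines are constructed and carry a “YYYY-mm-dd HH:MM:SS” prefix that the original sample line lacked, and the findtime/maxretry/ignoreip logic mirrors the jail keywords described earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban swaps <HOST> for its own address-capturing group. This IPv4-only
# stand-in is an assumption of this demo, not fail2ban's pattern.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from foobar-filter.conf, as written in the post.
FAILREGEX = r"^LOGIN-ERROR: Request from <HOST> failed for user=.* with message=.*"

# Constructed log format: "YYYY-mm-dd HH:MM:SS <message>". fail2ban strips the
# timestamp before applying failregex; this demo does the same.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


def _fail(ts, ip, user="admin@foobar.com"):
    """Build one constructed foobar failure line (sample data, not a real log)."""
    return (f"{ts} LOGIN-ERROR: Request from {ip} failed for user={user} "
            f"with message=password failure")


# 203.0.113.8 fails five times within four minutes; 198.51.100.23 fails five
# times spaced seven minutes apart; the successful login must not match at all.
SAMPLE_LOG = [
    _fail("2019-01-02 10:00:00", "203.0.113.8"),
    _fail("2019-01-02 10:00:10", "198.51.100.23", "root@foobar.com"),
    _fail("2019-01-02 10:01:00", "203.0.113.8"),
    _fail("2019-01-02 10:02:00", "203.0.113.8"),
    "2019-01-02 10:03:00 LOGIN-OK: Request from 192.0.2.50 succeeded for user=alice@foobar.com",
    _fail("2019-01-02 10:03:30", "203.0.113.8"),
    _fail("2019-01-02 10:04:00", "203.0.113.8"),
    _fail("2019-01-02 10:07:10", "198.51.100.23", "root@foobar.com"),
    _fail("2019-01-02 10:14:10", "198.51.100.23", "root@foobar.com"),
    _fail("2019-01-02 10:21:10", "198.51.100.23", "root@foobar.com"),
    _fail("2019-01-02 10:28:10", "198.51.100.23", "root@foobar.com"),
]


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failures(lines, failregex=FAILREGEX):
    """Yield (timestamp, host) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    for line in lines:
        parsed = LINE_RE.match(line)
        if parsed is None:
            continue  # no parsable timestamp: skipped (fail2ban-regex warns about these)
        match = pattern.match(parsed.group("msg"))
        if match is None:
            continue
        yield datetime.strptime(parsed.group("ts"), "%Y-%m-%d %H:%M:%S"), match.group("host")


def find_bans(lines, failregex=FAILREGEX, maxretry=5, findtime=600, ignoreip=()):
    """Return {host: time_of_ban} for hosts with >= maxretry failures inside
    a sliding findtime-second window, never banning hosts listed in ignoreip."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = {}
    for ts, host in failures(lines, failregex):
        if host in ignoreip or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"would ban {host} at {when}")
```

With the jail’s maxretry = 5 and the default findtime of 600 seconds only 203.0.113.8 is banned; 198.51.100.23 makes the same five attempts but never five inside any 10-minute window, which is exactly the case a larger findtime (or a smaller maxretry) is meant to catch. The same experiment against the real log is what fail2ban-regex reports as the number of matched lines.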

Conclusion

Hope I was able to give you a good launchpad to understand and implement fail2ban on your server. If you have implemented fail2ban on your system and especially for a custom application, I would love to hear your thoughts and experience. Stay safe and Happy Holidays.
