Jan 17, 2021
As soon as an instance is created on any cloud provider (AWS, Google Cloud, Azure, etc.) and a port for some common service, like SSH, is open to the world, we will notice brute force attacks. Fail2ban is a tool to prevent brute force attacks: it monitors log files and creates firewall rules to block attackers' IPs.
The most common usage is to protect the SSH service, especially when we cannot restrict access to port 22 to specific IPs, but it is also useful to monitor services like postfix or apache.
Fail2ban is easily installed using a package manager like apt or yum:
debian: sudo apt-get update && sudo apt-get install -y fail2ban
centos: sudo yum install -y epel-release && sudo yum install -y fail2ban
After installing, let’s ensure that the service is enabled on system initialization:
sudo systemctl enable fail2ban
It is recommended to put the customizations in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/customisation.local instead of modifying the /etc/fail2ban/jail.conf file directly.
Let’s first create it from the default conf file:
sudo cp -p /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Some useful parameters are bantime (how long an IP stays banned), findtime (the window in which failures are counted) and maxretry (the number of failures within findtime that triggers a ban).
Going further in the jail.local file we will find sections for several services. Let's take apache-auth as an example:
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
To enable it we first need to append enabled = true to the section:
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
We also have the value for port and a reference to a logpath, so in case of a custom logging location we need to modify this value. But where is this apache_error_log defined? Well, it depends on the distro we're using. We can check the paths-*.conf files:
root@7c7485c95e10:/# ls /etc/fail2ban/paths-*
/etc/fail2ban/paths-arch.conf /etc/fail2ban/paths-debian.conf
/etc/fail2ban/paths-common.conf /etc/fail2ban/paths-opensuse.conf
We can use grep to discover in which file apache_error_log is defined:
root@7c7485c95e10:/# grep "apache_error_log" /etc/fail2ban/paths-*.conf
/etc/fail2ban/paths-arch.conf:apache_error_log = /var/log/httpd/*error_log
/etc/fail2ban/paths-common.conf:apache_error_log = /var/log/apache2/*error.log
I'm using Debian, so in this case apache_error_log is defined in paths-common.conf; however, if I were using Arch Linux I would need to check paths-arch.conf.
We can also set the bantime, maxretry and findtime per service. A more complete config would look like:
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
banaction = iptables
maxretry = 3
findtime = 5m
bantime = 1d
ignoreip = 127.0.0.1/8
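As an added example (not code from this post or from the fail2ban project), the Python script below models how the maxretry, findtime, bantime and ignoreip values above turn failed logins into ban decisions, replayed over a few constructed Apache error-log lines. The regex is a simplified stand-in for the real apache-auth filter, and the log lines, IPs and usernames are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed Apache 2.4 error-log lines with made-up client IPs (not real log data).
SAMPLE_LOG = """\
[Sun Jan 17 10:00:01.000000 2021] [auth_basic:error] [pid 1234] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/secret/": Password Mismatch
[Sun Jan 17 10:00:03.000000 2021] [auth_basic:error] [pid 1234] [client 203.0.113.5:51235] AH01617: user admin: authentication failure for "/secret/": Password Mismatch
[Sun Jan 17 10:00:05.000000 2021] [auth_basic:error] [pid 1234] [client 127.0.0.1:40000] AH01617: user root: authentication failure for "/secret/": Password Mismatch
[Sun Jan 17 10:00:07.000000 2021] [auth_basic:error] [pid 1234] [client 203.0.113.5:51236] AH01617: user admin: authentication failure for "/secret/": Password Mismatch
[Sun Jan 17 10:09:00.000000 2021] [auth_basic:error] [pid 1234] [client 198.51.100.9:2222] AH01617: user bob: authentication failure for "/secret/": Password Mismatch
[Sun Jan 17 10:20:00.000000 2021] [auth_basic:error] [pid 1234] [client 198.51.100.9:2223] AH01617: user bob: authentication failure for "/secret/": Password Mismatch
"""
# Simplified stand-in for the apache-auth filter: timestamp, client IP and an auth failure.
FAILURE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] .*?\[client (?P<ip>[^:\]]+)(?::\d+)?\] .*authentication failure")

def parse_duration(value):
    """Convert a fail2ban-style duration ('300', '5m', '1d') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def simulate_jail(log_text, maxretry=3, findtime="5m", bantime="1d", ignoreip="127.0.0.1/8"):
    """Replay log lines through the jail's rules; returns {ip: (ban_start, ban_end)}."""
    window = timedelta(seconds=parse_duration(findtime))
    ban_len = timedelta(seconds=parse_duration(bantime))
    ignored = [ip_network(n, strict=False) for n in ignoreip.split()]
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # not a failure line the filter cares about
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        ip = m["ip"]
        if any(ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never counted and never banned
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned for this period; nothing more to do
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # findtime: drop failures that fell out of the sliding window
        recent.append(ts)
        if len(recent) >= maxretry:  # maxretry failures inside findtime -> ban for bantime
            bans[ip] = (ts, ts + ban_len)
            recent.clear()
    return bans
if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} until {end}")
```

With the defaults above only 203.0.113.5 is banned: 127.0.0.1 is covered by ignoreip, and 198.51.100.9 fails twice but more than 5 minutes apart, so it never reaches maxretry inside findtime.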
After doing all the customizations, let's restart fail2ban: sudo systemctl restart fail2ban
To monitor the activity we can check the fail2ban logs: tail -f /var/log/fail2ban.log