Blocking IP Addresses with False Intentions using Fail2ban
Fail2ban is a service that scans log files and bans IP addresses that show malicious signs, such as multiple password failures or probing for exploits. It updates firewall rules to reject those IP addresses for a specified amount of time, although any arbitrary action (e.g. sending an email) can also be configured. Fail2ban also comes with out-of-the-box filters for various services such as Apache, FTP and SSH.
Fail2ban can reduce the rate of incorrect authentication attempts, but it cannot eliminate the risk presented by weak authentication. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.
Installation:
To install Fail2ban on your system, run the following command:
[shell]sudo apt-get install fail2ban[/shell]
Configuration:
Create a local copy of the configuration file. Make all the changes you want to enable in this local configuration file.
[shell]sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local[/shell]
Open the new Fail2ban configuration file and edit the sections given below.
[shell]sudo vim /etc/fail2ban/jail.local[/shell]
Configure the Default Section in Jail.Local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = -1
maxretry = 5
- ignoreip lists the IP addresses that you want to whitelist. You can give multiple IPs, space separated, to make sure that they are never locked out.
- bantime defines the time (in seconds) for which an IP will be blocked. You can change this value as per your requirement. If bantime is set to -1, a blocked IP will not be unblocked automatically.
- maxretry defines the maximum number of wrong login attempts after which the offending IP will be blocked for the given bantime.
Configure the SSH Section in Jail.Local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
- enabled : true indicates that SSH protection is enabled.
- port : defines the port on which SSH is listening; by default SSH uses port 22.
- logpath : defines the path of the log file that records SSH login attempts.
- maxretry : defines the maximum number of wrong login attempts after which the offending IP(s) will be blocked for the given bantime.
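As an added example (not part of the original post and not Fail2ban's own code), the sketch below models how ignoreip and maxretry from the sections above decide which addresses get banned. The log lines are constructed, the failure pattern is a simplified assumption rather than the real sshd filter, and the time window Fail2ban applies to failures is not modelled.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the [DEFAULT] and [ssh] sections shown above.
IGNOREIP = ["127.0.0.1/8"]
MAXRETRY = 4

# Constructed sample in the style of /var/log/auth.log (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:05 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 10:01:09 host sshd[812]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 10:01:11 host sshd[813]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
Mar  3 10:01:14 host sshd[814]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 10:02:00 host sshd[815]: Failed password for bob from 198.51.100.9 port 60001 ssh2
Mar  3 10:02:03 host sshd[816]: Failed password for bob from 127.0.0.1 port 60002 ssh2
Mar  3 10:02:04 host sshd[816]: Failed password for bob from 127.0.0.1 port 60003 ssh2
Mar  3 10:02:05 host sshd[816]: Failed password for bob from 127.0.0.1 port 60004 ssh2
Mar  3 10:02:06 host sshd[816]: Failed password for bob from 127.0.0.1 port 60005 ssh2
"""

# Simplified pattern (assumption); anchored at the line end so text inside a
# username cannot supply a fake source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2$"
)

def is_ignored(ip, ignore_list):
    """True if ip falls inside any whitelisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore_list)

def would_ban(log_text, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return (IPs in the order they reach maxretry, failure count per IP)."""
    failures, banned = Counter(), []
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        ip = match.group(1)
        try:
            if is_ignored(ip, ignoreip):
                continue  # whitelisted hosts are never counted or banned
        except ValueError:
            continue  # source field was not an IP address
        failures[ip] += 1
        if failures[ip] == maxretry:
            banned.append(ip)
    return banned, dict(failures)

if __name__ == "__main__":
    print(would_ban(SAMPLE_LOG))
```

Running it against a copy of your own auth.log with different maxretry values shows which hosts a setting would catch before you restart the service.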
Configure the FTP Section in Jail.Local
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 5
After configuring Fail2ban, restart the service to apply the changes.
[shell]sudo service fail2ban restart[/shell]
You can also check the rules that Fail2ban is applying in iptables to block IPs.
[shell]sudo iptables -L[/shell]
You can check the Fail2ban logs in the /var/log/fail2ban.log file. It also contains information about blocked IPs.