Linux Administrator

How to Install and Setup Fail2Ban On Linux

Fail2ban
mm
Written by Santosh Prasad

Fail2ban is an intrusion prevention software, framework which protect server against brute force attacks. It’s Written in Python programming language. Fail2ban work based on auth log files, by default it will scan the auth log files such as /var/log/auth.log, /var/log/apache/access.log, etc.. and bans IPs that show the malicious signs, too many password failures, seeking for exploits, etc.

Generally fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time. Also it will send mail notification too. Fail2Ban comes with many filters for various services such as ssh, apache, nginx, squid, named, mysql, nagios, etc,. Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. this is one of the security for server which will prevent brute force attacks.

In this article I will show how to install and setup Fail2Ban on Linux.

Install Fail2Ban on Linux

Run the below command to install Fail2Ban on your Linux machines.

On Debian/Ubunut :

$ sudo apt install fail2ban

On Fedora :

# dnf install fail2ban

On CentOS/RHEL :

Enable EPEL Repository or RPMForge Repository and use YUM Command to install Terminator.

# yum install fail2ban

On Arch Linux :

$ sudo pacman -S fail2ban

On openSUSE :

$ sudo zypper in fail2ban

Configure Fail2Ban

By default Fail2ban keeps all the configuration files in /etc/fail2ban/ directory. The main configuration file is jail.conf, it contains a set of pre-defined filters. So, don’t edit the file and it’s not advisable because whenever new update comes the configuration get reset to default.

Create a new configuration file called jail.local in the same directory and modify as per your wish.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

By default most of the option was configured perfectly and if you want to enable access to any particular IP then you can add the IP address into ignoreip area, for more then one IP give a speace between the IP address.

The DEFAULT section contains the basic set of rules that Fail2Ban follow and you can adjust any parameter as per your wish.

# nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.100/24
bantime  = 600
findtime  = 600
maxretry = 3
destemail = [email protected]

Where;

  • ignoreip : This section allow us to whitelist the list of IP address and Fail2ban will not ban a host which matches an address in this list
  • bantime : The number of seconds that a host is banned
  • findtime : A host is banned if it has generated “maxretry” during the last “findtime” seconds
  • maxretry : “maxretry” is the number of failures before a host get banned.

Configure Service

Fail2ban comes with set of pre-defined filters for various services such as ssh, apache, nginx, squid, named, mysql, nagios, etc,. We don’t want to make any changes on configuration file and just add following line enabled = true in the service area to enable jail to any services. To disable make the line to false instead of ture.

# SSH servers
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Where;

  • enabled : Determines whether the service is turned on or off.
  • port : It’s refering to the particular service. If using the default port, then the service name can be placed here. If using a non-traditional port, this should be the port number.
  • logpath : Gives the location of the service’s logs./li>
  • backend : “backend” specifies the backend used to get files modification.

Restart Fail2Ban

Now restart the Fail2Ban service after making all changes to take effect.

For SysVinit Systems :

# service fail2ban restart

For systemd Systems :

# systemctl restart fail2ban.service

Check Fail2Ban iptables rules

You can check whether Fail2Ban iptables rules are added into firewall using below command.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-apache-auth  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports 1234
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1234

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-apache-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere      

Test Fail2Ban

I have made some failed attempts to test this. To confirm this, I’m going to verify the /var/log/fail2ban.log file.

2018-06-05 14:43:22,901 fail2ban.server         [7141]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-06-05 14:43:22,987 fail2ban.database       [7141]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-06-05 14:43:22,996 fail2ban.database       [7141]: WARNING New database created. Version '2'
2018-06-05 14:43:22,998 fail2ban.jail           [7141]: INFO    Creating new jail 'sshd'
2018-06-05 14:43:23,002 fail2ban.jail           [7141]: INFO    Jail 'sshd' uses poller {}
2018-06-05 14:43:23,019 fail2ban.jail           [7141]: INFO    Initiated 'polling' backend
2018-06-05 14:43:23,019 fail2ban.filter         [7141]: INFO    Set maxRetry = 5
2018-06-05 14:43:23,020 fail2ban.filter         [7141]: INFO    Set jail log file encoding to UTF-8
2018-06-05 14:43:23,020 fail2ban.filter         [7141]: INFO    Added logfile = /var/log/auth.log
2018-06-05 14:43:23,021 fail2ban.actions        [7141]: INFO    Set banTime = 600
2018-06-05 14:43:23,021 fail2ban.filter         [7141]: INFO    Set findtime = 600
2018-06-05 14:43:23,022 fail2ban.filter         [7141]: INFO    Set maxlines = 10
2018-06-05 14:43:23,070 fail2ban.server         [7141]: INFO    Jail sshd is not a JournalFilter instance
2018-06-05 14:43:23,081 fail2ban.jail           [7141]: INFO    Jail 'sshd' started
2018-06-05 14:43:23,763 fail2ban.filter         [7141]: INFO    [sshd] Found 103.5.134.167
2018-06-05 14:43:23,763 fail2ban.filter         [7141]: INFO    [sshd] Found 103.5.134.167
2018-06-05 14:43:23,764 fail2ban.filter         [7141]: INFO    [sshd] Found 181.129.54.170
2018-06-05 14:43:23,764 fail2ban.filter         [7141]: INFO    [sshd] Found 181.129.54.170
2018-06-05 14:43:23,765 fail2ban.filter         [7141]: INFO    [sshd] Found 181.129.54.170
2018-06-05 14:43:23,765 fail2ban.filter         [7141]: INFO    [sshd] Found 181.129.54.170
2018-06-05 15:19:06,192 fail2ban.server         [7141]: INFO    Stopping all jails
2018-06-05 15:19:06,874 fail2ban.jail           [7141]: INFO    Jail 'sshd' stopped
2018-06-05 15:19:06,879 fail2ban.server         [7141]: INFO    Exiting Fail2ban
2018-06-05 15:19:07,123 fail2ban.server         [8528]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-06-05 15:19:07,123 fail2ban.database       [8528]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-06-05 15:19:07,126 fail2ban.jail           [8528]: INFO    Creating new jail 'sshd'
2018-06-05 15:19:07,129 fail2ban.jail           [8528]: INFO    Jail 'sshd' uses poller {}
2018-06-05 15:19:07,141 fail2ban.jail           [8528]: INFO    Initiated 'polling' backend
2018-06-05 15:19:07,142 fail2ban.actions        [8528]: INFO    Set banTime = 60
2018-06-05 15:19:07,142 fail2ban.filter         [8528]: INFO    Set findtime = 60
2018-06-05 15:19:07,142 fail2ban.filter         [8528]: INFO    Set jail log file encoding to UTF-8
2018-06-05 15:19:07,143 fail2ban.filter         [8528]: INFO    Set maxRetry = 3
2018-06-05 15:19:07,144 fail2ban.filter         [8528]: INFO    Added logfile = /var/log/auth.log
2018-06-05 15:19:07,144 fail2ban.filter         [8528]: INFO    Set maxlines = 10
2018-06-05 15:19:07,189 fail2ban.server         [8528]: INFO    Jail sshd is not a JournalFilter instance
2018-06-05 15:19:07,195 fail2ban.jail           [8528]: INFO    Jail 'sshd' started
2018-06-05 15:20:03,263 fail2ban.filter         [8528]: INFO    [sshd] Found 103.5.134.167
2018-06-05 15:20:05,267 fail2ban.filter         [8528]: INFO    [sshd] Found 103.5.134.167
2018-06-05 15:20:12,276 fail2ban.filter         [8528]: INFO    [sshd] Found 103.5.134.167
2018-06-05 15:20:12,380 fail2ban.actions        [8528]: NOTICE  [sshd] Ban 103.5.134.167
2018-06-05 15:21:12,659 fail2ban.actions        [8528]: NOTICE  [sshd] Unban 103.5.134.167

To Check list of jail enabled, run the following command.

# fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	apache-auth, sshd

To get the blocked Ip address by running following command.

# fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed: 1
|  `- Total failed: 3
`- action
   |- Currently banned: 1
   |  `- IP list:   192.168.1.115 
   `- Total banned: 1

To remove blocked IP address from Fail2Ban, run the following command.

 # fail2ban-client set ssh unbanip 192.168.1.115
Thank you! for visiting Look Linux.

If you find this tutorial helpful please share with your friends to keep it alive. For more helpful topic browse my website www.looklinux.com. To become an author at Look Linux Submit Article. Stay connected to Facebook.

About the author

mm

Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.

Leave a Comment