PCLinuxOS Magazine

Fail2ban - Installation and Configuration


by YouCanToo


What does fail2ban do

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Generally, Fail2Ban then updates firewall rules to reject those IP addresses for a specified amount of time. Out of the box, Fail2Ban comes with filters for various services (Apache, Courier, FTP, SSH, etc.).


System Requirements

The only required dependency needed to run Fail2ban is Python. Python is installed by default in PCLinuxOS.


Main Features

Here is a list of the main features available in Fail2ban.

  • Client/Server architecture.
  • Multi-threaded.
  • Highly configurable.
  • FAM/Gamin/Pyinotify support.
  • Parses log files and looks for given patterns.
  • Executes commands when a pattern has been detected for the same IP address more than X times. X is configurable.
  • After a given amount of time, executes another command in order to unban the IP address.
  • Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
  • Handles log files rotation.
  • Can handle multiple services (sshd, apache, vsftpd, etc).
  • Resolves DNS hostnames to IP addresses (use with caution; disable with usedns = no).
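The scanning and banning logic described above can be seen in miniature by replaying a few log lines through a small Python script. This is an added example written for this article, not fail2ban's own code: it uses a failregex in the spirit of fail2ban's sshd filter, a sliding window of `findtime` seconds (fail2ban's default of 600 is assumed), `maxretry` and `bantime` from the article, and an `ignoreip` list. The log lines are constructed (documentation address ranges, hostname "laptop"), and the year 2024 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not from a real host). The message format is the one
# OpenSSH writes via syslog; the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 13 10:00:01 laptop sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 13 10:00:05 laptop sshd[2002]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 13 10:00:09 laptop sshd[2003]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar 13 10:00:12 laptop sshd[2004]: Accepted password for dwmoar from 192.0.2.10 port 40000 ssh2
Mar 13 10:00:20 laptop sshd[2005]: Failed password for root from 127.0.0.1 port 50000 ssh2
Mar 13 10:05:00 laptop sshd[2006]: Failed password for root from 203.0.113.9 port 33333 ssh2
Mar 13 10:30:00 laptop sshd[2007]: Failed password for root from 203.0.113.9 port 33334 ssh2
Mar 13 10:55:00 laptop sshd[2008]: Failed password for root from 203.0.113.9 port 33335 ssh2
"""

# A failregex in the spirit of fail2ban's sshd filter (written here, not copied
# from fail2ban): it must capture the timestamp and the offending host's IP.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year


def parse_timestamp(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip):
    """True if ip falls inside any network listed in ignoreip (e.g. 127.0.0.1/8)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def scan(log_text, maxretry=3, findtime=600, bantime=3600, ignoreip=("127.0.0.1/8",)):
    """Replay a log and return [(ip, banned_at, banned_until), ...]."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> when its ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue                  # not a failure line
        ip, now = m.group("ip"), parse_timestamp(m.group("ts"))
        if is_ignored(ip, ignoreip):
            continue                  # never ban the local machine
        if ip in banned_until and now >= banned_until[ip]:
            del banned_until[ip]      # bantime elapsed: unban
        if ip in banned_until:
            continue                  # still banned; the firewall drops its packets
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()          # forget failures older than findtime
        if len(window) >= maxretry:
            until = now + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, now, until))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in scan(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults, 198.51.100.7 is banned after its third failure at 10:00:09 for one hour; 203.0.113.9 is never banned, because its three failures are spread over 50 minutes and fall out of the 600-second window; 127.0.0.1 is skipped by ignoreip. The timestamp parsing is also why log time and system time must agree (see the vsftpd "use_localtime" fix later in the article): entries stamped in the wrong zone would appear outside the window.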

Installation

Fail2ban is in the Synaptic repository; install it using Synaptic. Once it is installed, you will need to start the service.

In a console window, as root, enter the following:

    service fail2ban start

You should see something like this:

    [root@laptop dwmoar]# service fail2ban start
    Starting fail2ban: [ OK ]
    [root@laptop dwmoar]#

Checking the fail2ban server status:

In a console window, as the root user, enter the following:

    service fail2ban status

You should see something like this:

    [root@laptop dwmoar]# service fail2ban status
    Fail2ban (pid 5166) is running...
    Status
    |- Number of jail:    1
    `- Jail list:    ssh-iptables
    [root@laptop dwmoar]#

Note: the jail list you see may be different, depending on which services you have set up in the jail.conf file.


Configuration

You can configure Fail2Ban using the /etc/fail2ban/fail2ban.conf file.

It is safe to leave it with the default settings.

Editing the /etc/fail2ban/jail.conf file: in the [DEFAULT] section, check the following variables:

ignoreip = 127.0.0.1/8 <-- we want to allow (never ban) our local machine

bantime = 3600 <-- This is 3600 seconds, or one hour. Increase the number of seconds to extend the time the IP address is banned from your system.

maxretry = 3 <-- The number of times a user can fail before getting banned. It is best not to set this value too high.

In the [ssh-iptables] section we want to check the following:

enabled = false <-- change this to true

action = <-- Make sure to change the dest to your email address

maxretry = 5 <-- Do not set this too high. Actually, I reduced mine to only 3 attempts.

DO NOT change any other sections unless you are using that service (for example proftpd, vsftpd, etc.).
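The settings above can be checked mechanically before restarting the service. The following is an added example, not part of the article and not fail2ban's own code: it loads a jail.conf-style file with Python's configparser (which models [DEFAULT] inheritance the same way fail2ban does) and reports whether ignoreip covers the local machine, whether the ssh-iptables jail is enabled, whether the dest address in the action is still a placeholder, and whether maxretry is higher than a threshold (`max_sane_retry`, my assumption, defaulting to 5). The two config fragments are constructed to resemble the layout of fail2ban 0.8's jail.conf; the log path and addresses are placeholders.

```python
import configparser
import ipaddress
import re

# Constructed jail.conf fragment in the layout of fail2ban 0.8's jail.conf
# (written for this example, not copied from it); placeholders throughout.
STOCK_LIKE = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 3600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5
"""

# The same fragment after the three edits the article asks for.
EDITED = (STOCK_LIKE
          .replace("enabled  = false", "enabled  = true")
          .replace("dest=you@example.com", "dest=admin@example.org")
          .replace("maxretry = 5", "maxretry = 3"))


def load_jail_conf(text):
    # jail.conf is INI-style: [DEFAULT] values apply to every jail unless the
    # jail overrides them, which configparser models the same way.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_jail_conf(text, jail="ssh-iptables", max_sane_retry=5):
    """Return a list of findings; an empty list means the article's settings are in place."""
    cp = load_jail_conf(text)
    findings = []
    default = cp["DEFAULT"]

    # ignoreip must include the local machine, otherwise a typo at the console bans you.
    nets = [ipaddress.ip_network(n, strict=False) for n in default.get("ignoreip", "").split()]
    if not any(ipaddress.ip_address("127.0.0.1") in net for net in nets):
        findings.append("[DEFAULT] ignoreip does not cover the local machine (127.0.0.1)")
    if default.getint("maxretry", fallback=0) > max_sane_retry:
        findings.append(f"[DEFAULT] maxretry {default['maxretry']} is higher than {max_sane_retry}")

    if not cp.has_section(jail):
        findings.append(f"[{jail}] section is missing")
        return findings
    sec = cp[jail]
    if not sec.getboolean("enabled", fallback=False):
        findings.append(f"[{jail}] enabled is not true")
    # The mail action carries dest=...; "you@..." is the placeholder form.
    m = re.search(r"\bdest=([^,\]\s]+)", sec.get("action", ""))
    if m is None:
        findings.append(f"[{jail}] action has no dest= address for the mail notification")
    elif m.group(1).startswith("you@"):
        findings.append(f"[{jail}] dest={m.group(1)} is still the placeholder address")
    # The jail's own maxretry overrides [DEFAULT]; check the effective value.
    if sec.getint("maxretry", fallback=0) > max_sane_retry:
        findings.append(f"[{jail}] maxretry {sec['maxretry']} is higher than {max_sane_retry}")
    return findings


if __name__ == "__main__":
    for label, text in (("stock-like", STOCK_LIKE), ("edited", EDITED)):
        print(label, check_jail_conf(text) or "OK")
```

Point the script at your real file with `check_jail_conf(open("/etc/fail2ban/jail.conf").read())`; the stock-like fragment yields two findings (jail disabled, placeholder dest), the edited one none.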

If you made any changes to the jail.conf file, you will need to restart the fail2ban service.

In a console window, as the root user, enter the following command:


    service fail2ban restart

You should see something like this:

    [root@laptop fail2ban]# service fail2ban restart
    Stopping fail2ban:      [ OK ]
    Starting fail2ban:       [ OK ]
    [root@laptop fail2ban]#


Running fail2ban

In PCLinuxOS, fail2ban is automatically set up to run at startup or after a reboot of your system.


Setup fixes

If you are using Very Secure FTP (vsftpd):

Fix 1: Configure vsftpd with "dual_log_enable=YES" and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming IP address instead of the DNS name.

Fix 2: Add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf and restart the vsftpd service.


More Information

For more information about fail2ban, you can access the online manual at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8


