Fail2ban setup

From PCLinuxOSHelp Knowledge Base
Jump to: navigation, search

Fail2ban Installation and Configuration

Fail2ban-home.jpg

What does fail2ban do

Fail2ban scans the log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then updates firewall rules to reject the IP addresses for a specified amount of time. Out of the box Fail2Ban comes with filters for various services such as (apache, curier, ftp, ssh, etc).

System Requirements:

The only required dependency needed to run Fail2ban is Python. Python is installed by default in PCLinuxOS.

Main Features:

Here is a list of the main features available in Fail2ban.

Client/Server architecture.
Multi-threaded.
Highly configurable.
FAM/Gamin/Pyinotify support.
Parses log files and looks for given patterns.
Executes commands when a pattern has been detected for the same IP address for more than X times. X can be changed.
After a given amount of time, executes another command in order to unban the IP address.
Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
Handles log files rotation.
Can handle multiple service (sshd, apache, vsftpd, etc).
Resolves DNS hostname to IP address (use with caution, disable by usedns = no).

Installation:

fail2ban is in the Synaptic repository. Please install it using Synaptic

Once installed using Synaptic you will need to start the service.

In a console window as root enter the following

service fail2ban start

You should see something like this

[root@laptop dwmoar]# service fail2ban start
Starting fail2ban:        [  OK  ]
[root@laptop dwmoar]#

Checking the fail2ban server status

In a console window as the root user enter the following.

service fail2ban status

You should see something like this.

[root@laptop dwmoar]# service fail2ban status
Fail2ban (pid 5166) is running...
Status
|- Number of jail:      1
`- Jail list:           ssh-iptables
[root@laptop dwmoar]# 

Note: that the jail list you see may be different depending on the services you are using, as setup in the jail.conf file.

Configuration:

You can configure Fail2Ban using the /etc/fail2ban/fail2ban.conf file.

It is safe to leave it with the default settings.

Editing the /etcfail2ban/jail.conf file.

In the [DEFAULT] section we want to check the following variables

ignoreip = 127.0.0.1/8 <-- we want to allow our local machine

bantime = 600 <-- This is 600 seconds or 1 hour in time. Increase the number of seconds to extend the time the ip is banned from your system.

maxretry = 3 <-- The number of times the user can fail before getting banned. It is best not to set this to high.


In the [ssh-iptables] section we want to check the following

enabled = false <-- change this to true

action = <-- Make sure to change the dest to your email address

maxretry = 5 <-- Do not set this too high. Actually I reduced my to only 3 attempts

DO NOT change any other sections unless you are using that service. For example proftpd, vsftpd etc.

If you made any changes to the jail.conf file you will need to restart the fail2ban service.

In a console window as the root user, enter the following command

service fail2ban restart

You should see something like this

[root@laptop fail2ban]# service fail2ban restart
Stopping fail2ban:            [  OK  ]
Starting fail2ban:            [  OK  ]
[root@laptop fail2ban]# 

Running fail2ban:

fail2ban is automatically setup to run in PCLinuxOS on startup or a reboot of your system.

More Information

For more information about fail2ban, You can access their online manual at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 Category: HowTo

Setup fixes:

If you are Using Very Secure FTP (VSFTP)

Fix 1: Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming ip address instead of the DNS name.

Fix 2: Add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf and restart the vsftpd service.