Fail2ban Installation and Configuration
What does fail2ban do
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc. Generally Fail2ban then updates firewall rules to reject those IP addresses for a specified amount of time. Out of the box Fail2ban comes with filters for various services (apache, courier, ftp, ssh, etc).
The only required dependency needed to run Fail2ban is Python. Python is installed by default in PCLinuxOS.
Here is a list of the main features available in Fail2ban.
Parses log files and looks for given patterns.
Executes commands when a pattern has been detected for the same IP address for more than X times. X can be changed.
After a given amount of time, executes another command in order to unban the IP address.
Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
Handles log files rotation.
Can handle multiple services (sshd, apache, vsftpd, etc).
Resolves DNS hostname to IP address (use with caution, disable by usedns = no).
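To make the ban/unban cycle in the list above concrete, here is a small added model of one jail (example code written for this page, not fail2ban's own source): it applies a filter regex to log lines, counts failures per IP inside the findtime window, bans after maxretry, honours ignoreip, and lifts the ban once bantime has passed. The regex and the sshd log lines are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Pattern in the spirit of fail2ban's sshd filter (the real one lives in filter.d/sshd.conf);
# the <ip> group plays the role of fail2ban's <HOST>. Constructed for this example.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3})")

class MiniJail:
    """Toy jail: maxretry failures from one IP within findtime seconds -> ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=("127.0.0.1/8",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(list)  # ip -> timestamps of failures still in the window
        self.banned = {}                   # ip -> time at which the ban expires
        self.actions = []                  # ("ban"|"unban", ip), in the order they fired

    def _expire_bans(self, now):
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]
            self.actions.append(("unban", ip))  # actionunban (e.g. iptables -D) in real fail2ban

    def feed(self, now, line):
        """Feed one log line with its timestamp in seconds, as fail2ban's log reader would."""
        self._expire_bans(now)
        m = FAILED_LOGIN.search(line)
        if not m:
            return
        ip = m.group("ip")
        if ip in self.banned or any(ip_address(ip) in net for net in self.ignore):
            return
        # sliding findtime window: drop failures older than findtime, then record this one
        self.failures[ip] = [t for t in self.failures[ip] if now - t <= self.findtime] + [now]
        if len(self.failures[ip]) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.failures[ip] = []
            self.actions.append(("ban", ip))  # actionban (e.g. iptables -I) in real fail2ban

def demo():
    """Replay constructed sshd lines (not real logs): 203.0.113.7 trips maxretry=3,
    loopback is covered by ignoreip, and the ban lapses once bantime has passed."""
    jail = MiniJail(maxretry=3, findtime=600, bantime=600)
    lines = [
        (0, "sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
        (5, "sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2"),
        (8, "sshd[2205]: Failed password for root from 127.0.0.1 port 40000 ssh2"),
        (12, "sshd[2207]: Failed password for root from 203.0.113.7 port 51041 ssh2"),
        (700, "sshd[2210]: Accepted password for dwmoar from 198.51.100.9 port 51050 ssh2"),
    ]
    for ts, line in lines:
        jail.feed(ts, line)
    return jail.actions
```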
fail2ban is in the Synaptic repository. Please install it using Synaptic.
Once installed using Synaptic you will need to start the service.
In a console window as root enter the following:
service fail2ban start
You should see something like this:
[root@laptop dwmoar]# service fail2ban start
Starting fail2ban: [ OK ]
[root@laptop dwmoar]#
Checking the fail2ban server status
In a console window as the root user enter the following.
service fail2ban status
You should see something like this:
[root@laptop dwmoar]# service fail2ban status
Fail2ban (pid 5166) is running...
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
[root@laptop dwmoar]#
Note: the jail list you see may be different depending on the services you are using, as set up in the jail.conf file.
You can configure Fail2Ban using the /etc/fail2ban/fail2ban.conf file.
It is safe to leave it with the default settings.
Editing the /etc/fail2ban/jail.conf file
In the [DEFAULT] section we want to check the following variables:
ignoreip = 127.0.0.1/8 <-- we want to allow our local machine
bantime = 600 <-- This is 600 seconds (10 minutes). Increase the number of seconds to extend the time the IP is banned from your system.
maxretry = 3 <-- The number of times the user can fail before getting banned. It is best not to set this too high.
In the [ssh-iptables] section we want to check the following:
enabled = false <-- change this to true
action = <-- Make sure to change the dest= value in the action line to your email address
maxretry = 5 <-- Do not set this too high. Actually I reduced mine to only 3 attempts
DO NOT change any other sections unless you are using that service (for example proftpd, vsftpd, etc).
If you made any changes to the jail.conf file you will need to restart the fail2ban service.
In a console window as the root user, enter the following command:
service fail2ban restart
You should see something like this:
[root@laptop fail2ban]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
[root@laptop fail2ban]#
fail2ban is automatically set up in PCLinuxOS to run on startup or a reboot of your system.
For more information about fail2ban, you can access the online manual at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
If you are using Very Secure FTP (VSFTP)
Fix 1: Configure VSFTP with "dual_log_enable=YES", and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming IP address instead of the DNS name.
Fix 2: Add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf and restart the vsftpd service.