jump to navigation

Securing a Linux box with fail2ban and iptables — ssh banner January 16, 2011

Posted by Tournas Dimitrios in Linux, Linux admin tools.

Fail2Ban is a limited intrusion detection/prevention system. It works by scanning log files and then taking action based on the entries in those logs. Although fail2ban script runs as a daemon (by default ) to ban an IP address after too many failed login attempts , it can also be used from the command line for testing purposes .Use it for blocking failed login attempts for SSH, ProFTP and Postfix. It installs with ssh protection enabled by default. The default /etc/fail2ban.conf contains examples for many different services and is well-commented, so it’s easy to set it up for your own needs.

Fail2ban is an intrusion prevention framework written in the Python programming language , it’s main purpose is to prevent brute force login attacks. It is typically set up to unban a blocked host within a certain period, so as to not “lock out” any genuine connections that may have been temporarily mis-configured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack. This article will demonstrate how to install and configure fail2ban on a CentOs 5.x box .The installation is made with the yum package installer (the rpm is provided from EPEL) .

  1. install the package : yum install fail2ban
  2. configuring : All Fail2ban configuration files are located under the /etc/fail2ban directory , so use your favorite editor to custom your configurtations .It is possible to configure the server using commands send to it by fail2ban-client . The available commands are listed on the man page of fail2ban-client , please refer to it .
  3. Configure: edit jail.conf file replace generic email with your email:
    • /etc/fail2ban/jail.conf
    • /etc/fail2ban/action.d/mail.conf : dest = xx@gmail.com
  4. Testing : fail2ban-client -d
  5. Start fail2ban: fail2ban-client start
  6. restart fail2ban: fail2ban-client reload
  7. make fail2ban to start on boot: Fail2ban shouldn’t run when iptables isn’t running, so using “chkconfig – -level=2345 fail2ban on” is the recomented way (Linux will handle the priority of the services at start / stop)
  8. check log file : less /var/log/fail2ban.log

According to the official website , the fail2ban daemon must be handled via its client utility ” fail2ban-client ” and not directly .Read the man page ” man fail2ban-client” .

More notes about the configurations :

  • /etc/fail2ban/fail2ban.conf : Main purpose of this file is to configure fail2ban log related directives (log-level , log-target )
  • /etc/fail2ban/jail.conf : This file contains the declaration of the service configurations. This configuration file is broken up into different contexts.
    • The DEFAULT settings apply to all sections.

    ignoreip =
    maxretry = 5
    findtime = 600
    bantime = 600

    The DEFAULT section of jail.conf says that after five failed access attempts from a single IP address within 600 seconds or 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).

    • Specific service configuration sections : Following is an example of the ssh services section.

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    action = iptables

    • enabled : Enable the fail2ban checking for ssh service
    • port: service port ( referred in /etc/services file )
    • filter: Name of the filter to be used by the service to detect matches. This name corresponds to a file name in ‘/etc/fail2ban/filter.d’; without the ‘.conf’ extension. For example: ‘filter = sshd’ refers to ‘/etc/fail2ban/filter.d/sshd.conf’.
    • logpath: The log file that fail2ban checks for failed login attempts.
    • Action: This option tells fail2ban which action to take once a filter matches. This name corresponds to a file name in ‘/etc/fail2ban/action.d/’ without the ‘.conf’ extension. For example: ‘action = iptables’ refers to /etc/fail2ban/action.d/iptables.conf’.
  • fail2ban actions : The directory /etc/fail2ban/action.d contains different scripts defining actions which will execute once a filter matches. Only one filter is allowed per service, but it is possible to specify several actions, on separate lines.
    • mail.conf : defines the rules for the mail acrion
    • iptables.conf : defines the rules that will be added on the iptables

Alternative solutions :

References :


1. Techie Talks - December 22, 2011

I like using fail2ban, it helps me a lot especially with brute force attacks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s