27
loading...
Automate server intrusion detection and banning with Fail2ban
A Fail2Ban installation monitors server access logs and automatically bans IP addresses of bots and attacking users in iptables. Fail2Ban analyses server logs and identifies a pattern where a suspicious user or bot is trying to access restricted areas on the server. Brute force attacks repeatedly fail and use combinations of login credentials on after another. Fail to ban can detect failed login attempts on SSH and Apache webserver.
Installation is straight forward update
apt-get and run instal fail2ban as a root user. Theses are Debian/Ubuntu commands for CentOS yum would replace apt-get and paths/locations might differ for configuration files. Check this tutorial for non-Debian operating systems.sudo apt-get update
sudo apt-get install fail2banFail2Ban can keep server admin updated with emails but to keep it simple, let’s not configure this additional feature. The configuration file /etc/fail2ban/fail2ban.conf is superseded by fail2ban.local file. So this local config file needs to be created to keep additional settings. Here is part of the default installation config file.
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO
logtarget = /var/log/fail2ban.log
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400Fail2ban focuses on failed SSH login attempts by default. Using custom config file jails for HTTP web server like Apache, FTP and mail server can be enabled.
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 3
findtime = 600
bantime = 1hSo here we have set up fail2ban to look apache2 error logs for brute force attack using one password after another. Three failed login attempts within 600 seconds would lead to an IP address ban for an hour. Restart fail2ban for the changes to take effect sudo systemctl restart fail2ban. To enable fail2ban service to start with boot use sudo systemctl enable fail2ban.
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
ignoreip = localhost or an IPFail2ban analyses errors of not found .php, .asp, .pl scripts. Client attempting to exploit known scripts are banned.
[apache-overflows]
logpath = %(apache_error_log)s
maxretry = 2Detects apache buffer overflow attempts by the client using long suspicious URLs.
[apache-nohome]
port = http,httpsDetects failures to find a home directory on a server.
[apache-botsearch]
enabled = true
port = http,https
maxretry = 2Alternative to apache-noscript filter this filter aims at blocking specific URLs, script or webservices.
Beware, access logs of busy websites can be huge. Setting Fail2ban to monitor access log can have a negative impact on server performance. So think about costs and benefits of access log jails before enabling them.
Bans bots identified as spammer robots crawling the web for email addresses.
[apache-badbots]
port = http,https
logpath = %(apache_access_log)sMatches and blocks fopen URL PHP injection attacks
[php-url-fopen]
port = http,httpsJails for roundcude, openwebmail and horde are available, just add the location of log file in these jails.
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
#if roundcube logs to journal then use following.
#backend = %(syslog_backend)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.logError logs have multiple failed requests to WordPress login URLs or files like wp_login.php. This blog post creates a custom regular expression to scan failed WordPress logins in the error log. Using this RegEx a new filter file is created in Fail2ban directory. Once the filter is in place a [wordpress] jail can be added in jail.local. You can easily create your own filters with custom RegEx. Try online regular expression services like regex101.com with your error log to create a regular expression.
Use Fail2ban client to setup configuration or check status of jail and banned IP addresses.
sudo fail2ban-client statussudo fail2ban-client status apachesudo fail2ban-client set apache banip x.x.x.xsudo fail2ban-client set apache unbanip x.x.x.xsudo systemctl restart fail2bansudo iptables -Lsudo systemctl enable fail2ban27