One of the most common attack vectors against servers is the brute force login attempt: attackers try to get into your server by feeding it an endless stream of username and password combinations.
For this kind of problem the fastest and most effective solution is to limit the number of attempts and block that user or IP address for a certain time. It is also worth knowing that there are open source applications designed specifically to defend against this type of attack.
In today's post I will introduce one of them, called Fail2Ban. Originally developed by Cyril Jaquier in 2004, Fail2Ban is an intrusion prevention software framework that protects servers from brute force attacks.
About Fail2ban
Fail2ban scans log files (for example /var/log/apache/error_log) and bans IPs that show malicious activity, such as too many failed passwords, probing for vulnerabilities, and so on.
In general, Fail2Ban is used to update the firewall rules to reject IP addresses for a specified amount of time, although any other arbitrary action (for example, sending an email) can also be configured.
Installing Fail2Ban on Linux
Fail2Ban is found in the repositories of most major Linux distributions, and in particular in the ones most commonly used on servers, such as CentOS, RHEL and Ubuntu.
In the case of Ubuntu, just type the following for installation:
sudo apt-get update && sudo apt-get install -y fail2ban
In the case of CentOS and RHEL, type the following (the package lives in the EPEL repository, which is why it is enabled first):
yum install epel-release
yum install fail2ban fail2ban-systemd
If you have SELinux it is important to update the policies with:
yum update -y selinux-policy*
Once this is done, the first thing to know is that the Fail2Ban configuration files live in /etc/fail2ban.
The configuration of Fail2Ban is mainly divided into two key files: fail2ban.conf and jail.conf. fail2ban.conf is the main Fail2Ban configuration file, where you configure settings such as:
- The log level.
- The log file Fail2Ban itself writes to.
- The process socket file.
- The PID file.
jail.conf is where you configure options such as:
- The services to defend.
- How long to ban an IP that attacks a service.
- The email address to send reports to.
- The action to take when an attack is detected.
- Predefined jails for common services, such as SSH.
Configuration
Now we move on to the configuration part. The first thing we do is copy our jail.conf to jail.local, which is the file Fail2Ban reads for local overrides (so jail.conf itself stays untouched and survives package upgrades):
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then we edit the copy with nano:
nano /etc/fail2ban/jail.local
Inside, go to the [DEFAULT] section, where we can make some adjustments.
The "ignoreip" setting lists the IP addresses that are left out and completely ignored by Fail2Ban: basically the server's own (local) IP and any others you consider should never be banned.
Every other IP with failed logins is at the mercy of being banned, and stays banned for the configured number of seconds (by default 3600 seconds); Fail2Ban only acts after 6 failed attempts.
After the general configuration, we now enable a jail for the service we want to protect. Fail2Ban already ships with predefined filters for many services, so only a few adjustments are needed. Here is an example:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
With the relevant changes made, you finally need to reload Fail2Ban and, on CentOS/RHEL, make sure firewalld is enabled and running, since that is the firewall Fail2Ban's ban actions drive there:
service fail2ban reload
systemctl enable firewalld
systemctl start firewalld
With this done, let's do a quick check that Fail2Ban is running and see which jails are active:
sudo fail2ban-client status
Unban an IP
Once Fail2Ban has banned an IP, what if we want to unban it? We can again use fail2ban-client and tell it to unban a specific IP in a given jail, as in the example below.
sudo fail2ban-client set ssh unbanip xxx.xxx.xx.xx
where xxx.xxx.xx.xx is the IP address you want to unban.