How to use Fail2ban to secure your server against brute-force attacks.


Fail2ban is intrusion-prevention software that protects servers from brute-force attacks. It scans service logs for repeated authentication failures and blocks the offending source IP in the firewall, putting a brake on the attack. This post is about how to configure fail2ban to secure your server.

We will start by installing fail2ban on our server.

 

Install Fail2ban on CentOS 7

We will install fail2ban from Extra Packages for Enterprise Linux, or EPEL for short.

We will install fail2ban together with the add-on packages for systemd (journal) support, firewalld integration and sendmail notifications.

 

[root@debyum ~]# yum update
[root@debyum ~]# yum install epel-release -y 
[root@debyum ~]# yum install fail2ban fail2ban-systemd fail2ban-firewalld fail2ban-sendmail -y

 

We will also update the SELinux policy packages, if an update is available:

  • selinux-policy.noarch
  • selinux-policy-targeted.noarch

[root@debyum ~]# yum update selinux-policy*

 

Enable the service so that it starts at boot (we will start it once it is configured).

[root@debyum ~]# systemctl enable fail2ban

 

 

Configuring Fail2ban.

All the files of the fail2ban service are stored in the /etc/fail2ban directory. Here is a list of the files in /etc/fail2ban:

[root@debyum ~]# ls -l /etc/fail2ban/
total 64
drwxr-xr-x. 2 root root  4096 Oct 15 12:23 action.d
-rw-r--r--. 1 root root  2328 Aug  1  2015 fail2ban.conf
drwxr-xr-x. 2 root root  4096 Sep 12  2015 fail2ban.d
drwxr-xr-x. 3 root root  4096 Oct 15 12:48 filter.d
-rw-r--r--. 1 root root 18562 Sep 12  2015 jail.conf
drwxr-xr-x. 2 root root  4096 Oct 15 12:40 jail.d
-rw-r--r--. 1 root root  1939 Aug  1  2015 paths-common.conf
-rw-r--r--. 1 root root   642 Aug  1  2015 paths-debian.conf
-rw-r--r--. 1 root root   743 Aug  1  2015 paths-fedora.conf
-rw-r--r--. 1 root root  1174 Aug  1  2015 paths-freebsd.conf
-rw-r--r--. 1 root root   290 Aug  1  2015 paths-osx.conf

 

jail.conf is the main configuration file, but we won't edit it because it can be overwritten by package upgrades.

Instead we create a local configuration file at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf. fail2ban reads jail.conf first and the local files afterwards, so whatever we put there wins.

We will use /etc/fail2ban/jail.local and place our configuration in this file. Any value defined here overrides the same value in jail.conf.

 

First we will stop fail2ban from using DNS. With usedns = no, a hostname that shows up in a log line is never resolved (the line is simply ignored), so fail2ban only acts on literal IP addresses and neither waits for nor trusts reverse lookups, which an attacker can influence.

[root@debyum fail2ban]# vi jail.local
[DEFAULT]

usedns = no

 

We will set the list of IPs we want fail2ban to ignore. These can be the IPs of your personal computer or other devices that you trust. Put your own management addresses here before you tighten the ban settings, otherwise a few typos in your own password can lock you out.

We can do this by defining the ignoreip variable (single addresses or CIDR ranges, separated by spaces):

[root@debyum ~]# cd /etc/fail2ban
[root@debyum fail2ban]# vi jail.local
......
......
ignoreip = 127.0.0.1/8 192.168.122.0/24

 

If you have many services configured as jails in fail2ban and want to whitelist IPs only for specific jails, you can do this with the fail2ban-client command:

fail2ban-client set JAIL addignoreip 192.168.122.0/24

For example, to whitelist IPs only for SSH use:

fail2ban-client set sshd addignoreip 192.168.122.0/24

Note that this changes the running server only; the entry is gone after the next restart unless you also add it to the jail's configuration file.

 

We will set the bantime parameter, which sets the length of time that a client will be banned after failing to authenticate. We will set it to 600 seconds, or 10 minutes.

Edit the jail.local file and add these lines:

[root@debyum fail2ban]# vi jail.local
......
......
# Ban hosts for 10 minutes:
bantime = 600

 

Now we will use maxretry and findtime to set a condition under which a client can have at most 3 (maxretry) failed attempts in 10 minutes (findtime). After 3 failed attempts within that window the client will be banned for 10 minutes (bantime). Note the spelling: the parameter is maxretry. A misspelled key such as maxtry is not reported as an error, it just leaves the default of 5 in force.

Edit the jail.local file and add these lines:

[root@debyum fail2ban]# vi jail.local
......
......
# Fail2ban will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
maxretry = 3
findtime = 600

 

Set maxretry as low as you can afford and bantime as high as you want, but only after your own addresses are in ignoreip. Keep in mind that an attacker who spaces attempts more than findtime apart never reaches maxretry, so fail2ban slows a brute-force attack rather than making it impossible; strong passwords or key-only authentication are still required.

If you are running nginx and have password-protected some part of a website that you want to protect against brute-force attacks, enable the [nginx-http-auth] jail:

[root@debyum fail2ban]# vi jail.local
......
......
[nginx-http-auth]
enabled = true

 

In short, your jail.local should look like this:

cat jail.local
[DEFAULT]
usedns = no

# Ban hosts for 10 minutes:
bantime = 600

# 3 failed attempts within 10 minutes trigger the ban:
maxretry = 3
findtime = 600

ignoreip = 127.0.0.1/8 192.168.122.0/24

[nginx-http-auth]
enabled = true
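To see how maxretry, findtime, bantime and ignoreip interact, here is an added example in Python. It is not part of the original post and not fail2ban's own code: a toy jail that applies the same rule to a handful of constructed /var/log/secure-style lines. The failure pattern is a simplified form of the one in fail2ban's sshd filter, the timestamps are plain seconds rather than syslog dates, and every IP and hostname in the sample is made up.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Simplified "Failed password" pattern modelled on fail2ban's filter.d/sshd.conf.
# fail2ban's real <HOST> tag is broader; this is enough for the constructed sample.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

# Constructed /var/log/secure-style lines (not from a real server). The first field
# is a timestamp in seconds from an arbitrary origin so the demo ignores the clock.
SAMPLE_LOG = [
    (0,    "sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2"),
    (0,    "sshd[1202]: Failed password for root from 198.51.100.7 port 6000 ssh2"),
    (10,   "sshd[1203]: Failed password for root from 192.168.122.10 port 5001 ssh2"),
    (20,   "sshd[1204]: Failed password for root from 192.168.122.10 port 5002 ssh2"),
    (30,   "sshd[1205]: Failed password for root from 192.168.122.10 port 5003 ssh2"),
    (50,   "sshd[1206]: Accepted publickey for engy from 203.0.113.9 port 7000 ssh2"),
    (60,   "sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2"),
    (90,   "sshd[1208]: Failed password for root from badhost.example port 1 ssh2"),
    (120,  "sshd[1209]: Failed password for root from 203.0.113.5 port 40124 ssh2"),
    (130,  "sshd[1210]: Failed password for root from 203.0.113.5 port 40125 ssh2"),
    (700,  "sshd[1211]: Failed password for root from 198.51.100.7 port 6001 ssh2"),
    (1400, "sshd[1212]: Failed password for root from 198.51.100.7 port 6002 ssh2"),
    (1500, "sshd[1213]: Failed password for root from 203.0.113.5 port 40126 ssh2"),
]


class Jail:
    """Toy model of one fail2ban jail: maxretry failures within findtime => ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=600,
                 ignoreip=("127.0.0.1/8", "192.168.122.0/24")):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                     # host -> time the ban expires
        self.events = []                     # (time, "ban" | "unban", host)

    def is_ignored(self, host):
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in self.ignore)

    def expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this on a timer)."""
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.events.append((until, "unban", host))

    def feed(self, now, line):
        """Process one log line; return the host if this line triggered a ban."""
        self.expire(now)
        m = FAILREGEX.search(line)
        if not m:
            return None
        host = m.group("host")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # usedns = no: a hostname is never resolved, the line is simply ignored
            return None
        if self.is_ignored(host) or host in self.banned:
            return None
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()          # only failures inside findtime count
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()
            self.events.append((now, "ban", host))
            return host
        return None


def simulate(log=SAMPLE_LOG, **jail_options):
    """Run the sample through a jail and return it (events, banned, failures)."""
    jail = Jail(**jail_options)
    for ts, line in log:
        jail.feed(ts, line)
    return jail


if __name__ == "__main__":
    for when, what, host in simulate().events:
        print(f"t={when:>5}s  {what:<5}  {host}")
```

With the settings from this post, 203.0.113.5 is banned at t=120 after its third failure and released at t=720; the 192.168.122.10 failures are ignored because of ignoreip; the badhost.example line is skipped because of usedns = no; and 198.51.100.7, which spaces its attempts 700 seconds apart, is never banned because no three failures fall inside one 600-second findtime. Raising findtime to 1800 catches that slow attacker too, which is the trade-off to weigh when you choose findtime.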

 

 

fail2ban.filtersystemd warning.

The fail2ban-systemd package drops /etc/fail2ban/jail.d/00-systemd.conf, which switches every jail to the systemd journal backend. For jails whose filter defines no journalmatch (nginx-http-auth is one, and nginx writes to a log file rather than the journal anyway) this produces the following message in the fail2ban log:

Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.

It is a warning, not an error, but such a jail reads the journal instead of its logpath. To solve it, change the value of the backend variable in 00-systemd.conf from systemd to auto, so that each jail watches its own logpath:

[root@debyum fail2ban]# cat jail.d/00-systemd.conf
[DEFAULT]
backend=auto

Because that file belongs to the package, a later upgrade may put systemd back. Setting backend = auto in jail.local instead, which fail2ban reads after jail.d/*.conf, has the same effect and survives upgrades.

 

 

Configuring SSH.

Now we will enable the SSH jail in fail2ban and set the parameters for the SSH service.

The best way to configure a service in fail2ban is to create a dedicated file for it in the jail.d directory. fail2ban reads jail.d/*.local last, so the values in it override jail.conf and jail.local for this jail only.

So we will create a file named sshd.local in the jail.d directory:

[root@debyum fail2ban]# vi jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 600

port = ssh resolves to 22; if sshd listens on another port, put that port number here, otherwise the firewall rule blocks the wrong port and a banned host can still reach sshd. logpath = %(sshd_log)s is expanded from the paths-*.conf files, on CentOS to /var/log/secure. The fail2ban-firewalld package already sets the ban action to firewallcmd-ipset for all jails through jail.d/00-firewalld.conf, which is why the action line can stay commented out.
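To check how jail.conf, jail.d/00-systemd.conf, jail.local and jail.d/sshd.local combine into the settings each jail actually runs with, here is an added Python example. It is not code from the original post or from fail2ban: it writes abbreviated, constructed stand-ins for the four files to a temporary directory, reads them in fail2ban's documented order (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and returns the effective options per jail. The real jail.conf takes sshd_log from paths-fedora.conf via [INCLUDES]; here the variable is placed directly in [DEFAULT] so that the example runs offline.

```python
import configparser
import glob
import os
import tempfile

# fail2ban's documented read order (see jail.conf(5)); later files override earlier ones.
READ_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")

# Constructed, heavily abbreviated stand-ins for the real files.
JAIL_CONF = """\
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
backend = auto
usedns = warn
sshd_log = /var/log/secure

[sshd]
port = ssh
logpath = %(sshd_log)s
enabled = false

[nginx-http-auth]
port = http,https
logpath = /var/log/nginx/error.log
enabled = false
"""

JAIL_LOCAL = """\
[DEFAULT]
usedns = no
bantime = 600
maxretry = 3
findtime = 600
ignoreip = 127.0.0.1/8 192.168.122.0/24

[nginx-http-auth]
enabled = true
"""

SSHD_LOCAL = """\
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 600
"""


def write_tree(root, backend):
    """Lay the files out as /etc/fail2ban would hold them (constructed contents)."""
    os.makedirs(os.path.join(root, "jail.d"), exist_ok=True)
    files = {
        "jail.conf": JAIL_CONF,
        "jail.d/00-systemd.conf": f"[DEFAULT]\nbackend={backend}\n",  # from fail2ban-systemd
        "jail.local": JAIL_LOCAL,
        "jail.d/sshd.local": SSHD_LOCAL,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def effective_config(backend="systemd"):
    """Return {jail: {option: value}} as fail2ban sees it after layering the files."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, backend)
        paths = []
        for pattern in READ_ORDER:
            paths.extend(sorted(glob.glob(os.path.join(root, pattern))))
        # BasicInterpolation expands %(sshd_log)s from [DEFAULT], as fail2ban does.
        parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
        parser.read(paths)  # each later file overrides the keys it repeats
        return {jail: dict(parser[jail]) for jail in parser.sections()}


def enabled_jails(cfg):
    """Jail names that would appear in `fail2ban-client status`."""
    return sorted(j for j, opts in cfg.items() if opts.get("enabled", "false").lower() == "true")


if __name__ == "__main__":
    cfg = effective_config()
    print("enabled jails:", ", ".join(enabled_jails(cfg)))
    for jail in enabled_jails(cfg):
        print(jail, {k: cfg[jail][k] for k in ("backend", "usedns", "maxretry", "bantime", "logpath")})
```

The result shows the precedence the post relies on: sshd ends up with maxretry 5 from jail.d/sshd.local while nginx-http-auth keeps the 3 set in jail.local, both inherit usedns = no and ignoreip from jail.local, and backend stays systemd because jail.local never overrides 00-systemd.conf. Calling effective_config(backend="auto") mirrors the fix in the previous section.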

 

To check whether we have configured everything correctly, restart the fail2ban service:

[root@debyum fail2ban]# systemctl restart fail2ban.service

 

Then use fail2ban-client status to check the status of the service; both jails should be listed:

[root@debyum fail2ban]# fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	nginx-http-auth, sshd

 

 

Configuring mail notifications for fail2ban

First make sure sendmail is installed:

[root@debyum fail2ban]#  yum install sendmail -y

We can configure fail2ban to notify the owner whenever a host is banned for failed authentication attempts or a brute-force attack.

To configure mail notifications in fail2ban, edit the jail.local file (these [DEFAULT] values merge with the ones set earlier):

[DEFAULT]
bantime = 600
sender = fail2ban@debyum.com
destemail = engy@debyum.com
action = %(action_mwl)s

action_mwl bans the host and mails a report with a whois lookup of the address and the matching log lines; action_mw sends the same mail without the log lines, and the default action_ only bans. The whois lookup needs the whois package, and every ban produces one mail, so on a busy server consider action_mw or a mail filter.

 

Restart the fail2ban service.

[root@debyum fail2ban]# systemctl restart fail2ban.service

 

To check the log file:

[root@debyum fail2ban]# tail /var/log/fail2ban.log

 

 

Conclusion

Fail2ban is easy to configure and very useful for protecting services that use authentication against brute-force attacks. Configure it carefully.

If you want to learn about hardening the SSH service in more detail, you should read this post.

That's all you need to know about how to configure fail2ban to secure your server.

I have tried to cover the basic to advanced concepts with examples. Still, if I have made any kind of mistake or missed anything, please let us know through the comment box. I will keep updating this based on the feedback received.

Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)
