CSUF LogoCSUF Site Navigation
optics.csufresno.edu

F14 Security Fail2Ban

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
Forums
Wiki
F14 Fail2Ban


NOTE:  This page is still a work in progress. If you notice a problem, please send me an e-mail!

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

I am finding that Fail2Ban is even more versatile than BlockHosts, and now that BlockHosts is no longer in active development, I have begun using Fail2Ban in earnest. Most people use Fail2Ban to stop script kiddies and ssh brute force attacks, but it can be used to monitor many other daemons as well.

To install Fail2Ban, use yum:

~> sudo yum install Fail2Ban
Press 'y' when prompted to install the programs and any additional dependencies.

/etc/fail2ban/fail2ban.conf is responsible for general settings for Fail2Ban, but more specific settings can be changed in /etc/failban/jail.conf. However, it is recommended that this file not be directly changed. Instead, make a local copy called jail.local, which will override the jail.conf file:
~> sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

ssh Filtering


Next, open up the /etc/fail2ban/jail.local file in a text editor. Under the [DEFAULT] section, add any IP addresses you wish to whitelist, the ban time (in seconds), the maximum retry rate, and the backend used to get files modification:
[DEFAULT]

# "ignoreip" can  be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 [IP Address #1] [IP Address #2] [Etc.]
bantime = 86400
maxretry = 5
backend = polling
IP addresses should be separated by a space.  In  this case, 86400 seconds corresponds to 1 day, which can easily be increased or decreased depending upon your needs.

Next scroll down to the [ssh-iptables] section and make sure you have enabled the filter and that the logpath is pointing toward the right location:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH,port=ssh,protocol=tcp]
           sendmail-buffered[name=SSH, lines=5, dest=root@localhost.localdomain,
           sender=fail2ban@mail.com]
logpath  = /var/log/secure
bantime  = 86
maxretry = 3

Apache Filtering


To provide some Apache filtering using ModSecurity and prevent things like PHP injection attacks, add the following in the /etc/fail2ban/jail.local file:
[apache-modsec]

enabled  = true
port     = http,https
filter   = apache-modsec
action   = iptables-multiport[name="Apache ModSec", port="http,https"]
           sendmail-buffered[name="Apache ModSec", lines=5,
           dest=root@localhost.localdomain, sender=fail2ban@mail.com]
logpath  = /var/log/httpd/error_log
bantime  = 86400
maxretry = 3

[apache-noscript]

enabled  = true
port     = http,https
filter   = apache-noscript
action   = iptables-multiport[name="Apache No-Script", port="http,https"]
           sendmail-buffered[name="Apache No-Script", lines=5,
           dest=root@localhost.localdomain, sender=fail2ban@mail.com]
logpath  = /var/log/httpd/error_log
bantime  = 86400
maxretry = 3
Since there is no filter in Fail2Ban setup for ModSecurity, create a /etc/fail2ban/filter.d/apache-modsec.conf file with the following information:
# Fail2Ban Apache ModSecurity Configuration File

[Definition]
#failregex = [[]client <HOST>[]] ModSecurity: Warning. Operator LT matched 20
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =
Save and exit.

This will check the /var/log/httpd/error_log for problems. Since ModSecurity automatically logs to this file, Fail2Ban will check it for problems and begin banning IP addresses, as necessary.


Dovecot Filtering

To provide some Dovecot filtering using ModSecurity and prevent things like PHP injection attacks, add the following in the /etc/fail2ban/jail.local file:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/dovecot/dovecot.log
maxretry = 5
findtime = 1200
bantime = 86400
Save and exit. Then create a filter file called /etc/fail2ban/filter.d/dovecot.conf:
[Definition]
failregex = (?: pop3-login
|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
Save and exit.


Restarting and Monitoring Fail2Ban

Next restart Fail2Ban:
~> sudo service fail2ban restart
If everything is setup properly, you should see something similar to:
Stopping fail2ban:                                         OK  ]
Starting fail2ban:                                         OK  ]
You can now check the status of each jail cell you have created using fail2ban-client:
~> sudo fail2ban-client status
Status
|- Number of jail:    3
`- Jail list:        apache-modsec, apache-noscript, ssh-iptables
To examine a particular jail:
~> sudo fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:    /var/log/secure
|  |- Currently failed: 1
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       98.224.72.209
   `- Total banned:     1
To examine the firewall, check IPTables:
~> sudo iptables -L -n
You will see a list of IP addresses that are currently being dropped as a result of Fail2Ban. If you notice an IP address that should not be banned,
~> sudo iptables -D fail2ban-SSH -s [IP Address] -j DROP
Substitute the public IP address for [IP  Address]. This will remove ban from IPTables.