How to block brute-force attacks using fail2ban in Linux
Fail2ban is an open-source tool that monitors log files (e.g. /var/log/auth.log, /var/log/apache/error_log) and bans IP addresses that show malicious signs, such as too many password failures or other unwanted actions. Fail2ban updates iptables or other firewall rules to reject those IP addresses for a specified amount of time.
Fail2ban is set up to unban a blocked host after a certain period, so we don't lose genuine connections from hosts that may be temporarily misconfigured.
Standard configuration filters are available for Apache, Lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server.
[root@TTS ~]# yum install fail2ban
Loaded plugins: presto, refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.4-27.fc13 set to be installed
--> Processing Dependency: gamin-python for package: fail2ban-0.8.4-27.fc13.noarch
--> Processing Dependency: shorewall for package: fail2ban-0.8.4-27.fc13.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.8.4-27.fc13.noarch
--> Running transaction check
---> Package gamin-python.i686 0:0.1.10-7.fc13 set to be installed
---> Package python-inotify.noarch 0:0.9.1-1.fc13 set to be installed
---> Package shorewall.noarch 0:188.8.131.52-1.fc13 set to be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================
Package             Arch      Version                 Repository    Size
==========================================================================
Installing:
fail2ban            noarch    0.8.4-27.fc13           updates      128 k
Installing for dependencies:
gamin-python        i686      0.1.10-7.fc13           fedora        33 k
python-inotify      noarch    0.9.1-1.fc13            updates       49 k
shorewall           noarch    184.108.40.206-1.fc13   updates      365 k
Transaction Summary
==========================================================================
Install 4 Package(s)
Total download size: 575 k
Installed size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta | 837 kB 00:01
fedora/prestodelta | 414 B 00:00
Processing delta metadata
Package(s) data still to download: 575 k
(1/4): fail2ban-0.8.4-27.fc13.noarch.rpm | 128 kB 00:00
(2/4): gamin-python-0.1.10-7.fc13.i686.rpm | 33 kB 00:00
(3/4): python-inotify-0.9.1-1.fc13.noarch.rpm | 49 kB 00:00
(4/4): shorewall-220.127.116.11-1.fc13.noarch.rpm | 365 kB 00:01
--------------------------------------------------------------------------
Total 243 kB/s | 575 kB 00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 6 pre-existing rpmdb problem(s), 'yum check' output follows:
jre-1.7.0_07-fcs.i586 is a duplicate with jre-1.7.0_05-fcs.i586
jre-1.7.0_15-fcs.i586 is a duplicate with jre-1.7.0_07-fcs.i586
rpmfusion-free-release-17.0.5-1.noarch has missing requires of system-release >= ('0', '17', None)
skype-18.104.22.168-fc16.i586 has missing requires of libstdc++.so.6(GLIBCXX_3.4.15)
skype-22.214.171.124-fc16.i586 has missing requires of qtwebkit
2:vim-common-7.3.055-1.fc13.i686 has missing requires of vim-filesystem
Installing : shorewall-126.96.36.199-1.fc13.noarch 1/4
Installing : python-inotify-0.9.1-1.fc13.noarch 2/4
Installing : gamin-python-0.1.10-7.fc13.i686 3/4
Installing : fail2ban-0.8.4-27.fc13.noarch 4/4
Installed:
fail2ban.noarch 0:0.8.4-27.fc13
Dependency Installed:
gamin-python.i686 0:0.1.10-7.fc13 python-inotify.noarch 0:0.9.1-1.fc13 shorewall.noarch 0:188.8.131.52-1.fc13
Complete!
The main configuration file is located under /etc/fail2ban/jail.conf.
# “ignoreip” can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# “bantime” is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated “maxretry” during the last “findtime”
findtime = 600
# “maxretry” is the number of failures before a host get banned.
maxretry = 3
ignoreip – IP addresses listed here are never banned; we can add our own addresses to this setting.
bantime – The number of seconds that a host is banned on the server. The default is 600 seconds; we can increase it as needed.
findtime – The time window in which failed logins are counted. The default setting is 600 seconds; that means if a host attempts, and fails, to log in more than the maxretry number of times in the designated 10 minutes, the host will be banned.
maxretry – The number of failed login attempts before a host gets banned.
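How findtime, maxretry, bantime and ignoreip interact, as an added example that is not from the original article or from fail2ban's own code: a small Python simulation over constructed sshd log lines. The regex is a simplified stand-in for the sshd filter, 192.0.2.0/24 is a constructed extra ignoreip entry, and the sketch assumes a ban fires when the failure count reaches maxretry.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.conf excerpt; 192.0.2.0/24 is a constructed extra ignoreip entry.
IGNOREIP = ["127.0.0.1", "192.0.2.0/24"]
BANTIME, FINDTIME, MAXRETRY = 600, 600, 3

# Simplified stand-in for filter.d/sshd.conf (assumption, not the shipped failregex).
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def simulate(lines, year=2013):
    """Return [(HH:MM:SS, "ban"|"unban", ip)] for a chronological list of log lines."""
    ignored = [ipaddress.ip_network(n) for n in IGNOREIP]
    failures = defaultdict(deque)      # ip -> failure times inside the findtime window
    banned_until, events = {}, []      # ip -> ban expiry; decisions in order
    for entry in lines:
        m = FAILED.match(entry)
        if not m:
            continue
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Lift bans whose bantime elapsed before this log line.
        for host, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until.strftime("%H:%M:%S"), "unban", host))
                del banned_until[host]
        if ip in banned_until or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue                   # already banned, or exempted by ignoreip
        window = failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > FINDTIME:
            window.popleft()           # forget failures older than findtime
        if len(window) >= MAXRETRY:    # assumption: ban when the count reaches maxretry
            banned_until[ip] = now + timedelta(seconds=BANTIME)
            events.append((now.strftime("%H:%M:%S"), "ban", ip))
            window.clear()
    return events

def make_line(clock, ip):              # constructed /var/log/secure-style entry
    return f"Mar  4 {clock} TTS sshd[2101]: Failed password for root from {ip} port 40112 ssh2"

SAMPLE = [make_line(c, ip) for c, ip in [
    ("10:00:00", "198.51.100.9"), ("10:00:01", "203.0.113.7"),
    ("10:00:02", "192.0.2.10"), ("10:00:03", "192.0.2.10"), ("10:00:04", "192.0.2.10"),
    ("10:00:05", "203.0.113.7"), ("10:00:09", "203.0.113.7"),
    ("10:06:00", "198.51.100.9"), ("10:12:00", "198.51.100.9")]]

if __name__ == "__main__":
    for event in simulate(SAMPLE):
        print(*event)
```

In the sample, 203.0.113.7 is banned at 10:00:09 and released at 10:10:09, and 192.0.2.10 is never banned because it matches ignoreip. The three failures from 198.51.100.9 are spread over 12 minutes and never fall inside one findtime window; a longer findtime would catch that pattern.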
The SSH section is further down in the config file; it is already set up and turned on. You should not need to make any changes in this section; the details of each line are explained below.
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=firstname.lastname@example.org]
logpath = /var/log/secure
maxretry = 5
enabled – Indicates that SSH protection is on. You can turn it off with “false”.
filter – Set by default to sshd; refers to the config file containing the rules that fail2ban uses to find matches. E.g. sshd refers to /etc/fail2ban/filter.d/sshd.conf.
action – Describes the steps fail2ban takes to ban a particular IP. Each action refers to a file; the iptables action refers to /etc/fail2ban/action.d/iptables.conf. We can also set an email address to receive a mail for every IP ban; this refers to /etc/fail2ban/action.d/sendmail-whois.conf.
logpath – The path of the log file that fail2ban monitors to track IP addresses.
maxretry – The number of failed login attempts.
Restart Fail2Ban Service
After making changes to the config file, restart the fail2ban service.
# chkconfig fail2ban on
[root@TTS ~]# /etc/init.d/fail2ban restart
Stopping fail2ban: [FAILED]
Starting fail2ban: [ OK ]
[root@TTS ~]# iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source    destination
fail2ban-SSH  tcp  --  anywhere  anywhere     tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target        prot opt source    destination
Chain OUTPUT (policy ACCEPT)
target        prot opt source    destination
Chain fail2ban-SSH (1 references)
target        prot opt source    destination
RETURN        all  --  anywhere  anywhere