When we think of security, the first thing that comes to mind is keeping a strong password. The usual guidelines apply: a combination of letters and numbers at a reasonably long length. A 10-character password like Ra-lC6gebe would take about 6 years to find with a brute-force algorithm. That is certainly a strong password, but I would rather not have my VPS responding to a blitz of authentication requests. This is where fail2ban comes into the picture. Time to put the bad guys in ‘jail’.
fail2ban is a Python utility that scans access logs and blocks IP addresses that have too many failed login attempts. The offending IP addresses are banned for a duration based on the rules you set up, and the bans are enforced through firewall rules. There are out-of-the-box filters for common services like ssh, apache and mysql, but you can add your own filters by providing the paths to the application logs and the patterns to search for.
fail2ban works by setting up “jails”, each of which is a set of filters used to identify signs of malicious activity. For each jail you can set the number of invalid attempts allowed, add actions such as banning an IP or sending you an email, and set the ban duration.
On CentOS, you will need to install the epel-release before installing fail2ban
# yum update
# yum install -y epel-release
# yum install -y fail2ban
For Ubuntu/Debian
# apt-get update
# apt-get upgrade
# apt-get install -y fail2ban
Start & enable the service
# systemctl start fail2ban
# systemctl enable fail2ban
Configuration for fail2ban lives in .conf files in /etc/fail2ban. Any setting in these files can be overridden by a .local file of the same name in the same directory, so all changes go into .local files; this ensures customizations are not lost when fail2ban is updated. Right after installation there are two .conf files: fail2ban.conf and jail.conf.
The first holds configuration for the fail2ban application itself, such as the logging level, the location of the fail2ban log and other settings related to the running fail2ban process. You will rarely have to change it, so let’s jump into the jail.conf file.
fail2ban operates by defining “jails” that have specific actions, ban durations and so on. We will make our changes in a copy of jail.conf. First copy jail.conf to jail.local and open it:
# cd /etc/fail2ban
# cp jail.conf jail.local
# nano jail.local
Here are some keywords that are useful when configuring a jail:
bantime – number of seconds the offending host is banned. The default is 600, i.e. 10 minutes.
findtime – the window (in seconds) within which the failure pattern (such as an authentication error) must be found. The default is again 600.
maxretry – number of times the failure must be found within the findtime window before the host is banned (default 3).
action – what to do when the condition is met, the default being to ban the IP (action_). You can change it to action_mw or action_mwl, which ban the IP and also send an email. The destination email is set with the keyword destemail.
Look for the ssh jail, the block that starts with [ssh], in the jail.local file you just opened (its content is copied from jail.conf). It should look something like this:
[ssh]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Change enabled to true and feel free to add any of the additional parameters we saw above:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
We reduced the number of tries from 6 to 3 and shortened the default search window from 10 minutes to 5. Reload the configuration by restarting the service:
# systemctl restart fail2ban
By default, the jail.conf file contains entries for ssh, apache2 and other applications. What if you had a new application which you want included in fail2ban? It is quite simple, as long as the application writes its errors to a log file in a consistent pattern.
For this example, assume there is a new application called foobar which listens on port 6005. When a user’s login attempt fails, an error is written to /var/log/foobar-error.log. The error message looks like this:
LOGIN-ERROR: Request from 123.456.7.8 failed for user=admin@foobar.com with message=password failure
First we add the foobar application to jail.local:
[foobar]
enabled = true
port = 6005
filter = foobar-filter
logpath = /var/log/foobar-error.log
maxretry = 5
Dissecting the configuration: we enabled the jail (enabled = true), told fail2ban that the application listens on port 6005, that it uses the filter foobar-filter (more about filters in just a second), that its logs are in /var/log/foobar-error.log, and that the host should be banned once the error is seen 5 times.
Filters specify the regular expression that is applied to the log file to extract the IP that is causing trouble so it can be banned. Create the filter file foobar-filter.conf under /etc/fail2ban/filter.d/ (fail2ban resolves filter = foobar-filter to filter.d/foobar-filter.conf) like this:
[Definition]
failregex = ^LOGIN-ERROR: Request from <HOST> failed for user=.* with message=.*
fail2ban uses this expression to extract the <HOST>, which is banned when maxretry (5 here) matching error messages are seen within the findtime window; this jail leaves findtime at the default of 10 minutes.
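To see how the failregex, maxretry and findtime settings above interact, here is an added example (not part of this post and not fail2ban’s own code) that applies the foobar failregex to a constructed log with timestamps and slides the findtime window over each host’s failures the way a jail does. The <HOST> expansion and the timestamp prefix are simplifying assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# failregex exactly as in the foobar-filter above; <HOST> is fail2ban's placeholder
FAILREGEX = r"^LOGIN-ERROR: Request from <HOST> failed for user=.* with message=.*"

# fail2ban expands <HOST> to a named group matching an IP address or hostname.
# This simplified expansion is an assumption of the example: IPv4/IPv6 only.
HOST_PATTERN = r"(?P<host>[0-9a-fA-F.:]+)"

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

# Constructed sample log (not from the post): a "YYYY-MM-DD HH:MM:SS" prefix is
# added because fail2ban strips the timestamp before applying failregex.
SAMPLE_LOG = """\
2023-12-20 10:00:01 LOGIN-ERROR: Request from 203.0.113.7 failed for user=admin@foobar.com with message=password failure
2023-12-20 10:00:10 LOGIN-ERROR: Request from 198.51.100.9 failed for user=bob@foobar.com with message=password failure
2023-12-20 10:01:00 LOGIN-ERROR: Request from 203.0.113.7 failed for user=admin@foobar.com with message=password failure
2023-12-20 10:02:00 LOGIN-ERROR: Request from 203.0.113.7 failed for user=root@foobar.com with message=password failure
2023-12-20 10:03:00 LOGIN-ERROR: Request from 203.0.113.7 failed for user=admin@foobar.com with message=password failure
2023-12-20 10:03:10 LOGIN-ERROR: Request from 198.51.100.9 failed for user=bob@foobar.com with message=password failure
2023-12-20 10:03:30 LOGIN-OK: Request from 203.0.113.7 succeeded for user=alice@foobar.com
2023-12-20 10:04:00 LOGIN-ERROR: Request from 203.0.113.7 failed for user=admin@foobar.com with message=password failure
2023-12-20 10:06:10 LOGIN-ERROR: Request from 198.51.100.9 failed for user=bob@foobar.com with message=password failure
2023-12-20 10:09:10 LOGIN-ERROR: Request from 198.51.100.9 failed for user=bob@foobar.com with message=password failure
2023-12-20 10:12:10 LOGIN-ERROR: Request from 198.51.100.9 failed for user=bob@foobar.com with message=password failure
"""

def scan(log, failregex, maxretry, findtime):
    """Return the hosts a jail with these settings would ban: a host is banned once
    it has maxretry matching failures inside any findtime-second window."""
    pattern = compile_failregex(failregex)
    recent = {}          # host -> timestamps of failures still inside the window
    banned = set()
    for line in log.splitlines():
        stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        hit = pattern.match(line[20:])   # match the line minus its timestamp
        if hit is None:
            continue                     # not a failure line: ignored, as fail2ban does
        host = hit.group("host")
        window = recent.setdefault(host, [])
        window.append(stamp)
        cutoff = stamp - timedelta(seconds=findtime)
        window[:] = [t for t in window if t >= cutoff]   # slide the findtime window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the foobar jail’s settings (maxretry 5, default findtime 600) only 203.0.113.7 is banned; 198.51.100.9 fails just as often but spread out over time, and is only caught if findtime is widened or maxretry lowered.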
Hope I was able to give you a good launchpad to understand and implement fail2ban on your server. If you have implemented fail2ban on your system and especially for a custom application, I would love to hear your thoughts and experience. Stay safe and Happy Holidays.