Block Network Probes using Fail2Ban

Requirements for fail2ban

  • A Linux server running Debian/Ubuntu or CentOS
  • Fail2Ban installed on that server

Configure Fail2Ban

As the Fail2Ban installation instructions make clear, you have to make a local copy of the configuration file (jail.local) and put all your custom changes in that local copy.

SSH is monitored by Fail2Ban by default. The part of the jail.local file that controls SSH monitoring looks like the sample below:

  • Ubuntu/Debian:
  • CentOS:
To enable monitoring for any other service, change its “enabled” option to “true”. You also need to set the other options correctly, because fail2ban decides whom to block based on the information it gathers from that service’s log.

Basic explanation of the options for every service in the jail.conf/jail.local file:

  • enabled – if set to true, monitoring for this service is enabled.
  • filter – the file in /etc/fail2ban/filter.d/ that is read for the specific service. For SSH the file is /etc/fail2ban/filter.d/sshd.conf. It contains the rules that are applied to the sshd log. For example, a login failure via SSH looks like this in the secure log:
    The filter has rules based on regular expression matching:
    Once there are more failed attempts from the same IP than the allowed number, that IP gets blocked.

– action – this specifies the file which contains the action rules (the rules that define what should be done in a specific situation). In our case the file is /etc/fail2ban/action.d/iptables.conf.

– logpath – the path to the log that will be monitored. It is very important to set the correct path; otherwise Fail2Ban will not work properly.

– maxretry – the maximum number of failed attempts before an IP gets blocked.
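To show how the filter and maxretry options work together, here is an added example (not part of the original tutorial) that applies a simplified failregex to a few constructed sshd log lines and reports which source IPs have reached the threshold. The regular expression is a stand-in in the spirit of sshd.conf, not fail2ban's own; the log lines are constructed for this demo.

```shell
#!/bin/sh
# Added example: emulate what a fail2ban jail does with its filter and
# maxretry over a constructed sample of /var/log/secure (or auth.log).
# The regex below is a simplified stand-in for sshd.conf's failregex.

SAMPLE_LOG='Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  1 10:00:05 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:07 host sshd[1204]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Mar  1 10:00:09 host sshd[1205]: Failed password for bob from 203.0.113.5 port 40005 ssh2'

# Apply the failregex line by line and count failures per source IP.
# Output: "<count> <ip>" pairs, one per line, sorted by IP.
failures_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' \
      | sort | uniq -c
}

# Apply maxretry: print the IPs that reached the threshold, i.e. the
# addresses the jail would hand to its ban action.
ips_to_ban() {
    maxretry="$1"
    failures_per_ip | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# With maxretry = 3 only 192.0.2.10 (three failures) is banned; the single
# failure from 203.0.113.5 and the successful login from 198.51.100.7 are not.
ips_to_ban 3
```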

Sample configuration

In this tutorial we provide an example of configuring an additional monitor, other than the SSH one that is already enabled. We will configure Fail2Ban to watch for FTP login failures and block the IPs they come from.

For that purpose we have installed and configured ProFTPD on our server.

Open the jail.local file with a text editor:

Locate the part that is responsible for the ProFTPD service:

  • For CentOS:
  • For Ubuntu/Debian:
We will need to set the following option on all distributions:
  • For CentOS:

We need to change the logpath, because on CentOS the FTP login information is found by default in /var/log/secure:

  • For Ubuntu/Debian:

We leave the logpath as it is, since on these two distributions ProFTPD creates its own log file and writes to it.

– maxretry – this is a custom option and depends on your preference.

Save the file and quit the text editor. We will need to restart the fail2ban service after the changes we have made:

Our changes should take effect after the restart and our additional service will be monitored.
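The [proftpd] jail section that the steps above produce, as an added example (not the tutorial's own configuration): the helper prints the section for a given distribution and a second helper checks that the chosen logpath actually exists, since a wrong logpath is the usual reason a jail silently does nothing. The CentOS logpath comes from the tutorial; the Debian/Ubuntu logpath is an assumption based on fail2ban's default paths, and the action line uses the iptables action with its name/port/protocol parameters.

```shell
#!/bin/sh
# Added example: render the [proftpd] jail section for jail.local and
# verify its logpath.  Not the tutorial's own file.

proftpd_jail_section() {
    distro="$1"          # "centos" or "debian" (Ubuntu uses the debian value)
    maxretry="${2:-5}"   # tutorial: custom option, depends on your preference
    case "$distro" in
        centos) logpath=/var/log/secure ;;               # from the tutorial
        debian) logpath=/var/log/proftpd/proftpd.log ;;  # assumed default
        *) echo "unknown distro: $distro" >&2; return 1 ;;
    esac
    # enabled=true switches the jail on; filter/action name the files in
    # filter.d and action.d; logpath is the log fail2ban will watch.
    cat <<EOF
[proftpd]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = $logpath
maxretry = $maxretry
EOF
}

# Return 0 if the logpath named in a jail section is readable, 1 otherwise.
# Run this before restarting fail2ban: a missing log means no bans at all.
logpath_exists() {
    path=$(printf '%s\n' "$1" | sed -n 's/^logpath *= *//p')
    [ -r "$path" ]
}

# Usage: print the CentOS section with maxretry 3 and check its logpath.
section=$(proftpd_jail_section centos 3)
printf '%s\n' "$section"
logpath_exists "$section" || echo "warning: logpath not readable" >&2
```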

Managing Fail2Ban

To manage Fail2ban easily, here are some basic commands that can be used to perform an action or view information.

– fail2ban-client status – provides information about the active jails. In this context, a jail is a service monitored by fail2ban. Sample output of the command:

In this case we have 2 active jails: proftpd and ssh. This command is useful when you need to know a jail’s name or which jails are active.


– fail2ban-client set JAIL_NAME banip IP_ADDRESS – manually bans an IP address. For example:

This command restricts access from IP 111.222.333.444 to the FTP port of your server.


– fail2ban-client set JAIL_NAME unbanip IP_ADDRESS – manually unbans an IP address. The Fail2Ban configuration sets a default time after which banned IP addresses are unblocked automatically; if you want to unblock an IP before that happens, use this command. Example:

This unblocks IP 11.22.33.44 on your server, and it will have access to the FTP port again.


– fail2ban-client -h – the “help” command, which lists all available fail2ban-client commands.


Alternative way to manage Fail2Ban

You can block and unblock IPs manually using the iptables service of your server. However, make sure you restart the fail2ban service after every change you make in the firewall, to avoid problems. If you block/unblock an IP directly in iptables, fail2ban will not be aware of that. This can cause issues, especially when you unblock IPs manually: fail2ban will still consider the IP blocked and will not block it again.

Once an IP is blocked by fail2ban, the rule added to iptables looks like this:

To unblock an IP, you can use the following command:

In our case the command will be:

After we execute it, we need to save the iptables rules and restart iptables:

– For CentOS:

– For Ubuntu/Debian:

And finally, restart the fail2ban service:
