Strengthening Your System Security with Fail2ban

Fail2ban is a log-driven intrusion prevention tool that blunts brute-force attacks against services such as SSH, FTP and HTTP. In a brute-force attack the attacker submits many username/password combinations until one is accepted. Fail2ban watches the service's log files for patterns that indicate this, typically repeated failed logins from the same address, and once an address exceeds a threshold it blocks that address at the firewall for a configurable period.

When Fail2ban detects suspicious activity, it runs one or more actions against the offending address. The usual action inserts a firewall rule (iptables or nftables, depending on the banaction you choose) that drops further connections from that address until the ban time expires and the rule is removed again. Fail2ban can also send email notifications to administrators or run custom scripts, for example to push the address to a shared blocklist.

Fail2ban is highly customizable and ships with filters for a wide range of services and applications. Besides credential guessing, it can detect and block other noisy single-source behaviour that shows up in logs, such as port scans or a flood of bad requests from one client. It is not a DDoS defence, though: a distributed attack arrives from many addresses that each stay below maxretry, and a reactive tool that has to read every log line becomes a bottleneck itself under real flood volumes.

Overall, Fail2ban is an effective, low-effort layer against unauthorized access. It works best alongside, not instead of, strong authentication (key-based SSH logins, unique passwords), because it only raises the cost of guessing rather than removing the possibility.

How to Install and Configure Fail2ban

Follow these steps:

  • On Debian or Ubuntu, update the package list (other distributions ship the same package under their own package manager):
sudo apt-get update
  • Install Fail2ban by running the command:
sudo apt-get install fail2ban
  • Create a local override file. The packaged defaults live in /etc/fail2ban/jail.conf, which is replaced on upgrade, so do not edit it; put your settings in /etc/fail2ban/jail.local, which Fail2ban reads afterwards and which only needs to contain the values you change:
sudo vi /etc/fail2ban/jail.local

In jail.local you specify which services Fail2ban monitors, how many failures within findtime trigger a ban (maxretry), and how long the ban lasts (bantime). The file below repeats several packaged [DEFAULT] values so the knobs are visible in one place; a truly minimal jail.local needs only the lines you actually change plus the [sshd] section. Make any necessary changes and save the file.

[INCLUDES]

before = paths-debian.conf

[DEFAULT]

# Never ban localhost or your own management network. Write networks with the
# host bits cleared (192.168.1.0/24), not as a host address with a prefix length.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

# An address is banned for bantime once it produces maxretry matches within findtime.
bantime  = 10m
findtime  = 10m
maxretry = 5

# Jails are off unless enabled in their own section (see [sshd] below).
enabled = false
mode = normal

filter = %(__name__)s[mode=%(mode)s]

protocol = tcp
chain = <known/chain>
port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

# On hosts that run nftables use nftables-multiport / nftables-allports instead.
banaction = iptables-multiport
banaction_allports = iptables-allports

action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[sshd]

enabled = true
# "aggressive" additionally matches the ddos and extra patterns of the sshd filter.
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
  • Start Fail2ban:
sudo systemctl start fail2ban
  • Enable it to start automatically at boot as well:
sudo systemctl enable fail2ban
  • Confirm that the jail is running and following the right log (the output lists the watched file and the currently banned addresses):
sudo fail2ban-client status sshd

To create a custom filter

Example with a rule protecting a website login form

  • Navigate to the Fail2ban filters directory using the command:
cd /etc/fail2ban/filter.d/
  • Create a new filter file
sudo vi myfilter.conf
  • Define the filter rules in the file. Each failregex is a Python regular expression in which <HOST> marks the client address to ban, and it must match only log lines that really represent a failure. A pattern such as <HOST> - - .*POST .*login\.php matches every POST to login.php, successful logins included, so a legitimate user who signs in three times within a minute would be banned together with the attacker. Restrict the match to requests the application rejected, for example with a 401 or 403 response, and adjust the path and status codes to what your application actually logs (if the application writes its own "login failed" line, matching that is more reliable than the access log):
[Definition]
failregex = ^<HOST> - - .*"POST /login\.php[^"]*" (?:401|403)\s
ignoreregex =
  • Test the filter against real log lines before enabling it; the tool reports how many lines matched and which addresses it extracted:
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/myfilter.conf
  • Add a jail that uses the new filter to jail.local. The filter name is the file name without .conf; with these values three rejected logins within 60 seconds earn a 10-minute ban:
[login-web]
enabled = true
port = http,https
filter = myfilter
logpath = /var/log/apache2/access.log
maxretry = 3
findtime = 60
bantime = 600
  • Restart Fail2ban using the command:
sudo systemctl restart fail2ban
  • To unban an IP address, use fail2ban-client:
sudo fail2ban-client set <jail-name> unbanip <ip-address>

Replace <jail-name> with the jail that banned the address and <ip-address> with the address to release; sudo fail2ban-client status <jail-name> lists the currently banned addresses if you are unsure which jail it was. For example, to unban 192.168.1.100 from the SSH jail:

sudo fail2ban-client set sshd unbanip 192.168.1.100
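Before enabling a new filter it helps to see what the jail will actually do with it. The following is an added example of mine, not code from Fail2ban or from this guide: it re-implements a jail's decision logic (failregex match, per-host failure counter inside findtime, ban for bantime with expiry) in Python and replays constructed Apache access-log lines through it with the [login-web] settings from above (maxretry 3, findtime 60, bantime 600). It assumes a plain IPv4 capture in place of Fail2ban's richer <HOST> tag and that the application answers bad credentials with 401 or 403; the log lines are made up. The same harness covers the sshd jail if you pass a timestamp extractor for syslog lines via the when= parameter.

```python
"""Added example: a small re-implementation of a Fail2ban jail's decision
logic (failregex match -> per-host failure window -> ban with expiry), so a
filter and its maxretry/findtime/bantime can be checked offline against
constructed log lines. Not Fail2ban's own code; Fail2ban's real matching is
richer (full <HOST> syntax, date handling, prefregex)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2ban's <HOST> tag matches IPv4, IPv6 and host names; the demo substitutes
# a plain IPv4 capture, which is enough for the sample lines (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Turn a Fail2ban-style failregex into a Python regex object."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


# Loose filter: every POST to login.php counts, successful logins included.
WEAK_LOGIN = r"^<HOST> - - .*POST .*login\.php"
# Tightened filter: only POSTs the application answered with 401 or 403
# (assumes the app returns those codes on bad credentials).
STRICT_LOGIN = r'^<HOST> - - .*"POST /login\.php[^"]*" (?:401|403)\s'

_APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def apache_time(line):
    """Timestamp of an Apache combined-log line (zone offset ignored here)."""
    return datetime.strptime(_APACHE_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def run_jail(lines, failregex, maxretry, findtime, bantime, when=apache_time):
    """Replay log lines through a jail.

    Returns (bans, active): the (host, time) ban events in order, and the bans
    still in force after the last line. `when` extracts a line's timestamp,
    so another log format only needs another extractor.
    """
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> match times inside the findtime window
    active = {}                   # host -> time the ban expires
    bans = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        ts, host = when(line), m.group("host")
        for h in [h for h, expiry in active.items() if expiry <= ts]:
            del active[h]             # bantime elapsed: firewall rule removed
        if host in active:
            continue                  # still banned; the firewall drops its packets
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()          # failures older than findtime no longer count
        if len(window) >= maxretry:
            active[host] = ts + bantime
            bans.append((host, ts))
            window.clear()
    return bans, active


def _access_line(ip, hhmmss, status):
    # Constructed Apache access-log line, not captured from a real server.
    return (f'{ip} - - [10/Oct/2024:{hhmmss} +0000] "POST /login.php HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a legitimate user who signs in three times within a
# minute, and an attacker guessing passwords from 203.0.113.5.
SAMPLE_LOG = [
    _access_line("198.51.100.7", "12:00:05", 200),
    _access_line("203.0.113.5", "12:00:10", 401),
    _access_line("203.0.113.5", "12:00:12", 401),
    _access_line("198.51.100.7", "12:00:20", 200),
    _access_line("203.0.113.5", "12:00:25", 401),   # 3rd failure in 60 s -> ban
    _access_line("198.51.100.7", "12:00:40", 200),  # 3rd POST in 60 s, all successful
    _access_line("203.0.113.5", "12:00:50", 401),   # ignored: still banned
    _access_line("203.0.113.5", "12:10:30", 401),   # ban expired at 12:10:25; count restarts
]


def compare_filters(lines=SAMPLE_LOG, maxretry=3,
                    findtime=timedelta(seconds=60), bantime=timedelta(seconds=600)):
    """Run the [login-web] jail settings with both filters, keyed by filter name."""
    return {name: run_jail(lines, rx, maxretry, findtime, bantime)
            for name, rx in (("weak", WEAK_LOGIN), ("strict", STRICT_LOGIN))}


if __name__ == "__main__":
    for name, (bans, active) in compare_filters().items():
        print(name, "banned:", [f"{h} at {t:%H:%M:%S}" for h, t in bans],
              "still banned:", sorted(active))
```

With the loose filter the legitimate user 198.51.100.7 is banned at 12:00:40 right after the attacker, because three successful logins look the same as three failures; the status-code filter bans only 203.0.113.5, whose ban lapses after 600 seconds so that its counter starts from zero at 12:10:30. On a live host the equivalent check is fail2ban-regex against the real log file.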

Fail2ban can mail you whenever it bans an address. The standard actions do not speak SMTP themselves: sendmail-whois and mail-whois hand the message to the local mail transfer agent (Postfix, Exim, msmtp or similar, providing /usr/sbin/sendmail or mail), so that MTA must already be able to deliver or relay mail. The Fail2ban side of the setup goes in /etc/fail2ban/jail.local, not in jail.conf.

Here are the steps to configure email notifications:

  • Edit the local configuration file as root:
sudo vi /etc/fail2ban/jail.local
  • In the [DEFAULT] section, set destemail to the address that should receive the notifications and sender to the address the mail should come from:
destemail = you@example.com
sender = fail2ban@example.com
  • Still in [DEFAULT], choose the mail transport and switch the default action to one that sends mail. mta selects the local command (sendmail or mail); action_mw bans and mails whois information about the address, action_mwl additionally includes the log lines that triggered the ban:
mta = sendmail
action = %(action_mw)s
  • If you relay through a provider such as Gmail, the relay host, port 587 with STARTTLS and the credentials belong in the MTA's configuration, not in jail.local. Google no longer offers the "less secure apps" switch, so use an app password for the relay account.

Expect one mail per ban. On an internet-facing host with a busy sshd jail this adds up quickly, so many administrators leave action = %(action_)s as the default and set action = %(action_mw)s only inside the jails they want to hear about.

Restart the Fail2ban service:

sudo systemctl restart fail2ban

After completing these steps, Fail2ban sends an email to destemail each time a jail bans an address, plus a start/stop notice from the mail action when the service restarts. To test without waiting for an attacker, ban an address by hand and release it again: sudo fail2ban-client set sshd banip 203.0.113.5, then sudo fail2ban-client set sshd unbanip 203.0.113.5. If nothing arrives, check the spam folder and the MTA's log (for example /var/log/mail.log) before suspecting Fail2ban.