Fail2ban
Fail2ban scans log files and bans IPs that show malicious signs such as repeated password failures, logins for non-existing users, probing for exploits, etc.
Generally Fail2ban is then used to update firewall rules to reject those IP addresses for a specified amount of time.
What does it do?
Fail2ban is a useful tool to keep your internet-facing server safe from harm. By default it is configured to monitor the SSH log and it will block addresses that repeatedly fail to log in to your machine.
Addresses are blocked according to the thresholds you set, and you can also specify how long the ban lasts.
The blocked addresses are put in a jail, which is basically a list of blocked IP addresses for one service. The real action happens in the background, where iptables creates a rule for the blocked IP that remains until the ban is dropped.
The configuration lets things run by themselves, but an e-mail can also be sent to alert you. I would not suggest doing that unless you are a fan of reading bulk e-mail. However, it might be useful if you run this on a private machine where any login attempt would be suspicious.
Installation
Often fail2ban is already part of your system or can be installed from your distribution's repositories. You need to enable fail2ban as a service that starts at boot so it will always protect your server.
Configuration
There are a lot of services you can protect by using modules (jails), and you can point a module at specific log files. So if you have a non-standard setup and run your services on different ports, you can adapt the module.
By default SSH is enabled, and in order to adapt your configuration you should copy the config file to a .local file and apply your changes there. This is because the default file might be overwritten when you update the software.
Within the fail2ban jail config file there are already a lot of templates for the services fail2ban can protect; you can either add more configuration or just run the defaults. You just need to enable the module in the configuration and restart fail2ban to activate it.
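To make the .conf/.local layering concrete, here is an added example (my own illustration, not code from fail2ban or from this article) that reads two constructed ini excerpts in the layout of jail.conf and jail.local with Python's configparser. The second file only lists the keys it changes; everything else is inherited from the first file and from its [DEFAULT] section. The file contents, addresses and times are made-up samples, not copies of the files fail2ban ships.

```python
"""Added example (not fail2ban's own code): how a jail.local overrides jail.conf.

fail2ban reads its ini-style jail.conf first and then jail.local, so every key
in .local replaces the same key from .conf while everything else is inherited.
The two excerpts below are constructed samples in that layout.
"""
import configparser

# Constructed stand-in for the distribution's jail.conf (never edit the real one).
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 10m
findtime = 10m
maxretry = 5
enabled  = false

[sshd]
port    = ssh
logpath = /var/log/auth.log

[recidive]
logpath  = /var/log/fail2ban.log
bantime  = 1d
findtime = 1d
maxretry = 5
"""

# Constructed jail.local: only the differences from jail.conf go here.
JAIL_LOCAL = """
[DEFAULT]
# your own addresses, so a mistyped password never locks you out
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 1h

[sshd]
enabled = true

[recidive]
enabled = true
bantime = 1w
"""


def load_jails(conf_text: str, local_text: str) -> configparser.ConfigParser:
    """Layer the .local excerpt on top of the .conf excerpt, like fail2ban does."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    cfg.read_string(local_text)  # second read: matching keys are replaced
    return cfg


def effective_settings(cfg: configparser.ConfigParser, jail: str) -> dict:
    """Return the values fail2ban would actually use for one jail."""
    return {
        "enabled": cfg.getboolean(jail, "enabled"),
        "maxretry": cfg.getint(jail, "maxretry"),
        "findtime": cfg.get(jail, "findtime"),
        "bantime": cfg.get(jail, "bantime"),
        "ignoreip": cfg.get(jail, "ignoreip").split(),
        "logpath": cfg.get(jail, "logpath"),
    }


def enabled_jails(cfg: configparser.ConfigParser) -> list:
    """Jails that ended up with enabled = true after layering."""
    return [j for j in cfg.sections() if cfg.getboolean(j, "enabled")]


if __name__ == "__main__":
    cfg = load_jails(JAIL_CONF, JAIL_LOCAL)
    for jail in enabled_jails(cfg):
        print(jail, effective_settings(cfg, jail))
```

Running it shows sshd with the 1h bantime and the extra ignoreip entry from jail.local but the 10m findtime and maxretry 5 inherited from jail.conf, which is exactly why a package upgrade replacing jail.conf leaves your customisations intact.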
Practical use
I run a couple of servers directly on the internet, one of them is my PiAware setup on a Raspberry Pi. From the moment I connected it to the internet I noticed that there were a lot of attempts to log into SSH. Seeing the Raspberry is part of my infrastructure I don't want it to become a backdoor into that infrastructure. While it runs in a separate VLAN I still would like to take away any possibility to abuse it or get a DDoS.
As a start I adapted the configuration of the SSH daemon to block the root user and set some limits on the number of times a user can try to log in. This seemed to help a bit, but I still noticed a number of IPs trying to log in over and over again using default system accounts.
So I installed fail2ban and just started with the default template, and immediately addresses started to be banned. The traffic dropped and the SSH logging became quieter. Only I noticed that some IPs just returned after their ban was lifted. I checked some more documentation on fail2ban and learned about the recidive module. This module can be configured to put IP addresses in a permanent ban, so you get rid of them for a longer duration. 96 years seems enough for me.
Why not enable this by default? Well, it would also block out honest users forever. If you happen to put in the wrong password you get blocked even if you have an account.
There is an ignoreip option to ignore specific IPs, which can be helpful to prevent you from being blocked on your own server. Always be sure to configure ignoreip with your own IP, and perhaps two if you happen to be a customer of a provider that changes IPs without telling you.
So unless you have your machine local, make sure to set ignoreip immediately or be ready to visit the datacenter!
Other services
Since I run a lot of services on my webserver I have fail2ban running there as well. I checked all my internet-facing services and configured the modules related to those services. I had already created iptables rules for the services, but that is just a static configuration. The modules filter the log files and act on specific events like logins, so they are more interactive with the log file than a static rule.
I noticed a lot of attempts to log in to MySQL and php-admin pages, so I activated modules for these services as well.
Status
Once fail2ban is running you can get details about its status using the command-line client fail2ban-client. By default it outputs the enabled modules. When you check a specific module you can see the IPs being banned. This can be useful to find out if someone who should have access is actually being blocked.
Ban IP
While fail2ban does a good job, you might want to ban an IP address manually, and the fail2ban client allows for that.
Unban IP
Using fail2ban-client you can unban an IP to enable a user to log in again. From there you can check what is going wrong if the situation persists. Perhaps there is an incorrect password, or the user is connecting from a different IP than allowed.
fail2ban-client set sshd unbanip 'ip'
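When you check whether a user who should have access has landed in a jail, the place to look is the "Banned IP list" line of fail2ban-client status. Here is an added example (mine, not part of fail2ban or this review) that parses that tree-shaped output into a dictionary and answers "is this address banned in the sshd jail?". The sample output is constructed in the layout fail2ban-client prints, but the counts and addresses are made up; the live_status helper only calls the real client when it is installed and is an assumption about running it with enough privileges.

```python
"""Added example (not part of fail2ban): read `fail2ban-client status <jail>`
output and answer "is this address currently banned in that jail?".

The tree-like text below follows the layout fail2ban-client prints for a jail,
but the numbers and addresses are constructed samples.
"""
import re
import shutil
import subprocess
from typing import Optional

SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:\t3
|  |- Total failed:\t1258
|  `- File list:\t/var/log/auth.log
`- Actions
   |- Currently banned:\t2
   |- Total banned:\t417
   `- Banned IP list:\t198.51.100.7 203.0.113.45
"""

# Strip the tree drawing (| ` - and spaces) and split "name: value".
FIELD = re.compile(r"^[|` \t-]*([A-Za-z ]+?):\s*(.*)$")


def parse_jail_status(text: str) -> dict:
    """Turn the tree output into a dict keyed by field name."""
    status = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:  # headings like "|- Filter" carry no value
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key.endswith("list"):
            status[key] = value.split()   # File list / Banned IP list
        elif value.isdigit():
            status[key] = int(value)
        else:
            status[key] = value
    return status


def is_banned(status: dict, ip: str) -> bool:
    """True if the address appears in the jail's current ban list."""
    return ip in status.get("Banned IP list", [])


def live_status(jail: str) -> Optional[dict]:
    """Query the running fail2ban when the client is installed (needs root)."""
    if shutil.which("fail2ban-client") is None:
        return None
    out = subprocess.run(["fail2ban-client", "status", jail],
                         capture_output=True, text=True, check=False)
    return parse_jail_status(out.stdout) if out.returncode == 0 else None


if __name__ == "__main__":
    status = live_status("sshd") or parse_jail_status(SAMPLE_STATUS)
    print("currently banned:", status["Banned IP list"])
    for ip in ("203.0.113.45", "203.0.113.10"):  # constructed addresses
        print(ip, "banned" if is_banned(status, ip) else "not banned")
```

If an address that should have access shows up in the list, the counterpart of the unban command above is the manual ban, fail2ban-client set sshd banip followed by the address; both only touch the jail you name, so check the right jail when a service other than SSH is involved.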
Troubleshooting Tool
I use fail2ban to see what people are trying to do on my server beyond just browsing my content. The fail2ban log provides me with information and clues on what to secure next. Using GoAccess I inspect the underlying log files to see which URLs are being requested, and I put cat pictures on those URLs as stress relief.
GoAccess helped me to determine which modules I needed to activate in fail2ban, and it can also help you to see what people are trying to do, including opening the default pages of internet services. Most often this is done by bots and scripts, so it is automated and causes errors on your webserver, potentially affecting performance. So it is good practice to either block traffic to these URLs or just put bogus content there so there will be no errors.
Google Bots
If you do not like Google snooping around on your website and stealing e-mail addresses, you can use the apache-badbots module to block these attempts.
Documentation
If you need more information after reading this review, check the official page here:
https://www.fail2ban.org/wiki/index.php/Main_Page
Tips and tricks
If you configure a module and fail2ban starts to crash, you might consider removing the sqlite file and restarting.
rm -rf /var/lib/fail2ban/fail2ban.sqlite3
Buy me a coffee
If you would like me to build more interesting projects, support me here:
https://www.buymeacoffee.com/PhenixOps