Fail2Ban : Intrusion Prevention System2024/06/20 |
|
Install and configure [Fail2Ban] that is the kind of Intrusion Detection System. |
|
| [1] | Install Fail2Ban. |
|
root@dlp:~# apt -y install fail2ban ufw
|
| [2] | The default configuration is defined in [/etc/fail2ban/jail.conf]. The default values may change with package updates, so if you want to change the settings, create a [jail.local] file and modify it. |
|
root@dlp:~#
vi /etc/fail2ban/jail.conf # line 87 : ignore your own local IP #ignoreself = true # line 92 : possible to add ignored networks #ignoreip = 127.0.0.1/8 ::1 # line 101 : number of seconds that a host is banned # - 1m ⇒ 1 minutes # - 1h ⇒ 1 houer # - 1d ⇒ 1 day # - 1mo ⇒ 1 month # - 1y ⇒ 1 year bantime = 10m # line 105 : A host is banned if it has generated "maxretry" during the last "findtime" findtime = 10m # line 108 : "maxretry" is the number of failures before a host get banned maxretry = 5 # line 132 : "backend" specifies the backend used to get files modification backend = auto # line 178 : destination email address if enabling email notification destemail = root@localhost # line 181 : sender address if enabling email notification sender = root@<fq-hostname> # line 268 : default action # - %(action_)s ⇒ ban only # - %(action_mw)s ⇒ band and email notification (includes Whois info) # - %(action_mwl)s ⇒ band and email notification (includes Whois info and logs) action = %(action_)s
root@dlp:~#
vi /etc/fail2ban/jail.local # create new # possible to override the default values [DEFAULT] ignoreip = 127.0.0.1/8 ::1 bantime = 1d findtime = 5m maxretry = 5 # if you installed Debian 12 only with [Standard system utilities], # log management is only done by Journald and Rsyslog is not installed, # so backend must be changed to systemd instead of auto backend = systemd destemail = root@localhost sender = root@dlp.srv.world systemctl enable --now fail2ban
|
| [3] | By default, only the SSH service is enabled and monitored. |
|
root@dlp:~# fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshdroot@dlp:~# ll /etc/fail2ban/jail.d total 4 -rw-r--r-- 1 root root 22 Apr 21 2023 defaults-debian.conf
root@dlp:~#
vi /etc/fail2ban/jail.d/defaults-debian.conf [sshd] enabled = true # possible to override the default values by service bantime = 600 findtime = 3m maxretry = 5 action = %(action_mw)s
root@dlp:~#
systemctl reload fail2ban
# show status root@dlp:~# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list: # some hosts that exceed the threshold are banned root@dlp:~# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 10.0.0.203 # actual ban action is controlled by iptables-nft root@dlp:~# nft list ruleset
table ip filter {
chain f2b-sshd {
ip saddr 10.0.0.203 counter packets 1 bytes 60 reject
counter packets 0 bytes 0 return
}
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp tcp dport 22 counter packets 1 bytes 60 jump f2b-sshd
}
}
# if enabled email notifications, you will receive the following email root@dlp:~# mail
"/var/mail/root": 1 messages 1 new 1 unread
>N 1 Fail2Ban Thu Jun 20 12:31 91/3298 [Fail2Ban] sshd: banned 1
? 1
Return-Path: <root@dlp.srv.world>
X-Original-To: root@localhost
Delivered-To: root@localhost
Received: by dlp.srv.world (Postfix, from userid 0)
id 2439622FB; Thu, 20 Jun 2024 12:31:42 +0900 (JST)
Subject: [Fail2Ban] sshd: banned 10.0.0.203 from dlp.srv.world
Date: Thu, 20 Jun 2024 12:31:41 +0900
From: Fail2Ban <root@dlp.srv.world>
To: root@localhost
Message-Id: <20240620033142.2439622FB@dlp.srv.world>
Hi,
The IP 10.0.0.203 has just been banned by Fail2Ban after
5 attempts against sshd.
Here is more information about 10.0.0.203 :
.....
.....
|
| [4] | If you want to manually add or remove banned hosts, run the following. |
|
root@dlp:~# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 10.0.0.203 # unban [10.0.0.203] root@dlp:~# fail2ban-client set sshd unbanip 10.0.0.203 1 fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 0 |- Total banned: 2 `- Banned IP list: # ban [10.0.0.192/28] root@dlp:~# fail2ban-client set sshd banip 10.0.0.192/28 1 fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 6 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 3 `- Banned IP list: 10.0.0.192/28 # to remove all banned hosts, run like follows root@dlp:~# fail2ban-client unban --all |
| [5] | [jail.conf] has many predefined services other than SSH, so you can set them as monitoring targets by specifying the definition name. |
|
root@dlp:~# grep '^\[' /etc/fail2ban/jail.conf | tail -n +3 [sshd] [dropbear] [selinux-ssh] [apache-auth] [apache-badbots] [apache-noscript] [apache-overflows] [apache-nohome] [apache-botsearch] [apache-fakegooglebot] [apache-modsecurity] ..... ..... # for example, set up Apache2 Basic authentication root@dlp:~# vi /etc/fail2ban/jail.d/apache-auth.conf # create new [apache-auth] enabled = true bantime = 600 findtime = 3m maxretry = 5 action = %(action_mw)s # create new [vsftpd] enabled = true action = %(action_mw)s # create new [postfix-sasl] enabled = true action = %(action_mw)s
root@dlp:~#
root@dlp:~# systemctl reload fail2ban
fail2ban-client status Status |- Number of jail: 4 `- Jail list: apache-auth, postfix-sasl, sshd, vsftpd # verify settings by failing authentication manually root@dlp:~# fail2ban-client status apache-auth Status for the jail: apache-auth |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- File list: /var/log/apache2/error.log `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 10.0.0.5root@dlp:~# fail2ban-client status vsftpd Status for the jail: vsftpd |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- File list: /var/log/vsftpd.log `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 10.0.0.203 |
| Sponsored Link |