Debian 12 bookworm
Sponsored Link

Fail2Ban : Intrusion Prevention System2024/06/20

 

Install and configure [Fail2Ban] that is the kind of Intrusion Detection System.

[1] Install Fail2Ban.
root@dlp:~#
apt -y install fail2ban ufw
[2] The default configuration is defined in [/etc/fail2ban/jail.conf].
The default values ​​may change with package updates, so if you want to change the settings, create a [jail.local] file and modify it.
root@dlp:~#
vi /etc/fail2ban/jail.conf
# line 87 : ignore your own local IP
#ignoreself = true

# line 92 : possible to add ignored networks
#ignoreip = 127.0.0.1/8 ::1

# line 101 : number of seconds that a host is banned
# - 1m ⇒ 1 minutes
# - 1h ⇒ 1 houer
# - 1d ⇒ 1 day
# - 1mo ⇒ 1 month
# - 1y ⇒ 1 year
bantime  = 10m

# line 105 : A host is banned if it has generated "maxretry" during the last "findtime"
findtime  = 10m

# line 108 : "maxretry" is the number of failures before a host get banned
maxretry = 5

# line 132 : "backend" specifies the backend used to get files modification
backend = auto

# line 178 : destination email address if enabling email notification
destemail = root@localhost

# line 181 : sender address if enabling email notification
sender = root@<fq-hostname>

# line 268 : default action
# - %(action_)s ⇒ ban only
# - %(action_mw)s ⇒ band and email notification (includes Whois info)
# - %(action_mwl)s ⇒ band and email notification (includes Whois info and logs)
action = %(action_)s


root@dlp:~#
vi /etc/fail2ban/jail.local
# create new
# possible to override the default values
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 1d
findtime  = 5m
maxretry = 5
# if you installed Debian 12 only with [Standard system utilities],
# log management is only done by Journald and Rsyslog is not installed,
# so backend must be changed to systemd instead of auto
backend = systemd
destemail = root@localhost
sender = root@dlp.srv.world

root@dlp:~#
systemctl enable --now fail2ban
[3] By default, only the SSH service is enabled and monitored.
root@dlp:~#
fail2ban-client status

Status
|- Number of jail:      1
`- Jail list:   sshd

root@dlp:~#
ll /etc/fail2ban/jail.d

total 4
-rw-r--r-- 1 root root 22 Apr 21  2023 defaults-debian.conf

root@dlp:~#
vi /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true

# possible to override the default values by service
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

root@dlp:~#
systemctl reload fail2ban
# show status

root@dlp:~#
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# some hosts that exceed the threshold are banned

root@dlp:~#
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203

# actual ban action is controlled by iptables-nft

root@dlp:~#
nft list ruleset

table ip filter {
        chain f2b-sshd {
                ip saddr 10.0.0.203 counter packets 1 bytes 60 reject
                counter packets 0 bytes 0 return
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                meta l4proto tcp tcp dport 22 counter packets 1 bytes 60 jump f2b-sshd
        }
}

# if enabled email notifications, you will receive the following email

root@dlp:~#
mail

"/var/mail/root": 1 messages 1 new 1 unread
>N   1 Fail2Ban           Thu Jun 20 12:31  91/3298  [Fail2Ban] sshd: banned 1
? 1
Return-Path: <root@dlp.srv.world>
X-Original-To: root@localhost
Delivered-To: root@localhost
Received: by dlp.srv.world (Postfix, from userid 0)
        id 2439622FB; Thu, 20 Jun 2024 12:31:42 +0900 (JST)
Subject: [Fail2Ban] sshd: banned 10.0.0.203 from dlp.srv.world
Date: Thu, 20 Jun 2024 12:31:41 +0900
From: Fail2Ban <root@dlp.srv.world>
To: root@localhost
Message-Id: <20240620033142.2439622FB@dlp.srv.world>

Hi,

The IP 10.0.0.203 has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 10.0.0.203 :
.....
.....
[4] If you want to manually add or remove banned hosts, run the following.
root@dlp:~#
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   10.0.0.203

# unban [10.0.0.203]

root@dlp:~#
fail2ban-client set sshd unbanip 10.0.0.203

1
root@dlp:~#
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     2
   `- Banned IP list:

# ban [10.0.0.192/28]

root@dlp:~#
fail2ban-client set sshd banip 10.0.0.192/28

1
root@dlp:~#
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     3
   `- Banned IP list:   10.0.0.192/28

# to remove all banned hosts, run like follows

root@dlp:~#
fail2ban-client unban --all

[5] [jail.conf] has many predefined services other than SSH, so you can set them as monitoring targets by specifying the definition name.
root@dlp:~#
grep '^\[' /etc/fail2ban/jail.conf | tail -n +3

[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
.....
.....

# for example, set up Apache2 Basic authentication

root@dlp:~#
vi /etc/fail2ban/jail.d/apache-auth.conf
# create new

[apache-auth]
enabled = true
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

# for example, set up Vsftpd

root@dlp:~#
vi /etc/fail2ban/jail.d/vsftpd.conf
# create new

[vsftpd]
enabled = true
action = %(action_mw)s

# for example, set up Postfix SASL

root@dlp:~#
vi /etc/fail2ban/jail.d/postfix-sasl.conf
# create new

[postfix-sasl]
enabled = true
action = %(action_mw)s

root@dlp:~#
systemctl reload fail2ban
root@dlp:~#
fail2ban-client status

Status
|- Number of jail:      4
`- Jail list:   apache-auth, postfix-sasl, sshd, vsftpd

# verify settings by failing authentication manually

root@dlp:~#
fail2ban-client status apache-auth

Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/apache2/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.5

root@dlp:~#
fail2ban-client status vsftpd

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/vsftpd.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203
Matched Content