Stop the attacks with Fail2ban

There are lots of ways to protect servers. It is best to follow the way the army works, or how animals work in the wild. First and foremost you armour up: the firewall and good passwords are IT armour. Next you can camouflage. Although it's less effective nowadays, I would still say put things like SSH on a different port. You will still get attacked, so set strict passwords, but it slows down the attacks. Finally, use a sentry to keep a look out. In terms of servers that means a program that watches for people trying to hack into the server and blocks them. Enter Fail2ban. It watches your log files and, if it sees consistent attacks from a certain host, blocks that host.

There are therefore two main things to configure in Fail2ban – the filter (which logs to follow and what to look for) and the action (what to do). These get put in the jail configuration file. For Fail2ban I would recommend leaving the default configuration alone and creating a new file for this install.

Start by installing it.

apt update

apt install fail2ban

Fail2ban's configuration files live in /etc/fail2ban/. The default configuration is jail.conf; rather than changing that file you are advised to create a new configuration based on it under jail.local, so we create one by copying the default file.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit /etc/fail2ban/jail.local

The first line to change is "ignoreip =". This defines IP addresses that Fail2ban ignores when reading the logs. Obviously local networks and any remote servers or networks you control should go in here.

so change the line –

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.0.0/24 8.8.8.8 [YOUR IPs HERE]

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.0.0/24 8.8.8.8 81.187.157.0/25 88.96.156.192/29 88.96.141.$

bantime = 360
maxretry = 3

Next we change the action parameter. This sets the action to apply if Fail2ban sees an active attack. I suggest at this point just going for route. This simply adds a dummy (unreachable) route for the offending IP address. Other actions use things like iptables and can block just the port being attacked, but for now just stick to route.

Again, make sure you put your local IP range under ignoreip in case you lock yourself out!

#
# ACTIONS
#

banaction = route

Next set some other defaults.

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

Now add some specific rules for specific services. For example –

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

So this says keep watching /var/log/auth.log for failed logins on SSH and if you see three failures from a certain IP address

If you have SSH enabled (on whatever port you want) I would recommend always enabling this as SSH is attacked a lot.
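To make the pieces of the [ssh] jail concrete (filter, ignoreip, maxretry, the findtime window and the route action), here is a small stand-alone re-implementation of what Fail2ban does with them. It is an added example written for this article, not Fail2ban's own code; the auth.log lines, hosts and times are constructed, and the filter pattern is a simplified form of the one in filter.d/sshd.conf.

```python
"""Mini Fail2ban jail, written for this article as an illustration (constructed
example, not Fail2ban's own code): apply an sshd-style filter to auth.log lines,
honour ignoreip / maxretry / findtime, emit the 'route' action per banned host."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified version of the "Failed password" pattern in filter.d/sshd.conf
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth.log lines; hosts, users and times are made up
SAMPLE_LOG = """\
Mar  3 10:15:01 srv sshd[4011]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 10:15:03 srv sshd[4011]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 10:15:06 srv sshd[4011]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  3 10:16:00 srv sshd[4020]: Failed password for root from 192.168.0.7 port 40000 ssh2
Mar  3 10:16:01 srv sshd[4020]: Failed password for root from 192.168.0.7 port 40000 ssh2
Mar  3 10:16:02 srv sshd[4020]: Failed password for root from 192.168.0.7 port 40000 ssh2
Mar  3 10:20:00 srv sshd[4033]: Failed password for invalid user pi from 198.51.100.9 port 33000 ssh2
Mar  3 10:40:00 srv sshd[4050]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  3 10:41:00 srv sshd[4060]: Failed password for invalid user pi from 198.51.100.9 port 33001 ssh2
Mar  3 10:42:00 srv sshd[4061]: Failed password for invalid user pi from 198.51.100.9 port 33002 ssh2
"""

def find_bans(log_text, ignoreip="127.0.0.1/8 192.168.0.0/24", maxretry=3, findtime=600):
    """Return {ip: action command} for every host that trips the jail."""
    # strict=False so host-style masks like 127.0.0.1/8 are accepted, as Fail2ban does
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # line does not match the filter (e.g. a successful login)
        ip = m.group("ip")
        if ip in bans or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue  # already banned, or whitelisted by ignoreip
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        # drop failures older than findtime, then record this one
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) >= maxretry:
            bans[ip] = f"ip route add unreachable {ip}"  # what banaction = route runs
    return bans
```

With the defaults only 203.0.113.45 is banned: 192.168.0.7 is covered by ignoreip, and 198.51.100.9 spreads its three failures over more than findtime seconds, which is exactly why a short findtime lets slow attackers through.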

After a while running

ip route

might show lines such as

unreachable 89.252.246.3
unreachable 193.56.28.145
unreachable 193.56.28.193
unreachable 193.169.252.206
unreachable 212.70.149.5

This means these hosts have tried to SSH in and failed 3 times, so they have been banned with a route entry.

Take a look under /etc/fail2ban/filter.d/ for other filters you can use. For email servers I suggest using the postfix or exim filters as they cover lots of attempted attacks. Just follow the ssh config in jail.local.

For example

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

Just run

service fail2ban restart

when done.