Protecting Your Linux Server from Brute Force Attacks with Fail2Ban

Syed R Ali
6 min read, Jan 20, 2020
[Image: What is a brute force attack? (image by mrsecurity from mrsecurity)]

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases in the hope of eventually guessing one correctly. The attacker systematically checks possible passwords and passphrases until the correct one is found. In a standard attack, the attacker picks a target username and runs a list of candidate passwords against it; these are known as dictionary attacks.

Automated tools are also available to help with brute-force attacks, with names like Brutus, Medusa, THC Hydra, Ncrack, John the Ripper and Aircrack-ng. Many can find a single dictionary-word password within one second. Tools like these work against many network protocols, such as SSH, FTP and SMTP.

[Image: Automated tool making brute force attacks (image by Etechwall from Etechwall)]

Fail2Ban is an intrusion-prevention software framework that protects servers from brute-force attacks. Written in Python, it runs on POSIX systems that have an interface to a packet-control system or firewall, for example iptables or TCP Wrappers.

It operates by monitoring log files for selected entries and running scripts based on them. Most commonly it is used to block the IP addresses of hosts that appear to be trying to breach the system's security: it can ban any host that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator.

[Image: CentOS Linux system logs (image by Inder from 24x7servermanagement)]

Almost all log files on Linux are located under the /var/log directory and its subdirectories. You need to be the root user to view or access them. Logs are written by the rsyslogd service, a system utility that provides message logging.

Support for both internet and local domain sockets lets it handle both local and remote logging. /var/log is where you should find all Linux log files; however, some applications, such as httpd, keep their own log files in a subdirectory under /var/log.

[Image: iptables output (image source unknown)]

iptables is a user-space utility that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as Netfilter modules) and the chains and rules they store.

iptables is the user-space tool, the part that you, the user, interact with at the command line to enter firewall rules into predefined tables. Netfilter is the kernel component that does the actual packet filtering.

iptables almost always comes pre-installed on Linux distributions. You can view the rules currently in effect with the following command:

iptables -L -v

[Image: Fail2Ban logo (image by fail2ban from fail2ban)]

First, to install Fail2Ban, you need to enable the Extra Packages for Enterprise Linux (EPEL) repository. EPEL is a free, open-source, community-based repository project from the Fedora team that provides high-quality add-on packages for Linux distributions including Red Hat Enterprise Linux, CentOS and Scientific Linux.

EPEL provides easy-to-install packages for commonly used enterprise software. On an RPM-based distribution such as one of those mentioned above, run the first command to enable the repository and the second to install Fail2Ban:

yum install epel-release
yum install fail2ban

[Image: The netstat command (image by Brian Gomes Bascoy from Wikipedia)]

Next, check which services you have running, since each of these will need to be enabled for monitoring in Fail2Ban. netstat, the network statistics utility, displays information about network connections, interface statistics, routing tables and more. It is available on most Linux systems, so use it to see which ports each listening process is using:

netstat -ltnp

The default Fail2Ban configuration file is /etc/fail2ban/jail.conf. You should not edit this file directly, because a package upgrade can overwrite it; instead, make a local copy (jail.local), whose settings override those in jail.conf, and do your configuration work there.

[Image: Basic Fail2ban configurations (image by Josphat Mutai from ComputingForGeeks)]

Copy the default Fail2Ban configuration file and then open up the new configuration file in the text editor of your choice:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

The first section, [DEFAULT], covers the basic rules that Fail2Ban will follow unless a jail overrides them. If you want to customise protection for your server, you can change the details in each section. If you connect to your server from a client machine with a static IP, add that address to the ignoreip setting so you cannot lock yourself out. The default section is shown below.

[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# External command that takes tagged arguments to ignore, e.g. <ip>,
# and returns true if the IP is to be ignored, false otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

If you want email alerts, review the destemail, sendername and mta settings. destemail sets the address that receives ban messages, sendername sets the "From" field of the email, and mta configures which mail service Fail2Ban uses to send it.

destemail = root@localhost
sendername = Fail2Ban
mta = sendmail

When Fail2Ban monitors the logs of a service, it applies a filter written specifically for that service. The filter identifies authentication failures for that service using regular expressions. A jail is the combination of one filter and one or more actions, and Fail2Ban can run several jails at the same time. By default, every service jail is disabled, and that should stay the default: enable only the jails for services you actually run, and set the port if the service listens on a nonstandard one. For example, for sshd on port 20000:

[sshd]
enabled = true
port = 20000
logpath = %(sshd_log)s
backend = %(sshd_backend)s
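The ban logic described above, reduced to a short simulation (an added example, not Fail2Ban's own code): it applies a simplified version of the sshd filter's regex to constructed log lines and enforces maxretry, findtime, bantime and ignoreip with the semantics the [DEFAULT] section defines. The spread-out failures from 192.0.2.50 never reach maxretry inside one findtime window, while 203.0.113.7 is banned on its fifth failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Simplified form of what fail2ban's sshd filter matches (fail2ban writes the
# address as <HOST> in its failregex and expands it to a pattern like this one).
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+"
                     r" from (?P<ip>[0-9a-f.:]+) port \d+")

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_LOG = """\
Jan 20 09:40:00 host sshd[900]: Failed password for root from 192.0.2.50 port 3001 ssh2
Jan 20 09:45:00 host sshd[901]: Failed password for root from 192.0.2.50 port 3002 ssh2
Jan 20 09:50:00 host sshd[902]: Failed password for root from 192.0.2.50 port 3003 ssh2
Jan 20 09:55:00 host sshd[903]: Failed password for root from 192.0.2.50 port 3004 ssh2
Jan 20 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 20 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 20 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 20 10:00:12 host sshd[1004]: Accepted publickey for deploy from 198.51.100.9 port 50000 ssh2
Jan 20 10:00:14 host sshd[1005]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 20 10:00:20 host sshd[1006]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 20 10:01:00 host sshd[1008]: Failed password for root from 192.0.2.50 port 3005 ssh2
"""

def syslog_seconds(line):
    """Seconds for a 'Mon DD HH:MM:SS' syslog prefix (no year; only differences matter)."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()

def find_bans(log_text, maxretry=5, findtime=600, bantime=600, ignoreip=("127.0.0.1/8",)):
    """jail.conf semantics: ban a host for bantime seconds once it has maxretry
    failures inside a findtime-second window, unless it matches ignoreip."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    bans = {}                    # ip -> (ban_start, ban_end)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue             # not an authentication failure
        ip, ts = m.group("ip"), syslog_seconds(line)
        if ip in bans or any(ip_address(ip) in net for net in ignored):
            continue             # already banned, or whitelisted via ignoreip
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + bantime)  # the jail's action then adds the firewall rule
    return bans
```

In the real service the ban is enforced by the jail's action, which inserts an iptables rule into a chain named f2b-sshd (fail2ban-sshd on older releases), and `fail2ban-client status sshd` lists the currently banned addresses.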

After making any changes to the Fail2Ban configuration, always restart the service so that they take effect:

sudo service fail2ban restart

If you are using iptables as your firewall, you can then see the rules that Fail2Ban has put in effect by listing the current rules:

iptables -L

[Image: Fail2Ban log example (image by Daniel Aleksandersen from Ctrl Blog)]

Your server should now be protected against brute-force attacks, with Fail2Ban watching the log files under /var/log for your running services and taking the appropriate blocking action.
