Are you worried about your server being brute-forced? Are you still worried that floods of malicious requests will make your service unavailable? Today I bring you an open source protection tool, "Fail2ban", which will help you sleep soundly. The background is that I have a public IP address at home, which maps an internal Linux machine to the outside so that I can reach my home network from anywhere. Today, when I looked at the log, I found that SSH logins had failed thousands of times. As a security-conscious person, I had to find a way to stop all this.

Many people think the best first step is a whitelist. Allowing only designated IP addresses to reach home is indeed a good approach, but the network environment outside changes all the time (mobile data one moment, someone else's Wi-Fi the next), so a static whitelist is not practical. To keep the machine reachable while still blocking "illegal" users, we turn to Fail2ban. Today we will try it out together. Once you have learned it, you can apply the same idea elsewhere: it ships with many built-in rules, and a small modification plus enabling them can achieve surprisingly good results.

Introduction

(The following introduction was generated by ChatGPT.) Fail2ban is an open source security tool that automatically blocks attacks and brute-force attempts from malicious IP addresses. It monitors log files, such as those of SSH, HTTP, FTP and other services, and detects and responds to malicious activity according to user-defined rules.

Fail2ban works as follows:

  1. Monitoring log files: Fail2ban watches the specified log files, such as those of SSH, HTTP, FTP and other services.
  2. Matching rules: Fail2ban matches log lines against user-defined rules (called "filters"). Rules are usually regular expressions that identify malicious behaviour, such as failed login attempts and malicious requests.
  3. Triggering a response: when a rule is matched often enough, Fail2ban triggers the defined response action, such as adding the attacker's IP address to a firewall rule to block its access, or sending an email alert to the administrator.
  4. Automatic unblocking: Fail2ban can automatically unban blocked IP addresses after a period of time, to avoid locking out legitimate users permanently by mistake.

The advantages of Fail2ban include:

  • It blocks malicious behaviour automatically and reduces the administrator's workload.
  • It can be configured flexibly with user-defined rules.
  • Automatic unbanning is supported, so legitimate users are not blocked by mistake forever.
  • It integrates with other security tools (such as firewalls) to improve security.

But Fail2ban also has some disadvantages, such as:

  • Some advanced attacks (for example, slow or widely distributed attempts that stay below the retry threshold) may not be defended against effectively.
  • In some cases legitimate users may be blocked by mistake, for example when multiple users share the same IP address behind NAT.
  • Some configuration and management work is required to keep it effective and secure.

In general, Fail2ban is a very useful security tool that helps administrators automatically block malicious activity and improve the security and stability of the system.

Fail2ban official website: http://www.fail2ban.org/

Github open source address: https://github.com/fail2ban/fail2ban

Hands-on practice

1. Install Fail2ban

 # Ubuntu. This walkthrough uses Ubuntu 22.04.1 LTS with Fail2ban v0.11.2
 sudo apt install fail2ban
 # CentOS
 sudo yum install fail2ban

2. Understanding the Fail2ban directory

Fail2ban ships with many default configurations after installation. Simply put, it can be enabled directly without any configuration. Fail2ban's configuration lives in the /etc/fail2ban directory by default. The file tree is as follows:

 /etc/fail2ban/
 ├── action.d          # Various actions; many commonly used ones are provided by default
 │   ├── dummy.conf
 │   ├── hostsdeny.conf
 │   ├── iptables.conf
 │   ├── mail-whois.conf
 │   ├── mail.conf
 │   ├── shorewall.conf
 │   ├── xxxxx.conf
 │   └── .......
 ├── fail2ban.conf     # Default configuration of the fail2ban server itself
 ├── fail2ban.d        # Startup configuration directory
 ├── filter.d          # Various filters; commonly used ones are provided by default
 │   ├── apache-auth.conf
 │   ├── apache-noscript.conf
 │   ├── couriersmtp.conf
 │   ├── postfix.conf
 │   ├── proftpd.conf
 │   ├── qmail.conf
 │   ├── sasl.conf
 │   ├── sshd.conf
 │   ├── xxxxx.conf
 │   └── .......
 ├── jail.conf         # Default monitoring (jail) configuration
 └── jail.d
     └── defaults-debian.conf   # SSH related configuration

It is recommended not to edit the default .conf files after installation. Instead, copy the defaults to .local files and make your personal changes there. This keeps later package upgrades painless, because Fail2ban reads the .conf file first and then overlays the .local file on top of it: any setting you changed wins, and every setting you did not touch keeps its default value.

3. Configure Fail2ban to enable SSH protection

  • Copy default configuration
 # Switch to the fail2ban directory
 cd /etc/fail2ban
 # Copy the default configuration
 sudo cp fail2ban.conf fail2ban.local
 # Copy the default jail configuration. If you don't want the full file, you can
 # create an empty jail.local instead and write only your own sections in it
 sudo cp jail.conf jail.local
  • Customize the SSH protection rules and edit the jail.local file, as shown below:

     # The DEFAULT section acts as the global configuration; if a setting is not
     # configured for an individual service, the value from DEFAULT is used
     [DEFAULT]
     ignoreip = 127.0.0.1/8 ::1
     bantime = 1h
     findtime = 1m
     maxretry = 3
     banaction = firewallcmd-ipset
     action = %(action_mwl)s
     # End of DEFAULT configuration

     # Start of sshd service configuration
     [sshd]
     enabled = true
     filter = sshd
     port = 22
     maxretry = 3
     findtime = 60
     bantime = -1
     action = %(action_mwl)s
     # End of sshd service configuration

    Parameters:

    • ignoreip : The whitelist of IP addresses that will never be banned; they hold a permanent "get out of jail free" card. The loopback address of the local host (127.0.0.1/8) and its IPv6 equivalent (::1) are in the list by default. If you are sure other addresses or CIDR ranges should never be banned, add them to this list, separated by spaces.
    • bantime : How long an IP address stays banned. A suffix of "m" means minutes and "h" means hours; a bare number is taken as seconds. A value of -1 bans the address permanently. Be very careful not to lock yourself out of your own machine; this is a very common beginner mistake.
    • findtime : The time window within which the failed attempts are counted. Too many failures inside this window get the IP address banned.
    • maxretry : The number of failures that counts as "too many".
    • banaction : The action used to apply a ban. firewallcmd-ipset drives firewalld, so it only works if firewalld is installed and running; on a host without firewalld, keep the default iptables-multiport from jail.conf instead.

    The above configuration means that the ssh service allows at most three failed attempts within a 60 s window. If this rule is violated, the source IP address is banned permanently.
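To make the interaction of findtime, maxretry, bantime and ignoreip concrete, and to illustrate the monitor/match/respond/unban cycle described in the introduction, here is an added Python sketch (my own illustration, not Fail2ban's code) that replays constructed auth.log lines through a simplified sshd failregex and applies the same sliding-window logic. The regex, the sample lines and the fixed year 2023 are assumptions for the demo.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the sshd filter's failregex; the real one in
# /etc/fail2ban/filter.d/sshd.conf covers many more message variants.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
# Constructed sample lines in /var/log/auth.log syslog format (not from a real host).
SAMPLE_LOG = """\
Aug  2 22:31:26 ubuntu-dev sshd[2906]: Failed password for root from 192.168.1.12 port 51234 ssh2
Aug  2 22:31:29 ubuntu-dev sshd[2907]: Failed password for invalid user admin from 192.168.1.12 port 51240 ssh2
Aug  2 22:31:33 ubuntu-dev sshd[2908]: Failed password for root from 192.168.1.12 port 51250 ssh2
Aug  2 22:31:40 ubuntu-dev sshd[2909]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Aug  2 22:35:00 ubuntu-dev sshd[2910]: Failed password for root from 10.0.0.5 port 40000 ssh2
Aug  2 22:37:00 ubuntu-dev sshd[2911]: Failed password for root from 10.0.0.5 port 40001 ssh2
Aug  2 22:39:00 ubuntu-dev sshd[2912]: Failed password for root from 10.0.0.5 port 40002 ssh2
"""

def is_ignored(ip, ignoreip):
    """ignoreip entries are single IPs or CIDR ranges, as in jail.local."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def evaluate(log, maxretry=3, findtime=60, ignoreip=("127.0.0.1/8", "::1")):
    """Replay the log; return {ip: time_of_ban} for every IP that reached maxretry
    matching failures inside a sliding findtime window (seconds). Year assumed 2023."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue                 # not a failure line: the filter ignores it
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        ts = datetime.strptime("2023 " + line[:15], "%Y %b %d %H:%M:%S")
        window = failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()         # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts            # the "Ban" action fires here
    return bans

def still_banned(bans, now, bantime):
    """IPs whose ban has not expired at `now`; bantime=-1 never expires."""
    if bantime == -1:
        return set(bans)
    return {ip for ip, t in bans.items() if (now - t).total_seconds() < bantime}
```

With the page's sshd settings (maxretry=3, findtime=60) only 192.168.1.12 is banned; 10.0.0.5 spreads its three failures over four minutes and slips under the window, which is exactly the "advanced attack" caveat from the introduction.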

4. Enable and verify whether Fail2ban takes effect

 # Start fail2ban
 sudo systemctl start fail2ban
 # Check the status. If it is running, check the configuration
 sudo fail2ban-client status
 # View the specific status of the sshd jail
 sudo fail2ban-client status sshd

The following contents are output by default:

 Status for the jail: sshd
 |- Filter
 |  |- Currently failed: 0
 |  |- Total failed:     0
 |  `- File list:        /var/log/auth.log
 `- Actions
    |- Currently banned: 0
    |- Total banned:     0
    `- Banned IP list:

Next, let's look at the status again after deliberately failing several SSH logins from one of our own machines:

 Status for the jail: sshd
 |- Filter
 |  |- Currently failed: 0
 |  |- Total failed:     6
 |  `- File list:        /var/log/auth.log
 `- Actions
    |- Currently banned: 0
    |- Total banned:     3
    `- Banned IP list:   192.168.1.12

As you can see, after the repeated SSH login failures my machine's IP appears in the Banned IP list, and from then on I can no longer connect over SSH at all. I had to get onto the server through the console (rather than SSH) and remove the banned IP. The command is:

fail2ban-client set sshd unbanip 192.168.1.12

Looking further at the fail2ban log, we can see every matched failure with its IP address, as well as the moments at which that IP was banned and unbanned.

 root@ubuntu-dev:~# tail -f /var/log/fail2ban.log
 2023-08-02 22:31:26,770 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:26
 2023-08-02 22:31:29,616 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:29
 2023-08-02 22:31:33,925 fail2ban.filter         [2906926]: INFO    [sshd] Found 192.168.1.12 - 2023-08-02 22:31:33
 2023-08-02 22:31:34,271 fail2ban.actions        [2906926]: NOTICE  [sshd] Ban 192.168.1.12
 2023-08-02 22:33:13,076 fail2ban.actions        [2906926]: NOTICE  [sshd] Unban 192.168.1.12

Summary

The above fully demonstrates how to use Fail2ban to protect an SSH service; by the same principle you can protect nginx, MySQL, Redis and your own self-built services. The documentation of many open source projects also describes how to configure Fail2ban for them, for example Gitea and Vaultwarden. While researching Fail2ban we also found people using Python scripts to parse the relevant log files, extract and count entries, and then add firewall blocks. Fail2ban works on exactly the same principle: define the log files to watch, filter out the entries of interest, and finally execute an action that adds a firewall rule.

Network security should not be underestimated. Data is priceless. Besides regular backups, we should also do our best to block threats. That is all for Fail2ban. If it sounds good, go and try it now.

Fail2ban Common Command Memo

  • fail2ban-client ping : Test whether the fail2ban service is up. If it is, it prints pong
  • fail2ban-server -V : Show the fail2ban version number
  • fail2ban-client status sshd : Show the status and banned IPs of a jail (here sshd, corresponding to the [sshd] section in jail.local)
  • fail2ban-client set sshd unbanip 192.168.1.12 : Remove a ban from a jail. This example unbans 192.168.1.12 in the sshd jail
  • fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf : Test whether a filter's rules match the log as expected
  • tail /var/log/fail2ban.log : View the Fail2ban log
  • fail2ban-client unban --all : Use with caution; clears all banned IP addresses in every jail

Reference articles

Use fail2ban from scratch

Introduction and use of Fail2Ban

Pagoda panel 6.x: install fail2ban + Firewalld to prevent CC attacks

Vaultwarden Fail2ban settings

Fail2ban setup to block users after failed login attempts
