Using fail2ban


Fail2ban is a very useful tool for banning IPs after a number of repeated failed login attempts. It is fully automated and works by checking /var/log/auth.log against a set of regular expressions.

In Debian you can install it as usual:

apt-get install fail2ban

But... what happened so I had to use fail2ban?

On Friday I had to set up our own SSH server using a Debian virtual machine (the server itself runs Windows) to get access to a remote shell. Today I found these logs:

luis     pts/6        178.124.133.40   Mon Dec 17 22:17 - 22:17  (00:00)    
luis     pts/6        178.124.133.40   Mon Dec 17 22:12 - 22:13  (00:00)    
luis     pts/6        178.124.133.40   Mon Dec 17 21:20 - 21:31  (00:11)    
luis     pts/6        178.124.133.40   Mon Dec 17 21:07 - 21:08  (00:01)    
luis     pts/6        178.124.133.40   Mon Dec 17 21:06 - 21:07  (00:01)    
... 
alex     pts/1        85.122.42.3      Mon Dec 17 09:14 - 09:15  (00:00)    
luis     pts/1        188.173.243.80   Mon Dec 17 07:44 - 07:45  (00:00)    
alex     pts/1        195.175.254.95   Mon Dec 17 07:28 - 07:28  (00:00)    
luis     pts/1        188.173.243.80   Sun Dec 16 22:01 - 22:02  (00:00)    
luis     pts/1        188.173.243.74   Sun Dec 16 14:23 - 14:25  (00:01)    
luis     pts/1        77-108-1-191-sta Sun Dec 16 01:15 - 03:15  (02:00)    
alex     pts/1        190.144.34.118   Sat Dec 15 18:53 - 18:53  (00:00)

Well, this is VERY bad news, and of course it showed me how much of a noob I am as a server admin. Fortunately, neither the luis nor the alex account had enough privileges to do anything. I immediately changed the passwords for those users and decided to put a limit on login attempts: 3 failed attempts = IP ban for 10 hours. This should be enough to discourage most of the script kiddies out there.

Using fail2ban was quite straightforward. I installed it from the official Debian repository and slightly edited /etc/fail2ban/jail.conf.

In the [DEFAULT] section I put:

# 10 hours ban
bantime  = 36000
maxretry = 3

And in the [ssh] section I commented out this line:

#maxretry = 6

Then I started the server:

$ sudo fail2ban-client start
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING 'findtime' not defined in 'apache-multiport'. Using default value
WARNING 'findtime' not defined in 'apache-overflows'. Using default value
WARNING 'findtime' not defined in 'couriersmtp'. Using default value
WARNING 'findtime' not defined in 'wuftpd'. Using default value
WARNING 'findtime' not defined in 'ssh'. Using default value
WARNING 'findtime' not defined in 'postfix'. Using default value
WARNING 'findtime' not defined in 'sasl'. Using default value
WARNING 'findtime' not defined in 'apache'. Using default value
WARNING 'findtime' not defined in 'courierauth'. Using default value
WARNING 'findtime' not defined in 'proftpd'. Using default value
WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
2012-12-18 17:56:26,862 fail2ban.server : INFO   Starting Fail2ban v0.8.4-SVN
2012-12-18 17:56:26,863 fail2ban.server : INFO   Starting in daemon mode

Check that it is running correctly:

$ sudo fail2ban-client ping
Server replied: pong

Then I ran some tests with failed logins (using a bantime of 1 minute, not 10 hours, of course...) and it effectively banned the IPs after 3 failed attempts :)

$ sudo tail fail2ban.log
2012-12-18 17:15:23,344 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-12-18 17:15:23,344 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-12-18 17:15:23,347 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-12-18 17:15:23,349 fail2ban.filter : INFO   Set maxRetry = 3
2012-12-18 17:15:23,352 fail2ban.filter : INFO   Set findtime = 600
2012-12-18 17:15:23,353 fail2ban.actions: INFO   Set banTime = 60
2012-12-18 17:15:23,415 fail2ban.jail   : INFO   Jail 'ssh' started
2012-12-18 17:16:10,576 fail2ban.actions: WARNING [ssh] Ban 192.168.1.61
2012-12-18 17:17:10,848 fail2ban.actions: WARNING [ssh] Unban 192.168.1.61
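To make the interplay of maxretry, findtime and bantime concrete, here is an added Python sketch of the counting logic the ssh jail applies to /var/log/auth.log. It is an example written for this page, not fail2ban's own code or the post's configuration; the sshd line format is Debian's, the sample log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the post's jail.conf; findtime is fail2ban's 600 s default
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=36000)

# Debian sshd failure line as written to /var/log/auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not the author's real log): 192.168.1.61 fails
# three times within 29 s, 10.0.0.7 fails three times but 15 min apart
SAMPLE_AUTH_LOG = """\
Dec 18 17:15:40 debian sshd[2101]: Failed password for luis from 192.168.1.61 port 50122 ssh2
Dec 18 17:15:52 debian sshd[2101]: Failed password for luis from 192.168.1.61 port 50122 ssh2
Dec 18 17:16:05 debian sshd[2103]: Accepted password for luis from 192.168.1.50 port 50130 ssh2
Dec 18 17:16:09 debian sshd[2105]: Failed password for invalid user admin from 192.168.1.61 port 50140 ssh2
Dec 18 17:16:30 debian sshd[2107]: Failed password for luis from 192.168.1.61 port 50150 ssh2
Dec 18 17:20:00 debian sshd[2110]: Failed password for alex from 10.0.0.7 port 40001 ssh2
Dec 18 17:35:00 debian sshd[2112]: Failed password for alex from 10.0.0.7 port 40002 ssh2
Dec 18 17:50:00 debian sshd[2114]: Failed password for alex from 10.0.0.7 port 40003 ssh2
""".splitlines()

def scan(lines, year=2012):
    """Return [(ip, ban_start, ban_end)]; syslog has no year, so one is assumed."""
    failures = defaultdict(deque)  # ip -> failure times inside the findtime window
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # e.g. "Accepted password" lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned; the iptables rule would drop this attempt
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:
            q.popleft()  # slide the window: failures older than findtime no longer count
        if len(q) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            q.clear()
    return bans
```

Running scan(SAMPLE_AUTH_LOG) bans only 192.168.1.61; the three failures from 10.0.0.7 never fall inside one 600 s window, which is why the findtime default reported in the start-up warnings deserves a conscious choice rather than being left implicit.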
