Preventing Brute Force Attacks With Fail2ban

Preventing Brute Force Attacks With Fail2ban on blackPanther OS/Server

In this article I will show how to install and configure fail2ban on a blackPanther xS system. Fail2ban is a tool that watches the log files of various services (e.g. SSH, FTP, SMTP, Apache), and if it finds repeated failed login attempts from the same IP address or host, it stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

In this example I will configure fail2ban to monitor login attempts to the SSH server, the Proftpd server, .htaccess/.htpasswd-protected web sites, Courier POP3 and Courier IMAP, and SASL (for sending emails). I will install the fail2ban package that is available for blackPanther OS and then create a customized fail2ban configuration that I have tested and that works for me.

2 Installing fail2ban

Before we install any packages, we must update the package repositories. Type:

# updating repos

or press the Update button in the software manager.

Fail2ban can be installed as follows:

# installing fail2ban

Then we start fail2ban:

# service fail2ban start

You will find all fail2ban configuration files in the /etc/fail2ban directory.

3 Configuring fail2ban

An example configuration can be downloaded [here]. The default behaviour of fail2ban is configured in the file /etc/fail2ban/jail.conf. Take a look at it; it’s not hard to understand. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections.

I explain some of the configuration options here:

  • ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban. For example, if the computer from which you’re connecting to the server has a static IP address, you might want to list it here.
  • bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
  • maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
  • filter: Refers to the appropriate filter file in /etc/fail2ban/filter.d.
  • action: Refers to the appropriate action file in /etc/fail2ban/action.d.
  • logpath: The log file that fail2ban checks for failed login attempts.
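
To make the interplay of ignoreip, maxretry, findtime and bantime concrete, here is a small Python model of a single jail fed with constructed sshd log lines. This is an added example, not fail2ban's own code or the author's configuration: the regex is a simplified version of the sshd filter, findtime (the window within which maxretry failures must occur) is a fail2ban option the list above does not mention, and all IP addresses, hostnames and log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified failregex from fail2ban's filter.d/sshd.conf (assumption: one pattern only).
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

class Jail:
    """One jail: maxretry failures inside findtime => ban for bantime seconds."""
    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=()):
        self.maxretry, self.findtime = maxretry, timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = {}   # host -> timestamps of failures still inside findtime
        self.unban_at = {}   # host -> when its current ban expires
        self.bans = []       # hosts in the order the jail banned them
    def failed_login(self, now, host):
        """Record one failed login; return True when this one triggers a ban."""
        if host in self.unban_at and now < self.unban_at[host]:
            return False     # still banned: the firewall rule would have dropped this
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return False     # ignoreip hosts are never banned
        recent = [t for t in self.failures.get(host, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) < self.maxretry:
            return False
        del self.failures[host]            # counter starts over after a ban
        self.unban_at[host] = now + self.bantime
        self.bans.append(host)
        return True

def run_jail(lines, jail, year=2010):
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)  # syslog has no year
            jail.failed_login(ts, m["host"])
    return jail.bans

# Constructed sample: fast failures, failures 15 min apart (outside findtime), and an ignoreip host.
SAMPLE = """\
Aug 11 17:48:01 srv sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Aug 11 17:48:20 srv sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
Aug 11 17:50:00 srv sshd[1210]: Failed password for root from 203.0.113.9 port 51000 ssh2
Aug 11 18:05:00 srv sshd[1211]: Failed password for root from 203.0.113.9 port 51001 ssh2
Aug 11 18:21:00 srv sshd[1220]: Failed password for root from 192.0.2.10 port 60000 ssh2
Aug 11 18:21:05 srv sshd[1221]: Failed password for root from 192.0.2.10 port 60001 ssh2
""".splitlines()
```

Running `run_jail(SAMPLE, Jail(maxretry=2, ignoreip=["192.0.2.10"]))` bans only 198.51.100.7: the second host's failures fall outside findtime, and the third is on the ignore list.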

This is what my /etc/fail2ban/jail.conf file looks like:

# mcedit /etc/fail2ban/jail.conf

My client computer has a static IP address, and because I don’t want to be locked out, I’ve added it to the ignoreip list.

I want to control login attempts to SSH, Apache, Proftpd, Courier-POP3, Courier-IMAP, and SASL, so I’ve set enabled to true for these services and to false for all other services. Please note that some services such as SSH can be blocked either by iptables or by TCP Wrappers (/etc/hosts.deny). Decide for yourself which method you prefer.

Make sure to replace the email address with your own email address so that you get notified when someone gets blocked by fail2ban.

Whenever we modify the fail2ban configuration, we must restart fail2ban, so this is what we do now:

# service fail2ban restart

That’s it. Fail2ban logs to /var/log/fail2ban.log, so you can check that file to find out whether any hosts got blocked, and which ones. If a host got blocked by fail2ban, it looks like this:

2010-08-11 17:49:09,466 fail2ban.actions: WARNING [apache-tcpwrapper] Ban
2010-08-11 18:08:33,213 fail2ban.actions: WARNING [sasl-iptables] Ban
2010-08-11 18:26:37,769 fail2ban.actions: WARNING [courierlogin] Ban
2010-08-11 18:39:06,765 fail2ban.actions: WARNING [courierimap] Ban

You can also check your firewall to see if any hosts are currently blocked. Simply run:

iptables -L

For services that use TCP Wrappers to block hosts, take a look at /etc/hosts.deny instead.
