Rob's web

fail2ban

Installation

# dnf install fail2ban

Configuration

The daemon comes configured, but if you want to make changes you should not do it in the .conf files; put overrides in .local copies, which take precedence over the .conf files.

# ll /etc/fail2ban/
drwxr-xr-x. 2 root root  4096 Oct 26 13:55 action.d
-rw-r--r--. 1 root root  3017 Feb 23  2024 fail2ban.conf
drwxr-xr-x. 2 root root     6 Feb 23  2024 fail2ban.d
drwxr-xr-x. 3 root root  4096 Oct 26 14:56 filter.d
-rw-r--r--. 1 root root 25607 Feb 23  2024 jail.conf
drwxr-xr-x. 2 root root    53 Oct 26 15:23 jail.d
-rw-r--r--. 1 root root  2728 Feb 23  2024 paths-common.conf
-rw-r--r--. 1 root root   930 Feb 23  2024 paths-fedora.conf
# cd /etc/fail2ban/
# cp fail2ban.conf fail2ban.local
# cp jail.conf jail.local
# vi jail.local
[DEFAULT]
bantime = 1h
maxretry = 3
# cd jail.d/
# cp 00-firewalld.conf 00-firewalld.local
# vi 00-firewalld.local

Our system uses firewalld and not iptables, so the iptables ban actions have to be changed.

Find the following lines:

banaction = iptables-multiport
banaction_allports = iptables-allports

If they exist, replace them with the following lines:

banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

At this point, fail2ban is configured to work with Firewalld.

Settings in jail.local are global.

Starting

# systemctl start fail2ban
# systemctl enable fail2ban

Additional configuration

jail.conf is the main configuration file with all available options. It contains jail configurations for many services such as HTTP, FTP, SSH, Squid, Monit, Horde, Drupal and more. You only need to add "enabled = true" under a jail section to enable that jail.

Now we setup the services we want to protect with fail2ban.

By default no jail is enabled. We have to add what we need in the /etc/fail2ban/jail.d directory.

Bantime is in seconds. The default is automatic, with increasing ban times. You can set a fixed value for a jail.

Restart after changes and check that it works

# systemctl restart fail2ban
# fail2ban-client status
# fail2ban-client status <jail>

You can find the logs in /var/log/fail2ban.log.

Let's start with SSH.

Configure fail2ban for SSH

To manually configure fail2ban for SSH, create a jail file in /etc/fail2ban/jail.d:

# vi /etc/fail2ban/jail.d/sshd.conf

Add the following lines:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 120
ignoreip = whitelist-IP

We use a different bantime and maxretry for sshd than the global values in jail.local.

Save it and restart fail2ban.

# systemctl restart fail2ban
# fail2ban-client status
# fail2ban-client status sshd
# fail2ban-client get sshd maxretry
3
# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-rich-rules
# 

Extra security

We now have protection against SSH abuse. You can do more.

If your router has a built-in VPN server, you can keep the SSH port on the router closed and only connect to sshd via the VPN tunnel from your workstation. In the LAN your server can be accessed and is protected with fail2ban.

Configure fail2ban for WordPress

To protect the WordPress admin panel with fail2ban, you will need to download the fail2ban filter configuration file for WordPress. You can download it with the following command:

# wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf

Next, create a jail for WordPress in the jail.d directory:

# vi /etc/fail2ban/jail.d/wordpress.conf

Add the following lines:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/blog.example.com-access_log
maxretry = 3
port = http,https
bantime = 300

Configure fail2ban for postfix

The mandatory parameters are shown in the jail below.

You can find part of it in /etc/fail2ban/jail.conf.

[postfix]
enabled = true
filter = postfix
port    = 25, 465, 587
logpath = /var/log/maillog.log
backend = %(postfix_backend)s
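Settings in the [DEFAULT] section of jail.local apply to every jail unless the jail's own section overrides them (as sshd does with its bantime of 120), and bantime accepts either plain seconds or a suffix such as 1h. The following Python script is an added example, not part of this page or of fail2ban itself: it merges a constructed copy of the [DEFAULT] block and the three jail.d fragments above with the standard-library configparser, converts bantime values to seconds with a small helper that covers only the simple time forms used on this page, and reports which jails inherit their bantime or maxretry from [DEFAULT]. The %(postfix_backend)s reference is left unresolved because paths-*.conf is not loaded.

```python
import configparser
import re

# Constructed stand-in for /etc/fail2ban/jail.local ([DEFAULT] section only) and the
# jail.d fragments shown on this page, embedded as strings so the example runs offline.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1h
maxretry = 3
"""

JAIL_D = {
    "sshd.conf": """\
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 120
""",
    "wordpress.conf": """\
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/blog.example.com-access_log
maxretry = 3
port = http,https
bantime = 300
""",
    "postfix.conf": """\
[postfix]
enabled = true
filter = postfix
port    = 25, 465, 587
logpath = /var/log/maillog.log
backend = %(postfix_backend)s
""",
}

# Seconds per suffix for the simple time forms used on this page ('120', '1h', '10m').
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_bantime(value):
    """Convert a fail2ban time value such as '120' or '1h' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def load_config(jail_local, jail_d):
    """Merge jail.local and the jail.d fragments the way fail2ban layers them.

    Returns the merged parser and, per jail, the option names that the jail's
    own section sets explicitly (everything else comes from [DEFAULT]).
    """
    # interpolation=None keeps %(postfix_backend)s literal; fail2ban resolves such
    # names from paths-*.conf, which this example does not load.
    merged = configparser.ConfigParser(interpolation=None)
    merged.read_string(jail_local)
    explicit = {}
    for name in sorted(jail_d):  # fragments are read in sorted file-name order
        fragment = configparser.ConfigParser(interpolation=None)
        fragment.read_string(jail_d[name])
        for section in fragment.sections():
            explicit[section] = set(fragment.options(section))
        merged.read_string(jail_d[name])
    return merged, explicit


def effective_settings(merged, explicit):
    """Return {jail: {'bantime': seconds, 'maxretry': int, 'inherited': [...]}} for enabled jails."""
    result = {}
    for jail in merged.sections():
        if not merged.getboolean(jail, "enabled", fallback=False):
            continue
        own = explicit.get(jail, set())
        result[jail] = {
            "bantime": parse_bantime(merged.get(jail, "bantime")),
            "maxretry": merged.getint(jail, "maxretry"),
            "inherited": sorted(k for k in ("bantime", "maxretry") if k not in own),
        }
    return result


if __name__ == "__main__":
    cfg, own = load_config(JAIL_LOCAL, JAIL_D)
    for jail, settings in effective_settings(cfg, own).items():
        print(f"{jail:10} bantime={settings['bantime']:>5}s maxretry={settings['maxretry']} "
              f"inherited={settings['inherited'] or '-'}")
```

Running it shows sshd and wordpress using their own bantime (120 s and 300 s) while postfix, which sets neither option, gets the 1h (3600 s) and maxretry 3 from [DEFAULT]. On a live system, fail2ban-client get <jail> bantime gives the authoritative value after a restart.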

How to check the status of the jail

# fail2ban-client status
Status
|- Number of jail:      4
`- Jail list:   dovecot, postfix, sshd, wordpress

# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Testing the system

At this point, fail2ban is configured to protect the SSH service. Now, it's time to check whether fail2ban is working.

Now, go to the remote machine and try to connect to the SSH server with an incorrect password. After reaching the max number of retries (5 times), your IP address will be blocked by fail2ban.

Now, check the IP address blocked by fail2ban using the following command:

# fail2ban-client status sshd

You should get the following output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	6
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	27.61.171.115

You can check the rules added by Firewalld with the following command:

# firewall-cmd --list-rich-rules

You will get the following output:

rule family="ipv4" source address="27.61.171.115" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

You can also check the fail2ban logs for more information:

# tail /var/log/fail2ban.log

Sample output:

2021-11-17 10:37:21,837 fail2ban.filter         [21186]: INFO    [sshd] Found 27.61.171.115 - 2021-11-17 10:37:21
2021-11-17 10:37:21,859 fail2ban.actions        [21186]: NOTICE  [sshd] Ban 27.61.171.115
2021-11-17 10:37:27,220 fail2ban.filter         [21186]: INFO    [sshd] Found 27.
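To get an overview of what the log says without reading it line by line, the following Python script (added here; it is not part of this page or of fail2ban) parses lines in the format shown above into Found, Ban and Unban events per jail and IP address, and skips anything it cannot parse, such as the truncated last line. The log lines are constructed samples modelled on the excerpt above; 203.0.113.7 is a documentation address.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the fail2ban.log excerpt above (same line format);
# the last line is deliberately truncated, as on the page.
SAMPLE_LOG = """\
2021-11-17 10:37:21,837 fail2ban.filter         [21186]: INFO    [sshd] Found 27.61.171.115 - 2021-11-17 10:37:21
2021-11-17 10:37:21,859 fail2ban.actions        [21186]: NOTICE  [sshd] Ban 27.61.171.115
2021-11-17 10:40:02,101 fail2ban.filter         [21186]: INFO    [wordpress] Found 203.0.113.7 - 2021-11-17 10:40:01
2021-11-17 10:40:02,130 fail2ban.actions        [21186]: NOTICE  [wordpress] Ban 203.0.113.7
2021-11-17 10:45:00,005 fail2ban.actions        [21186]: NOTICE  [sshd] Unban 27.61.171.115
2021-11-17 10:46:11,220 fail2ban.filter         [21186]: INFO    [sshd] Found 27.
"""

# One log line: timestamp, component, pid, level, [jail], event, address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<event>Found|Ban|Unban|Restore Ban) (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for a recognised event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:  # e.g. a truncated address such as "27."
        return None
    return {"ts": m.group("ts"), "jail": m.group("jail"),
            "event": m.group("event"), "ip": ip}


def summarize(log_text):
    """Replay the log and return ({jail: stats}, skipped_line_count).

    stats = {"found": Counter of filter matches per IP, "banned": set of IPs still
    banned at the end of the log, "total_banned": number of Ban events}.
    """
    jails = defaultdict(lambda: {"found": Counter(), "banned": set(), "total_banned": 0})
    skipped = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            skipped += 1
            continue
        stats = jails[ev["jail"]]
        if ev["event"] == "Found":
            stats["found"][ev["ip"]] += 1
        elif ev["event"] in ("Ban", "Restore Ban"):
            stats["banned"].add(ev["ip"])
            stats["total_banned"] += 1
        elif ev["event"] == "Unban":
            stats["banned"].discard(ev["ip"])
    return dict(jails), skipped


if __name__ == "__main__":
    per_jail, skipped = summarize(SAMPLE_LOG)
    for jail, stats in sorted(per_jail.items()):
        print(f"[{jail}] found={dict(stats['found'])} total_banned={stats['total_banned']} "
              f"currently_banned={sorted(stats['banned'])}")
    print(f"skipped unparseable lines: {skipped}")
```

The "currently banned" set is rebuilt from Ban and Unban events, so it matches the Banned IP list that fail2ban-client status <jail> prints for the same period; to run it on the real file, pass the contents of /var/log/fail2ban.log to summarize().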

Manually banning IP addresses

If you want to block any remote IP address manually for SSH service, run the following command:

# fail2ban-client set sshd banip <remote-ip-address>

On a system that uses iptables instead of firewalld, you can check the iptables rules added by fail2ban with the following command:

# iptables -nL

How to unban IPs banned by fail2ban

By default, fail2ban automatically unbans the banned IPs after the interval of time (bantime) you specified in the jail.local file.

To unban the banned IP manually, run the following command:

# fail2ban-client set sshd unbanip remote-ip-address

You can also add trusted remote IPs to the jail.local file so that fail2ban ignores those IPs.

# vi /etc/fail2ban/jail.local

Add the following lines at the top of the file:

[DEFAULT]

ignoreip = trusted-ip1 trusted-ip2

Save and close the file. Then, restart fail2ban to apply the configuration.

# systemctl restart fail2ban

Links