fail2ban

fail2ban

security > intrusion-prevention > fail2ban

This intrusion detection system can be configured to analyse log files with giving regular expressions and generate firewall rules for different firewalls. Also fail2ban is written in python, which makes it a very portable solution, which can be used under many different operating systems.

Configuration

The configuration is simple: We assume the settings folder of fail2ban to be called /usr/local/etc/fail2ban and this may vary. But inside that folder we have subfolders called action.d, filter.d and jail.d and once one knows how files under jail.d are expected to look like, the configuration becomes relatively trivial:

# /usr/local/etc/fail2ban/jail.d/ssh-pf.local
[ssh-pf]
enabled  = true
filter   = bsd-sshd
action   = pf
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /var/log/auth.log
findtime  = 600
maxretry = 3
bantime  = 3600

This file defines, that there must be another configuration file, called bsd-sshd inside the filter.d folder and you will find many of those filters pre-installed there. After maxretry entries of a given ip address in a given time window are found, the action will be performed. How the action works gets defined in a file under action.d, which is called pf.conf in this example in order to instruct the pf firewall to block the IP address. Porting this script to a linux machine can therefore be done by replacing pf with iptables.

Some example commands

pfctl -t fail2ban -T show        ;# shows the ban table 
pfctl -t fail2ban -T delete [IP] ;# removes [IP] from the ban table

    # In order to test fail2ban regular expressions there is a dedicted tool
    fail2ban-regex --print-all-matched /usr/jails/asterisk/var/log/asterisk/messages /usr/local/etc/fail2ban/filter.d/asterisk.conf
    fail2ban-client status           ;# shows which 'jails' are active, so which jail.d configuration files were understood
    fail2ban-client reload           ;# reloads all rules

## common mistakes

the configuration files under `jail.d` must start with their own name in
square brackets or they will not be loaded and shown in `fail2ban-client
status`
top