Fail2ban
Fail2ban helps to protect your server from brute force attacks coming from a single IP address by monitoring the log files on the server. It can be used, for example, to block an address after a set number of failed login attempts.
You can get different kinds of filters for Fail2ban which work for instance with Apache, Dovecot, Postfix and SSH.
The limitations of Fail2ban are that it does not support IPv6 addresses and that it does not protect well against distributed brute force attacks, where each attacking address stays below the retry limit.
Installation
Debian / Ubuntu
aptitude install fail2ban
OR
apt-get install fail2ban
Red Hat / CentOS / Fedora
Enable the EPEL repository, which provides the fail2ban package (the URL below is for EL6 x86_64):
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install with the command
yum install fail2ban
Configuration
Open /etc/fail2ban/jail.conf
nano /etc/fail2ban/jail.conf
Default settings:
ignoreip = IP addresses that are never banned (they bypass the filters)
bantime = how long an address is kept on the ban list; the default is 600 seconds
findtime = the time window in which failed attempts are counted; an address is banned when it fails to log in maxretry times (three in the example below) within findtime seconds
maxretry = how many failed attempts an address is allowed within findtime before it is banned
Example configuration:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.1
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto"
This configuration excludes the IP addresses 192.168.1.1 and 127.0.0.1 (localhost) from banning. After 3 failed login attempts within findtime, the address is placed on the ban list for 600 seconds.
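To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is an added simulation of that logic (not code from the original page or from the Fail2ban project) run over constructed sshd "Failed password" lines. The hosts, timestamps and the assumed year are made up for the demonstration; the real daemon does the same counting against the live log and then calls an iptables action.

```python
# Added example (not from the original page or the Fail2ban project): a small
# simulation of how findtime, maxretry, bantime and ignoreip interact, run over
# constructed sshd "Failed password" lines. Hosts, timestamps and the assumed
# year are all made up for the demonstration.
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
May 13 15:50:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4001 ssh2
May 13 15:50:12 host sshd[1002]: Failed password for root from 203.0.113.5 port 4002 ssh2
May 13 15:50:20 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2
May 13 15:50:35 host sshd[1004]: Failed password for root from 203.0.113.5 port 4004 ssh2
May 13 15:51:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 5001 ssh2
May 13 15:52:00 host sshd[1006]: Failed password for root from 127.0.0.1 port 6001 ssh2
May 13 15:52:05 host sshd[1007]: Failed password for root from 127.0.0.1 port 6002 ssh2
May 13 15:52:10 host sshd[1008]: Failed password for root from 127.0.0.1 port 6003 ssh2
May 13 16:05:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 5002 ssh2
May 13 16:20:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

# Matches the timestamp and the source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

ASSUMED_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample


def parse_ts(stamp):
    return datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def simulate(log_text, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
    """Return (events, still_banned); events is a list of (time, 'Ban'|'Unban', host)."""
    recent = {}        # host -> failure times still inside the findtime window
    banned_until = {}  # host -> time at which the ban expires
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        now, host = parse_ts(m["ts"]), m["host"]
        # bantime elapsed: lift bans that expired before this log line
        for h, until in list(banned_until.items()):
            if until <= now:
                events.append((until, "Unban", h))
                del banned_until[h]
        # ignoreip addresses are never counted; a banned host cannot reconnect
        if host in ignoreip or host in banned_until:
            continue
        window = [t for t in recent.get(host, []) if now - t < timedelta(seconds=findtime)]
        window.append(now)
        recent[host] = window
        # maxretry failures inside findtime seconds trigger a ban
        if len(window) >= maxretry:
            banned_until[host] = now + timedelta(seconds=bantime)
            events.append((now, "Ban", host))
            recent[host] = []
    return events, banned_until


if __name__ == "__main__":
    for when, action, host in simulate(SAMPLE_AUTH_LOG)[0]:
        print(when, action, host)
```

With the defaults, 203.0.113.5 is banned on its third failure at 15:50:20 and released 600 seconds later, while 198.51.100.7, which spreads its three failures 14 to 15 minutes apart, is never banned; raising findtime to 3600 catches it too. On a live host, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` shows which lines the real sshd filter matches, and `fail2ban-client status ssh` lists the addresses a jail currently has banned.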
And the SSH configuration:
[ssh]
# jail name; the matching filter is sshd
# is the jail in use? options are true and false
enabled = true
# port used for SSH, for example port 22
port = ssh
# type of filter; filters are found in the /etc/fail2ban/filter.d/ directory
filter = sshd
# location of the log
logpath = /var/log/auth.log
# how many attempts are allowed
maxretry = 6
Example configurations:
Apache
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
SSH
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
By default SSH allows 6 attempts when forming a connection; we recommend limiting it to 3 attempts.
port = ssh must be changed if you have changed the default SSH port in the /etc/ssh/sshd_config file.
Proftpd
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3
Postfix
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log

[dovecot]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
Log File
Fail2ban records every ban and unban in its own log, which can be found at /var/log/fail2ban.log
nano /var/log/fail2ban.log
In this file you can see which addresses have been banned and unbanned, by which jail, and when.
Example log:
2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116
2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100
2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116
2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100
2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164
2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164
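Reading this log by hand becomes tedious on a busy server, so here is an added parser for the Ban/Unban lines (not code from the original page or from the Fail2ban project) that counts bans per jail and per address, lists the bans not yet lifted and finds repeat offenders. The sample log is constructed after the format above, with documentation addresses substituted for the masked ones and one extra ban that is still in force.

```python
# Added example (not from the original page or the Fail2ban project): a parser
# for the Ban/Unban lines in fail2ban.log. The sample log is constructed after
# the layout shown on the page, using documentation addresses.
import re
from collections import Counter

SAMPLE_FAIL2BAN_LOG = """\
2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban 203.0.113.116
2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban 198.51.100.100
2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban 203.0.113.116
2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban 198.51.100.100
2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban 192.0.2.164
2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban 192.0.2.164
2014-05-13 17:30:00,001 fail2ban.actions: WARNING [ssh] Ban 203.0.113.116
"""

# Also tolerates the newer "fail2ban.actions [pid]: NOTICE [jail] Ban host" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*(?:\[\d+\])?:\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<host>\S+)$"
)


def parse_log(log_text):
    """Yield (timestamp, jail, action, host) for every Ban/Unban line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["jail"], m["action"], m["host"]


def summarize(log_text):
    """Return (bans per jail, bans per host, bans still in force)."""
    bans_per_jail = Counter()
    bans_per_host = Counter()
    active = {}  # (jail, host) -> timestamp of the ban still in force
    for ts, jail, action, host in parse_log(log_text):
        if action == "Ban":
            bans_per_jail[jail] += 1
            bans_per_host[host] += 1
            active[(jail, host)] = ts
        else:
            active.pop((jail, host), None)
    return dict(bans_per_jail), dict(bans_per_host), active


def repeat_offenders(log_text, min_bans=2):
    """Addresses banned at least min_bans times, most frequent first."""
    _, per_host, _ = summarize(log_text)
    return [h for h, n in sorted(per_host.items(), key=lambda kv: -kv[1]) if n >= min_bans]


if __name__ == "__main__":
    per_jail, per_host, active = summarize(SAMPLE_FAIL2BAN_LOG)
    print("bans per jail:", per_jail)
    print("still banned:", active)
    print("repeat offenders:", repeat_offenders(SAMPLE_FAIL2BAN_LOG))
```

Addresses that keep coming back after a short bantime are the usual reason to raise bantime; Fail2ban also ships a recidive filter that reads fail2ban.log itself and bans such repeat offenders for a much longer period.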
Related info
Additional information
https://www.omaserveri.info/suojaa-ssh-yhteytesi-brute-force-hyokkayksilta/ (Finnish)
Sources
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6