Fail2Ban

From Nick's Personal Wiki

Fail2Ban Installation and Configuration

Overview

Fail2Ban is a log-parsing application that protects Linux servers from brute-force attacks by monitoring system logs and banning IP addresses that exhibit malicious behavior. This guide covers the installation and configuration of Fail2Ban on a Linux server.

Installation

On Debian/Ubuntu

To install Fail2Ban on Debian-based distributions, use the apt package manager:

sudo apt update
sudo apt install fail2ban -y

On RHEL/CentOS

To install Fail2Ban on Red Hat-based distributions, use the yum or dnf package manager:

sudo yum install epel-release -y
sudo yum install fail2ban -y
 

Configuration

Basic Configuration

Fail2Ban's configuration files are located in /etc/fail2ban. The main configuration file is jail.conf, but it is recommended to create a local override called jail.local: settings in jail.local take precedence over jail.conf, and they survive package updates, which may overwrite jail.conf.

1. Create the jail.local file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 

2. Edit the jail.local file:

Open the file with your preferred text editor:

sudo nano /etc/fail2ban/jail.local
 

Configure the following basic settings:

[DEFAULT]
# "ignoreip" can be a list of IP addresses that you want to ignore (e.g., your own IP).
ignoreip = 127.0.0.1/8 ::1
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 3
 
  • ignoreip: IP addresses or CIDR ranges that should never be banned.
  • bantime: Duration (in seconds) for which an IP stays banned.
  • findtime: The time window (in seconds) within which maxretry failures must occur to trigger a ban.
  • maxretry: Number of failed login attempts within findtime before the IP is banned.
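The interplay of ignoreip, findtime and maxretry is easiest to see by replaying a log through the same rules. The following script is an added example written for this page, not part of Fail2Ban or of the wiki: it uses a simplified sshd failure pattern (the shipped filter.d/sshd.conf covers many more message forms), constructed auth.log lines with documentation address ranges, and a single-pass model in which a ban fires on the failure that brings the count inside the last findtime seconds up to maxretry.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (invented traffic, documentation
# address ranges). 203.0.113.7 fails three times in eight seconds, 127.0.0.1 fails
# three times but sits inside ignoreip, and 192.0.2.9 fails three times spread
# over thirty minutes.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:20 host sshd[1004]: Accepted publickey for nick from 198.51.100.4 port 40000 ssh2
Mar  3 10:01:00 host sshd[1005]: Failed password for nick from 127.0.0.1 port 40001 ssh2
Mar  3 10:01:05 host sshd[1006]: Failed password for nick from 127.0.0.1 port 40002 ssh2
Mar  3 10:01:10 host sshd[1007]: Failed password for nick from 127.0.0.1 port 40003 ssh2
Mar  3 10:05:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 52000 ssh2
Mar  3 10:20:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 52001 ssh2
Mar  3 10:35:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 52002 ssh2
"""

# Simplified sshd failure pattern (not the one shipped in filter.d/sshd.conf).
# The named groups give the timestamp and the offending address.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def parse_failures(lines):
    """Return a list of (timestamp, ip) for every line the failregex matches."""
    events = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
            events.append((ts, m.group("host")))
    return events


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def decide_bans(events, findtime, maxretry, ignoreip):
    """Apply the findtime/maxretry window per IP and return [(ban_time, ip), ...].

    bantime only controls when a ban expires, which this single pass over the
    log does not model: each IP is banned at most once here.
    """
    recent = defaultdict(deque)
    bans, banned = [], set()
    for ts, ip in sorted(events):
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime seconds relative to this one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned.add(ip)
    return bans


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG.splitlines())
    for when, ip in decide_bans(events, findtime=600, maxretry=3, ignoreip=["127.0.0.1/8", "::1"]):
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

With the [sshd] override (maxretry = 3) only 203.0.113.7 is banned; with the [DEFAULT] value of 5 nothing is, and 192.0.2.9's slow attempts never accumulate three failures inside a 600-second window, which is exactly the gap a larger findtime closes. Two practical checks on the logpath line of the jail: on RHEL/CentOS the SSH authentication log is /var/log/secure rather than /var/log/auth.log, and on systems that log only to the systemd journal the jail needs backend = systemd instead of a logpath, because a missing log file stops the jail from starting.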

Enabling and Starting Fail2Ban

1. Enable Fail2Ban to start on boot:

sudo systemctl enable fail2ban
 

2. Start the Fail2Ban service:

sudo systemctl start fail2ban
 

3. Check the status of the service:

sudo systemctl status fail2ban
 

Custom Filters and Actions

Fail2Ban uses filters to detect malicious behavior and actions to respond to it. Filters are located in /etc/fail2ban/filter.d and actions in /etc/fail2ban/action.d.

Creating a Custom Filter

1. Create a new filter file:

sudo nano /etc/fail2ban/filter.d/custom-filter.conf
 

2. Define the filter:

[Definition]
failregex = <custom regex>
ignoreregex =
 

3. Add the filter to jail.local:

[custom-service]
enabled = true
port    = <port>
filter  = custom-filter
logpath = /path/to/logfile
maxretry = 3
 
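A concrete custom filter makes the failregex/ignoreregex steps above less abstract. The script below is an added example for this page, not code from Fail2Ban or from the wiki: it invents a log format for a hypothetical service called "myapp", uses an approximation of the pattern Fail2Ban substitutes for the <HOST> tag, and mimics the matched/ignored/missed report that the real fail2ban-regex tool prints, so the filter logic can be exercised offline on constructed lines.

```python
import re

# Approximation of the pattern Fail2Ban substitutes for the <HOST> tag: an optional
# IPv4-mapped-IPv6 prefix followed by a host name or address captured as "host".
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed log lines for a hypothetical service called "myapp" (invented
# format; the addresses are documentation ranges).
SAMPLE_LOG = """\
2024-03-03 10:00:01 myapp[2001]: login failed for user alice from 203.0.113.7
2024-03-03 10:00:02 myapp[2001]: login failed for user bob from 203.0.113.7
2024-03-03 10:00:03 myapp[2001]: login failed for user healthcheck from 10.0.0.5
2024-03-03 10:00:04 myapp[2001]: login ok for user alice from 198.51.100.4
2024-03-03 10:00:05 myapp[2001]: login failed for user alice from ::ffff:203.0.113.8
"""

# What filter.d/custom-filter.conf would contain for this format: failregex must
# carry <HOST>, and ignoreregex whitelists a known-benign line shape.
FAILREGEX = r"^.*myapp\[\d+\]: login failed for user \S+ from <HOST>$"
IGNOREREGEX = r"login failed for user healthcheck from"


def compile_failregex(pattern):
    """Expand <HOST> and compile; refuse a pattern that cannot name an address."""
    if "<HOST>" not in pattern:
        raise ValueError("failregex must contain <HOST> so Fail2Ban knows what to ban")
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def run_filter(lines, failregex, ignoreregex=""):
    """Mimic fail2ban-regex: classify each line as matched, ignored or missed."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    result = {"matched": [], "ignored": 0, "missed": 0}
    for line in lines:
        if ignore is not None and ignore.search(line):
            result["ignored"] += 1  # ignoreregex takes precedence over failregex
            continue
        m = fail.search(line)
        if m:
            result["matched"].append(m.group("host"))
        else:
            result["missed"] += 1
    return result


if __name__ == "__main__":
    report = run_filter(SAMPLE_LOG.splitlines(), FAILREGEX, IGNOREREGEX)
    print(f"matched {len(report['matched'])}, ignored {report['ignored']}, missed {report['missed']}")
    for host in report["matched"]:
        print("  would count a failure for", host)
```

Before enabling a new jail, validate the real filter file against the real log with the tool that ships with Fail2Ban, for example fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/custom-filter.conf; a filter that matches zero lines bans nobody, and one that matches the wrong lines (such as a successful login) locks out legitimate users.
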
Creating a Custom Action

1. Create a new action file:

sudo nano /etc/fail2ban/action.d/custom-action.conf
 

2. Define the action:

[Definition]
actionstart = <command run once when the jail starts>
actionstop = <command run once when the jail stops>
actionban = <command run for each ban; the <ip> tag holds the address>
actionunban = <command run when a ban expires; the <ip> tag holds the address>
 

3. Add the action to jail.local:

[custom-service]
action = custom-action
 
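As a complete instance of the action steps above, here is an added example of a logging-only action, written for this page and not taken from Fail2Ban's action.d or from the wiki. It appends one line per ban and unban to a file that a SIEM or log shipper can pick up; the log path in [Init] is an assumption, and the <ip>, <name> and <failures> tags are the values Fail2Ban fills in at ban time.

```ini
# /etc/fail2ban/action.d/custom-action.conf (added example)
[Definition]
# Run once when the jail starts: make sure the log file exists.
actionstart = touch <logfile>
# Run once when the jail stops: nothing to tear down.
actionstop =
# Run before each ban to confirm the environment is sane; empty means always OK.
actioncheck =
# Run for every ban and unban; <ip>, <name> (the jail) and <failures> are
# tags Fail2Ban substitutes before the command is passed to the shell.
actionban = echo "$(date --iso-8601=seconds) BAN jail=<name> ip=<ip> failures=<failures>" >> <logfile>
actionunban = echo "$(date --iso-8601=seconds) UNBAN jail=<name> ip=<ip>" >> <logfile>

[Init]
# Assumed path; values in [Init] are available to [Definition] as <logfile>.
logfile = /var/log/fail2ban-bans.log

# /etc/fail2ban/jail.local: keep the default firewall ban and add the logging action
[custom-service]
action = %(action_)s
         custom-action
```

Setting action = custom-action on its own replaces the jail's default action, so the offending address would be logged but no longer blocked; listing %(action_)s (the firewall ban defined in the [DEFAULT] section of jail.conf) on the first line and the custom action on the next keeps both.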

Monitoring and Managing Fail2Ban

Check Fail2Ban Status

To view the current status of jails and banned IP addresses:

sudo fail2ban-client status
 

To check the status of a specific jail:

sudo fail2ban-client status sshd
 

Unban an IP Address

To unban an IP address:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
 

Additional Resources

For more detailed information and advanced configurations, refer to the official Fail2Ban documentation.