Difference between revisions of "Fail2Ban"

Latest revision as of 06:41, 30 May 2024

Fail2Ban Installation and Configuration

Overview

Fail2Ban is a log-parsing application that protects Linux servers from brute-force attacks by monitoring system logs and banning IP addresses that exhibit malicious behavior. This guide covers the installation and configuration of Fail2Ban on a Linux server.

Installation

On Debian/Ubuntu

To install Fail2Ban on Debian-based distributions, use the apt package manager:

<syntaxhighlight lang="bash"> sudo apt update sudo apt install fail2ban -y </syntaxhighlight>

On RHEL/CentOS

To install Fail2Ban on Red Hat-based distributions, use the yum or dnf package manager:

sudo yum install epel-release -y
sudo yum install fail2ban -y

Configuration

Basic Configuration

Fail2Ban's configuration files are located in /etc/fail2ban. The main configuration file is jail.conf, but it is recommended to create a local copy called jail.local to avoid overwriting custom settings when the package is updated.

1. Create the jail.local file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

2. Edit the jail.local file:

Open the file with your preferred text editor:

sudo nano /etc/fail2ban/jail.local

Configure the following basic settings:

[DEFAULT]
# "ignoreip" can be a list of IP addresses that you want to ignore (e.g., your own IP).
ignoreip = 127.0.0.1/8 ::1
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 3

ignoreip: IP addresses that should never be banned.
bantime: Duration (in seconds) for which the IP is banned.
findtime: The time period (in seconds) during which the maxretry count must occur to trigger a ban.
maxretry: Number of failed login attempts before the IP is banned.

Enabling and Starting Fail2Ban

1. Enable Fail2Ban to start on boot:

sudo systemctl enable fail2ban

2. Start the Fail2Ban service:

sudo systemctl start fail2ban

3. Check the status of the service:

sudo systemctl status fail2ban

Custom Filters and Actions

Fail2Ban uses filters to detect malicious behavior and actions to respond to it. Filters are located in /etc/fail2ban/filter.d and actions in /etc/fail2ban/action.d.

Creating a Custom Filter

1. Create a new filter file:

sudo nano /etc/fail2ban/filter.d/custom-filter.conf

2. Define the filter:

[Definition]
failregex = <custom regex>
ignoreregex =

3. Add the filter to jail.local:

[custom-service]
enabled = true
port    = <port>
filter  = custom-filter
logpath = /path/to/logfile
maxretry = 3

Creating a Custom Action

1. Create a new action file:

sudo nano /etc/fail2ban/action.d/custom-action.conf

2. Define the action:

[Definition]
actionstart = <command to start action>
actionstop = <command to stop action>

3. Add the action to jail.local:

[custom-service]
action = custom-action

Monitoring and Managing Fail2Ban

Check Fail2Ban Status

To view the current status of jails and banned IP addresses:

sudo fail2ban-client status

To check the status of a specific jail:

sudo fail2ban-client status sshd

Unban an IP Address

To unban an IP address:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

Additional Resources

For more detailed information and advanced configurations, refer to the official Fail2Ban documentation.

@@ Line 1: / Line 1: @@
-Placeholder content, page coming soon.
+== Fail2Ban Installation and Configuration ==
+=== Overview ===
+Fail2Ban is a log-parsing application that protects Linux servers from brute-force attacks by monitoring system logs and banning IP addresses that exhibit malicious behavior. This guide covers the installation and configuration of Fail2Ban on a Linux server.
+=== Installation ===
+==== On Debian/Ubuntu ====
+To install Fail2Ban on Debian-based distributions, use the <code>apt</code> package manager:
+<syntaxhighlight lang="bash">
+sudo apt update
+sudo apt install fail2ban -y
+</syntaxhighlight>
+==== On RHEL/CentOS ====
+To install Fail2Ban on Red Hat-based distributions, use the <code>yum</code> or <code>dnf</code> package manager:
+ <nowiki>
+sudo yum install epel-release -y
+sudo yum install fail2ban -y
+ </nowiki>
+=== Configuration ===
+==== Basic Configuration ====
+Fail2Ban's configuration files are located in <code>/etc/fail2ban</code>. The main configuration file is <code>jail.conf</code>, but it is recommended to create a local copy called <code>jail.local</code> to avoid overwriting custom settings when the package is updated.
+. '''Create the <code>jail.local</code> file:'''
+ <nowiki>
+sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+ </nowiki>
+. '''Edit the <code>jail.local</code> file:'''
+Open the file with your preferred text editor:
+ <nowiki>
+sudo nano /etc/fail2ban/jail.local
+ </nowiki>
+Configure the following basic settings:
+ <nowiki>
+[DEFAULT]
+# "ignoreip" can be a list of IP addresses that you want to ignore (e.g., your own IP).
+ignoreip = 127.0.0.1/8 ::1
+bantime  = 3600
+findtime = 600
+maxretry = 5
+[sshd]
+enabled = true
+port    = ssh
+filter  = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+ </nowiki>
+* <code>ignoreip</code>: IP addresses that should never be banned.
+* <code>bantime</code>: Duration (in seconds) for which the IP is banned.
+* <code>findtime</code>: The time period (in seconds) during which the <code>maxretry</code> count must occur to trigger a ban.
+* <code>maxretry</code>: Number of failed login attempts before the IP is banned.
+==== Enabling and Starting Fail2Ban ====
+. '''Enable Fail2Ban to start on boot:'''
+ <nowiki>
+sudo systemctl enable fail2ban
+ </nowiki>
+. '''Start the Fail2Ban service:'''
+ <nowiki>
+sudo systemctl start fail2ban
+ </nowiki>
+. '''Check the status of the service:'''
+ <nowiki>
+sudo systemctl status fail2ban
+ </nowiki>
+==== Custom Filters and Actions ====
+Fail2Ban uses filters to detect malicious behavior and actions to respond to it. Filters are located in <code>/etc/fail2ban/filter.d</code> and actions in <code>/etc/fail2ban/action.d</code>.
+===== Creating a Custom Filter =====
+. '''Create a new filter file:'''
+ <nowiki>
+sudo nano /etc/fail2ban/filter.d/custom-filter.conf
+ </nowiki>
+. '''Define the filter:'''
+ <nowiki>
+[Definition]
+failregex = &lt;custom regex&gt;
+ignoreregex =
+ </nowiki>
+. '''Add the filter to <code>jail.local</code>:'''
+ <nowiki>
+[custom-service]
+enabled = true
+port    = &lt;port&gt;
+filter  = custom-filter
+logpath = /path/to/logfile
+maxretry = 3
+ </nowiki>
+===== Creating a Custom Action =====
+. '''Create a new action file:'''
+ <nowiki>
+sudo nano /etc/fail2ban/action.d/custom-action.conf
+ </nowiki>
+. '''Define the action:'''
+ <nowiki>
+[Definition]
+actionstart = &lt;command to start action&gt;
+actionstop = &lt;command to stop action&gt;
+ </nowiki>
+. '''Add the action to <code>jail.local</code>:'''
+ <nowiki>
+[custom-service]
+action = custom-action
+ </nowiki>
+=== Monitoring and Managing Fail2Ban ===
+==== Check Fail2Ban Status ====
+To view the current status of jails and banned IP addresses:
+ <nowiki>
+sudo fail2ban-client status
+ </nowiki>
+To check the status of a specific jail:
+ <nowiki>
+sudo fail2ban-client status sshd
+ </nowiki>
+==== Unban an IP Address ====
+To unban an IP address:
+ <nowiki>
+sudo fail2ban-client set sshd unbanip &lt;IP_ADDRESS&gt;
+ </nowiki>
+=== Additional Resources ===
+For more detailed information and advanced configurations, refer to the official [https://www.fail2ban.org/wiki/index.php/Main_Page Fail2Ban documentation].