fail2ban is a very handy tool to prevent a lot of unwanted traffic from consuming bandwidth on your servers. It’s a very small and relatively simple IDS-type tool that comes with some predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.
This tutorial covers basic installation and setup, along with an example of a simple custom filter to help you on the way to writing your own event-based blocking rules (filters) for the applications you run.
The installation is described at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Debian. I used apt-get and it went painlessly:
$ sudo apt-get install fail2ban
I’m on Ubuntu 12.04 and the install location is /etc/fail2ban. The log for the jails is /var/log/fail2ban.log.
Filters, Actions and Jails
fail2ban uses the concept of filters, actions and jails.
- Filters are the regular expressions you want to look for.
- Actions are the steps you want to take when you find something.
- Jails are what you create to tie together a log file, a filter and an action.
Don’t edit the .conf files you find. Instead, create a .local file of the same name for your settings. The settings that you specify in the .local will override the .conf, and you will not be troubled by upgrades.
fail2ban should have installed itself in /etc/fail2ban. Take a look at the jail.conf file and you will see that some of the jails are already enabled by default, such as ssh. The first thing you may want to do is enable some of the others.
Enabling a Predefined Jail
Don’t edit the jail.conf. Rather, create a jail.local in the same directory to override the .conf settings. You can copy the whole file, but I recommend just copying the relevant section and setting enabled to true. (You can also turn off jails that are enabled by default in this fashion.)
# HTTP servers
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
Since no action is explicitly specified, the default action is taken. That action is defined at the top of jail.conf and is currently to ban the offending IP address for a short while using iptables. If you are not using iptables, you may wish to do so, or to take a more advanced action.
The real power of fail2ban comes when you create custom filters, actions and jails. As an example, I show how to look at pure-ftpd logs and issue a block to the router, effectively blocking the offending IP address from your entire network.
Creating a Custom Filter
The basic goal is to find a specific error message and an IP address associated with it. Examine the log file you are concerned about.
In my case pure-FTPd logs to /var/log/messages and it had entries such as:
Aug 8 17:43:10 NAS pure-ftpd: (?@126.96.36.199) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
Aug 8 15:05:45 NAS pure-ftpd: (?@192.168.1.148) [WARNING] Authentication failed for user [schmoe]
Then go to the filter.d directory and create a new file named pure-ftpd-TLS.local. You’re looking to put in the error message and replace the IP address with the fail2ban reserved word <HOST>. Here’s an example:
[Definition]
failregex = pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Sorry, cleartext sessions are not accepted on this server
            pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Authentication failed for user
The interesting part is \(.+?@<HOST>\). This is an escaped “(”, then “.+?” (one or more characters, matched non-greedily), then “@”, then the keyword <HOST>, then an escaped “)”. The “.+?” is important for the regex because there can be a username in front of the “@”. The <HOST> is specific to fail2ban and is required for it to know what IP to take action against.
There are other features you can take advantage of (though not well documented) but this example represents the minimum approach.
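As an added example (not part of the original post, and not fail2ban’s own code), here is a small Python re-implementation of what fail2ban-regex does with the filter above: it substitutes <HOST> with an IP pattern, runs both failregex lines over constructed log lines in the /var/log/messages format shown above, and counts hits per host against maxretry = 5. It assumes a simplified IPv4-only stand-in for fail2ban’s real <HOST> pattern and ignores findtime.

```python
import re
from collections import defaultdict
# The two failregex lines from the pure-ftpd-TLS filter above.
FAILREGEX = [
    r"pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Sorry, cleartext sessions are not accepted on this server",
    r"pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Authentication failed for user",
]
# Assumption: simplified IPv4-only stand-in for the pattern fail2ban substitutes for <HOST>.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY = 5  # matches the jail's maxretry on this page

def compile_filter(failregex):
    """Replace <HOST> the way fail2ban does, so each regex captures the offender's IP."""
    return [re.compile(r.replace("<HOST>", HOST_PATTERN)) for r in failregex]

def match_host(compiled, line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def scan(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Count matching lines per host; hosts at or above maxretry would be banned."""
    compiled = compile_filter(failregex)
    counts = defaultdict(int)
    for line in lines:
        host = match_host(compiled, line)
        if host is not None:
            counts[host] += 1
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return dict(counts), banned

# Constructed log lines in the format shown above; the bob@10.0.0.5 line exercises the username case.
SAMPLE_LOG = [
    "Aug 8 17:43:10 NAS pure-ftpd: (?@126.96.36.199) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.",
    "Aug 8 15:07:00 NAS pure-ftpd: (bob@10.0.0.5) [WARNING] Authentication failed for user [bob]",
    "Aug 8 15:08:00 NAS pure-ftpd: (?@192.168.1.148) [INFO] New connection from 192.168.1.148",
] + [
    f"Aug 8 15:05:{s:02d} NAS pure-ftpd: (?@192.168.1.148) [WARNING] Authentication failed for user [schmoe]"
    for s in range(45, 50)
]

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    for host, hits in sorted(counts.items()):
        print(f"{host}: {hits} hit(s)")
    print("would ban:", banned)  # only 192.168.1.148 reaches maxretry
```

The [INFO] line is deliberately left unmatched to show that the filter keys on the [WARNING] messages only, not on every line that mentions an address.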
Creating a Custom Action
You can think of an action file as a collection of commands. Some you want to issue when fail2ban starts, others when it stops so that it cleans up after itself. They are contained in the action.d directory. The predefined iptables-multiport.conf is a great one to start with. The iptables-allports.conf takes it a step further, and you may want to use that instead.
Banning at the Border Example
To modify it to work with a Tomato-based router, simply paste an ssh root@tomato '....' wrapper in front of the existing iptables commands. Make sure to enable ssh logins on the router and place the host’s public key in the router’s authorized_keys file.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = ssh root@tomato 'iptables -t nat -I fail2ban-<name> 1 -s <ip> -j DROP'
Note the addition of -t nat after the iptables command. This is needed because this is being used on a router, as opposed to a host that isn’t forwarding traffic.
Since iptables’ order of inspection is 1) the mangle table’s PREROUTING chain, 2) the nat table’s PREROUTING chain, 3) the filter table’s FORWARD chain or, for local delivery, back to the mangle table’s INPUT chain, it made sense to cut it off at step 2, where I could use one rule for both the firewall itself and the protected network.
See the attached file at the bottom for all the rule changes needed.
Creating a New Jail
To turn on a jail you will create a jail.local file. In mine I changed the default ban action to the new action I just created and created a jail for pure-ftpd. In both cases you simply use the file name without the extension to identify the filter and action file you want to use:
[DEFAULT]
# (Default banning action)
banaction = iptables-allports-router

[pure-ftpd-TLS]
enabled = true
port = all
filter = pure-ftpd-TLS
logpath = /var/log/messages
maxretry = 5
Checking the Status of a Jail
$ sudo fail2ban-client status
|- Number of jail: 2
`- Jail list: pure-ftpd-TLS, ssh
It’s a good idea to test your filter. For instance, the default filter for pure-ftpd is set up for an older release and does not work. Do this by creating a couple of intentionally failed logon attempts, then use the utility fail2ban-regex like so:
$ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/pure-ftpd-TLS.local
If you try to start fail2ban manually or check its status, you’ll see a variation of this error message:
$ /etc/init.d/fail2ban start
* Socket file /var/run/fail2ban/fail2ban.sock is present
This is because you must run fail2ban commands with sudo in some distros (Ubuntu at least).
Sometimes fail2ban starts, but aborts as soon as I ask it what its status is. The way to see the error is to start the server in console mode, and ask it via another shell what its status is. Do that with:
# /usr/bin/fail2ban-server -x -f
in one shell, and in another:
$ fail2ban-client status pure-ftpd-TLS
You may find that fail2ban must be run with python2.4 on an ARM architecture, for devices such as the DNS-323:
$ apt-get install python2.4
$ python2.4 /usr/bin/fail2ban-server -x -f
ln -s /usr/bin/python2.4 /usr/bin/python
Blocking All Ports vs. Specific Ones
I chose to block all ports. This means that if you fail to log in to FTP you are totally banned, rather than just being blocked from FTP. This is somewhat heavy-handed, as I deny all services based on one service’s attempted exploit. However, the extreme is to block an entire subnet, the suspicion being that where there is one bot there are probably more.