More on fail2ban

A while ago I blogged about an SSH attack that had been going on unnoticed for some time. Taking my typical fire-and-forget approach (gently forced by a busy family life), I simply installed fail2ban and did nothing else. Finally I was in a position where I had to research fail2ban a little more to figure out how to make it work.

What is fail2ban?

It's a Python script (running as a daemon) which monitors log files under /var/log. It watches them for specific entries, for example "Failed password", and then updates iptables rules to deny network access to the offending IP for a configured amount of time.

A good example of this: if you try to ssh into my system three times unsuccessfully, you won't be able to try again for 10 minutes. This is sufficient to make automated brute-force attacks useless.

Do you need it?

If you have a public-facing server with the ability to log into it (including web applications even) then you need this.  If you’re curious to see if you’ve been targeted for attacks, try running these commands as root on your server:

grep 'Failed password' /var/log/auth.log | grep sshd | awk '{print $1,$2}' | sort | uniq -c
zcat -f /var/log/auth.log.[0-9]* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c

The first command examines your current auth.log file and the second examines your historical auth.log.[0-9] files. In my recent history (prior to configuring fail2ban properly) I had over 6,000 failed SSH login attempts on a single day just after Christmas.
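To make both of the points above concrete (what the two grep/awk/uniq commands count, and what fail2ban then does with the same lines), here is an added example that is not fail2ban's code and not part of the original post. It parses constructed auth.log lines (syslog has no year, so 2009 is assumed), reproduces the per-day failure count, and applies a fail2ban-style jail with the post's numbers: three failures from one address inside the window gets that address banned for ten minutes. The names maxretry, findtime and bantime are borrowed from fail2ban's configuration vocabulary; the functions themselves are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (not real traffic). 10.0.0.5 fails
# four times in about a minute; 10.0.0.9 fails once on each of two days.
SAMPLE_AUTH_LOG = """\
Jun 12 03:10:01 server sshd[2101]: Failed password for root from 10.0.0.5 port 41022 ssh2
Jun 12 03:10:07 server sshd[2101]: Failed password for root from 10.0.0.5 port 41022 ssh2
Jun 12 03:10:14 server sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 41030 ssh2
Jun 12 03:10:20 server sshd[2104]: Accepted publickey for bob from 10.0.0.9 port 51000 ssh2
Jun 12 03:11:02 server sshd[2105]: Failed password for root from 10.0.0.5 port 41040 ssh2
Jun 12 03:12:30 server sshd[2106]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Jun 13 01:00:00 server sshd[2200]: Failed password for root from 10.0.0.9 port 51020 ssh2
"""

# Month, day, time, the sshd tag, the "Failed password" marker and the source
# address after "from": the same ingredients the post's grep pipeline keys on.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip) for every sshd 'Failed password' line.
    The year is an assumption: syslog lines do not carry one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def failures_per_day(log_text):
    """Same result as: grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c"""
    counts = Counter()
    for ts, _ip in parse_failures(log_text):
        counts[f"{ts.strftime('%b')} {ts.day}"] += 1
    return dict(counts)


def jail(log_text, maxretry=3, findtime=600, bantime=600):
    """fail2ban-style jail over the log: an IP that reaches maxretry failures
    within findtime seconds is banned for bantime seconds.
    Returns {ip: (ban_start, ban_end)}."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        # A banned address cannot reach sshd, so lines that fall inside an
        # active ban are ignored (the real daemon never sees them at all).
        if ip in bans and bans[ip][0] <= ts < bans[ip][1]:
            continue
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            recent[ip] = []  # the counter restarts once the ban expires
    return bans


def currently_banned(bans, now):
    """Addresses whose ban is active at time `now` (bans expire on their own)."""
    return sorted(ip for ip, (start, end) in bans.items() if start <= now < end)


if __name__ == "__main__":
    print(failures_per_day(SAMPLE_AUTH_LOG))
    for ip, (start, end) in jail(SAMPLE_AUTH_LOG).items():
        print(f"{ip} banned from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run against the sample, 10.0.0.5 is banned at its third failure (03:10:14) and the fourth attempt at 03:11:02 is never counted, while 10.0.0.9's two failures are a day apart and never reach the threshold. Lowering maxretry or raising findtime in the call shows how quickly a jail's tuning changes who gets banned, which is the knob worth thinking about before deploying it on a box you administer remotely.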

What next?

The steps are:

bob@server:~$ sudo apt-get install iptables fail2ban
bob@server:~$ sudo /etc/init.d/fail2ban start

Now, you can check to see if it’s working by “pinging” the service:

bob@server:~$ sudo fail2ban-client ping
Server replied: pong

And you can get information on what's currently been banned by examining the ssh "jail". A jail is the term fail2ban uses for the combination of a log filter, its ban action and the current block list of remote hosts:

bob@server:~$ sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:		ssh
bob@server:~$ sudo fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:	/var/log/auth.log
|  |- Currently failed:	0
|  `- Total failed:	52
`- action
   |- Currently banned:	0
   |  `- IP list:
   `- Total banned:	7

To test that everything is working, simply try to log into your system with the wrong password three times. When you've done this and look at the output of "fail2ban-client status ssh", you will see your remote IP in the list. To unblock your IP, simply restart the fail2ban daemon (i.e. sudo /etc/init.d/fail2ban restart).
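Reading the status tree by eye is fine once, but if you want a cron job to check that a ban actually landed (the test above) or to alert when the banned count climbs, the tree has to be parsed. The parser below is an added example, not part of fail2ban or of this post; the sample text is the post's "status ssh" output with one constructed banned address (10.0.0.5) added to the IP list so there is something to find. The live_status() helper runs the real fail2ban-client and therefore needs root and a running daemon.

```python
import subprocess

# The post's `fail2ban-client status ssh` output, with one constructed banned
# address added so the IP list is non-empty. Fields are tab-separated.
SAMPLE_STATUS = """\
Status for the jail: ssh
|- filter
|  |- File list:\t/var/log/auth.log
|  |- Currently failed:\t0
|  `- Total failed:\t52
`- action
   |- Currently banned:\t1
   |  `- IP list:\t10.0.0.5
   `- Total banned:\t7
"""


def parse_status(text):
    """Turn the status tree into a dict: counters become ints, the file and
    IP lists become Python lists, and the jail name is kept under 'jail'."""
    info = {"IP list": []}
    for line in text.splitlines():
        body = line.lstrip("|`- ")          # drop the tree-drawing characters
        if ":" not in body:
            continue                         # section headers: "filter", "action"
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Status for the jail":
            info["jail"] = value
        elif key in ("IP list", "File list"):
            info[key] = value.split()        # space-separated, possibly empty
        elif value.isdigit():
            info[key] = int(value)
        else:
            info[key] = value
    return info


def is_banned(status_text, ip):
    """True if `ip` is in the jail's current block list."""
    return ip in parse_status(status_text)["IP list"]


def live_status(jail="ssh"):
    """Query the running daemon (requires root); same dict as parse_status()."""
    out = subprocess.run(["fail2ban-client", "status", jail],
                         check=True, capture_output=True, text=True).stdout
    return parse_status(out)


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(status)
    print("10.0.0.5 banned:", is_banned(SAMPLE_STATUS, "10.0.0.5"))
```

A useful follow-on is comparing "Total banned" between runs: a steady climb is the daemon doing its job, while "Total failed" rising with "Total banned" stuck at zero usually means the filter is not matching your sshd's log format and the jail is not protecting anything.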

These pages were very useful when reading about fail2ban:

1 Comment

  • By Paul, June 13, 2009 @ 4:08 am

    Hello Bob, why not go two factor and disable password logins?
