Protecting Your Server With Fail2ban
Posted by Roger Orellana on 15 June 2017 04:08 PM

Fail2ban was created by Cyril Jaquier in 2004 to protect his Linux home server by blocking log-in attempts over SSH. The script was designed to find failed log-in attempts in the SSH log and ban the offender’s source IP in the Linux firewall (iptables).

Over the years, fail2ban has been significantly improved and can now be used for any service that records failed log-ins or abusive requests in a log file. SSH is still the only service that fail2ban monitors out of the box, but it ships with about 80 filters and 50 actions that can easily be enabled for other services such as Apache, Exim, ProFTPD and so on.


CHECKING THE STATUS OF FAIL2BAN

Depending on when it was provisioned, your eApps Cloud Server or Elastic VPS may already have fail2ban installed. If so, the eApps installation of fail2ban is set up to monitor the SSH, FTP and Exim services by default. If you are not sure whether fail2ban is installed, run the following command as the root user on a CentOS server (the package comes from the EPEL repository; if it is already installed, yum reports "Nothing to do" and changes nothing, otherwise it installs it):

yum install -y fail2ban

Check if the service is running:

service fail2ban status

And start it if not:

service fail2ban start


Just after the installation you can check which services are being monitored by fail2ban using the fail2ban-client command:

[root@web1 ~]# fail2ban-client status
Status
|- Number of jail:   5
`- Jail list:   exim, exim-spam, proftpd, sshd, sshd-ddos

A jail ties a filter (the regular expressions that recognise failures in a log file) to one or more actions (what to do with the offending address, typically inserting an iptables rule) for each service being monitored, together with the parameters that govern it: the log file to read, the ban time, the time window and the maximum number of failed attempts allowed.


CONFIGURING FAIL2BAN

The default configuration file is /etc/fail2ban/jail.conf. Do not edit it directly: it is replaced when the package is upgraded. Instead, copy the settings you want to change into /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which overrides it. Let's modify a few of the default settings, which live in the [DEFAULT] section:

ignoreip = 127.0.0.1/8

NOTE: Add your own public IP address, and any other known addresses that connect to the server, to this line as a space-separated list of addresses or CIDR blocks. Fail2ban ignores failures coming from these addresses, so they will never be banned. This keeps you from locking yourself out of your own SSH or (S)FTP client after a few mistyped passwords.

bantime  = 600

The default bantime is 600 seconds, or 10 minutes. If the server is under a sustained attack that is too short, because the attacker simply resumes once the ban expires. It is better to increase the bantime to 1 hour (3600 seconds).

findtime  = 600

This is the window, in seconds, within which fail2ban counts failed attempts against "maxretry" before banning an IP; attempts older than findtime no longer count. You may want to increase this to 3600, too, so that slow attacks spread over an hour are still caught.

maxretry = 5

The number of failed attempts within findtime before an IP is banned. You can reduce this to 3 while increasing the findtime.

After editing the configuration you need to restart the service in order to apply the changes. Note that settings placed in the [DEFAULT] section apply to all jails, unless a jail overrides them in its own section.

service fail2ban restart

NOTE: Sometimes, just after restarting the service you will notice a high CPU load on your server. This is normal since fail2ban needs to re-read all the logs and possibly ban offenders.
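The layering described above (jail.conf supplies defaults, jail.local overrides them, and a jail's own section overrides [DEFAULT]) is easy to get wrong, so here is a small model of it. This is an added example, not fail2ban's own code: it uses Python's configparser, whose [DEFAULT] section behaves the same way, to show which value each jail actually ends up with. Both file bodies are constructed samples and 203.0.113.10 is a placeholder admin address.

```python
"""Model of how fail2ban layers jail.conf, jail.local and per-jail sections.

Added example, not fail2ban's own code: Python's configparser treats a
[DEFAULT] section the way fail2ban does, so reading the files in order
shows which value each jail ends up with. Both file bodies below are
constructed samples; 203.0.113.10 is a placeholder admin address.
"""
import configparser

# Constructed stand-in for the packaged jail.conf (never edit the real one).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = ssh
logpath = /var/log/secure

[proftpd]
enabled = true
port    = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/secure

[apache-auth]
enabled = false
port    = http,https
logpath = /var/log/httpd/error_log
"""

# Constructed jail.local: the site's overrides, read after jail.conf.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.10
bantime  = 3600
findtime = 3600
maxretry = 3

[proftpd]
# FTP clients reconnect on every transfer, so this jail gets a looser limit.
maxretry = 6
"""

KEYS = ("ignoreip", "bantime", "findtime", "maxretry")


def load_layers(*layers):
    """Read config texts in order; a later layer overrides an earlier one,
    exactly as jail.local overrides jail.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    return cp


def effective_settings(cp, jail):
    """Resolve the values a jail ends up with after [DEFAULT] inheritance."""
    if not cp.has_section(jail):
        raise KeyError("no jail named %s" % jail)
    out = {}
    for key in KEYS:
        value = cp.get(jail, key)  # the jail's own value, else the [DEFAULT] one
        out[key] = value if key == "ignoreip" else int(value)
    return out


def enabled_jails(cp):
    """Names of jails whose (own or inherited) enabled flag is true."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


if __name__ == "__main__":
    cfg = load_layers(JAIL_CONF, JAIL_LOCAL)
    for name in enabled_jails(cfg):
        print(name, effective_settings(cfg, name))
```

Running it shows sshd picking up the tightened [DEFAULT] values from jail.local (maxretry 3, bantime and findtime 3600, the extra ignoreip address) while proftpd keeps those defaults except for the maxretry it sets itself. The real parser in fail2ban also handles value interpolation and the jail.d directory, which this model leaves out.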


CHECKING BANNED IPS

If you want to monitor the fail2ban status you have two options:

1. Check the log file, /var/log/messages (fail2ban logs through syslog on this installation; the destination is the logtarget setting in /etc/fail2ban/fail2ban.conf).
2. Use the fail2ban-client command.


Let's take a look at the log file:

[root@web1 ~]# tail /var/log/messages
May XX 20:54:46 web1 fail2ban.actions[25996]: NOTICE [sshd] Ban 186.170.YYY.XXX
May XX 21:00:36 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:38 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:39 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:41 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:43 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:43 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:44 web1 fail2ban.actions[25996]: NOTICE [sshd] Ban 156.213.YYY.XXX
May XX 21:00:45 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX
May XX 21:00:45 web1 fail2ban.filter[25996]: INFO [sshd] Found 156.213.YYY.XXX


Here we can see two banned IPs, 186.170.YYY.XXX and 156.213.YYY.XXX, both caught by the sshd jail. Each "Found" line is one log entry that matched the sshd filter; once an address accumulates maxretry matches within findtime, the jail's action fires and the "Ban" line is logged.

Similar information is reported by the fail2ban-client command, but here we need to ask for the specific jail, sshd. The output also shows which log file fail2ban is reading for the sshd jail, /var/log/secure:

[root@web1 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 8
|  `- File list:     /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list:   186.170.YYY.XXX 156.213.YYY.XXX


CREATING CUSTOM FILTERS AND JAILS

We can create our own jails to tighten security according to our needs. To do that, add the jail definition to /etc/fail2ban/jail.local, or create individual files under /etc/fail2ban/jail.d/. Fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, in alphabetical order within each directory, and later files override earlier ones.

One of the most common attacks that we used to see on a daily basis is the XML-RPC DDoS attack against xmlrpc.php, the XML-RPC endpoint that WordPress exposes. It is not just an incoming attack: the same endpoint can be abused (through its pingback feature) to make your server send traffic to third parties, so your server can be used to conduct outgoing DDoS attacks, too.

To prevent such attacks we can add a filter and a jail to fail2ban.

  1. Create the filter /etc/fail2ban/filter.d/apache-xmlrpc.conf and add the following content:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/xmlrpc\.php.* HTTP\/.*
ignoreregex =

This is just a regular expression that fail2ban applies to every line of the log file named by the jail's logpath. The <HOST> token is replaced by fail2ban with a pattern that captures the client IP address, and that captured address is the one that gets banned.

  2. Add the jail at the end of /etc/fail2ban/jail.local with the following content:

# Block xmlrpc
[apache-xmlrpc]

enabled  = true
port     = http,https
filter   = apache-xmlrpc
action   = iptables-multiport[name=auth, port="http,https"]
logpath  = /var/www/httpd-logs/*.access.log
#logpath  = /etc/httpd/logs/*access_log
#logpath = /home/*/*/access_log
#logpath = /var/www/*/data/logs/*access.log
maxretry = 3
bantime  = 604800
findtime = 3600


The most important part is the logpath, which is the access log for the website. This will vary depending on your configuration; the commented lines are the most common locations for the access log, and a wildcard matches the logs of several virtual hosts at once. Review your Apache configuration to use the correct one, or add your own. Also note that the name parameter of the action is used to name the iptables chain fail2ban creates, so giving it a value specific to this jail (for example name=apache-xmlrpc instead of the generic auth) keeps its rules separate from those of other jails.

Fail2ban will read the access log and, if it finds 3 requests to xmlrpc.php from the same IP within one hour, it will ban the offending IP for one week (604800 seconds). The port setting only determines which ports the iptables ban rule covers (http and https), not what is detected. Be aware that the filter matches every request to xmlrpc.php, including legitimate ones such as those from the WordPress mobile apps or the Jetpack plugin, so add the addresses of such clients to ignoreip or they will be banned as well.

You can adjust these values to be more or less restrictive.

NOTE: Remember that you need to restart the fail2ban service to apply this new filter and jail.
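To see exactly why an address gets banned under the findtime / maxretry / bantime settings discussed in the configuration section, and what the apache-xmlrpc filter above does to real access-log lines, here is the same logic replayed in plain Python. This is an added example, not fail2ban's own code: the failregex is the one from the filter above, the <HOST> substitution is assumed to be the one fail2ban 0.9 uses, the counting is a sliding findtime window that approximates fail2ban's counter, and every log line and address is constructed (192.0.2.9 stands in for a legitimate Jetpack-style client, 203.0.113.50 for the attacker).

```python
"""Run the apache-xmlrpc failregex over sample access-log lines and apply the
findtime / maxretry / bantime / ignoreip rules of a jail.

Added example, not fail2ban's own code. The regex is the one from the filter
above; the <HOST> substitution is assumed to be the one fail2ban 0.9 uses;
the counting is a sliding findtime window that approximates fail2ban's
counter; all log lines and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILREGEX = r'^<HOST> -.*"(GET|POST).*\/xmlrpc\.php.* HTTP\/.*'
# Assumed fail2ban 0.9 expansion of <HOST>: captures an IPv4/IPv6 address or
# host name into the "host" group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed combined-format access log, chronological as Apache writes it.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jun/2017:08:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "curl/7.29.0"
198.51.100.7 - - [15/Jun/2017:09:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "curl/7.29.0"
203.0.113.50 - - [15/Jun/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2017:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [15/Jun/2017:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
203.0.113.50 - - [15/Jun/2017:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
203.0.113.50 - - [15/Jun/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2017:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Jetpack"
192.0.2.9 - - [15/Jun/2017:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Jetpack"
192.0.2.9 - - [15/Jun/2017:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Jetpack"
198.51.100.7 - - [15/Jun/2017:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "curl/7.29.0"
""".splitlines()


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does when it loads a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line):
    """Pull the request time out of an Apache combined-format line."""
    m = APACHE_TS.search(line)
    if m is None:
        raise ValueError("no Apache timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def is_ignored(host, ignoreip):
    """True if host falls inside the space-separated ignoreip list of
    addresses / CIDR blocks. Host names are not resolved here."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in ignoreip.split())


def scan(lines, failregex, maxretry, findtime, bantime, ignoreip=""):
    """Replay log lines through the filter; return {host: ban expiry time}."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> match times still inside findtime
    bans = {}
    for line in lines:
        m = pattern.search(line)
        if m is None:
            continue                             # line does not match the filter
        host, ts = m.group("host"), parse_timestamp(line)
        if host in bans or is_ignored(host, ignoreip):
            continue                             # already banned, or whitelisted
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    result = scan(SAMPLE_LOG, FAILREGEX, maxretry=3, findtime=3600,
                  bantime=604800, ignoreip="127.0.0.1/8 192.0.2.9")
    for host, until in result.items():
        print("Ban %s until %s" % (host, until.isoformat()))
```

With the jail's values (maxretry 3, findtime 3600, bantime 604800) only 203.0.113.50 is banned, at its third hit, for one week. 198.51.100.7 also makes three xmlrpc.php requests, but they are 90 minutes apart, so each falls outside the findtime window of the previous one and it is never banned; raise findtime to four hours and it is. 192.0.2.9 would be banned within two seconds if it were not listed in ignoreip, which is the practical point of whitelisting legitimate XML-RPC clients.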

More information can be found at Fail2ban official page:

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal



