Fail2ban helps a lot to get rid of unwanted traffic to your server which cleans your log files a lot. In this post I will describe how to setup fail2ban on your server.
Introduction
This and all related posts describe setup of fail2ban version 0.9.x. Since configuration and also fail2ban capabilities have changed heavily, this cannot be easily transferred to 0.8. Anyway you want to have 0.9.x on your system due to the improved features. Unfortunately most current distributions come with 0.8.x in their repositories.
Installing fail2ban
If your distribution comes with 0.9.x you can directly install it from there. Otherwise make sure you have not installed any version of fail2ban from your distribution and follow one of the two methods described below.
Installation from archive
Download the latest 0.9-archive from fail2ban – e.g. 0.9.1.tar.gz. Unzip it to any new folder you like.
wget https://github.com/fail2ban/fail2ban/archive/0.9.1.tar.gz tar xvf 0.9.1.tar.gz cd fail2ban-0.9.1
Then continue with the installation process described in execute installation below. .
Installation from git sources
You can also directly check out from get sources. Unfortunately there is no branch available covering the latest 0.9.x version. So you will always update to the latest version which could be very unstable. The following steps can be executed in any directory you want.
git clone https://github.com/fail2ban/fail2ban.git cd fail2ban
Execute installation
Inside the created fail2ban created directory execute the following statement
python setup.py install
This will install fail2ban on your system, create the binaries in e.g. /usr/local/bin and copy the needed configuration files to /etc/fail2ban.
Basic configuration
Fail2ban comes with preconfigured config files. But these files should not be changed directly because this could lead to configuration issues while updating your fail2ban installation. Instead you can create your own configuration file ending with .local instead. If fail2ban finds a local version of a configuration file it will prefer the configured values from this file over the default ones.
Create your own copy of the main configuration file. (you need to do this as root, as the files belong root).
cd /etc/fail2ban cp jail.conf jail.local
All configuration made in jail.local have global effects. Some of them can be overwritten per jail later. Open the configuration file with your favorite text editor to edit the file as follows.
ignoreip
The parameter configures all IP addresses which should be ignored. This way you can ensure you do not kick your self out of your own system.
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx yyyy.yyyy.yyyy.yyyy
bantime
Using the parameter bantime you can configure how long (in seconds) an IP is blocked, after a malicious behavior was detected. The default value is 600 seconds, so 10 minutes. I think this value is too small – I prefer to use 86400 (1d).
maxretry
The parameter maxretry configures how many malicious actions must be found before fail2ban raises an action. The default value is a count of 5. I prefer to set this value to 3 globally. As mentioned below, it can be configured be rule if needed.
findtime
Parameter findtime configures in which timeframe an event must reoccur to be counted as malicious. The default value is 600 seconds, so 10 minutes. If fail2ban e.g. finds 3 (see parameter maxretry) failed login attempts within 10 minutes, it will raise an action. If the 3rd login attempt is executed later then 10 minutes after the first one, fail2ban will not react on any of the three login attempts. I usually keep this value.
enabled
By default we will disable all rules by setting this value to false. Otherwise all configured rules (also inside the jail.conf) would be active. We will set this value for each rule we have configured successfully.
sender and destemail
Fail2ban can send an email in case it has blocked an IP address. The two parameters configure which email address is used to send the email (sender) and to which email address the email is send (destmail).
action
Fail2ban defines several actions what should be done, in case an IP address has been identified to execute malicious activities. For this post we will ban the IP address using iptables features.
action = %(action_)s
First start
With this default configuration fail2ban can be started the first time – even tough it will not ban any IP yet. Make sure the following directory exists
ls -la /var/run/fail2ban
If it does not exist, create it (as root)
mkdir /var/run/fail2ban
Try to start the server using the following command (as root)
fail2ban-client start
Then test the communication using fail2ban-client ping
If the answer is
Server replied: pong
fail2ban is running perfectly.
The next post is how to analyze which services need to be protected using fail2ban.