Protecting servers with fail2ban – basic installation

Fail2Ban

Fail2ban helps a lot to get rid of unwanted traffic to your server, which also keeps your log files much cleaner. In this post I will describe how to set up fail2ban on your server.

Introduction

This and all related posts describe the setup of fail2ban version 0.9.x. Since the configuration and also the capabilities of fail2ban have changed heavily, this cannot easily be transferred to 0.8. In any case you want to have 0.9.x on your system because of the improved features. Unfortunately most current distributions still ship 0.8.x in their repositories.

Installing fail2ban

If your distribution comes with 0.9.x you can install it directly from there. Otherwise make sure you have not installed any version of fail2ban from your distribution and follow one of the two methods described below.

Installation from archive

Download the latest 0.9 archive from fail2ban, e.g. 0.9.1.tar.gz, and extract it into any new folder you like.

wget https://github.com/fail2ban/fail2ban/archive/0.9.1.tar.gz
tar xvf 0.9.1.tar.gz
cd fail2ban-0.9.1

Then continue with the installation process described under "Execute installation" below.

Installation from git sources

You can also check out the git sources directly. Unfortunately there is no branch available covering the latest 0.9.x version, so you will always get the latest development version, which could be very unstable. The following steps can be executed in any directory you want.

git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban

Execute installation

Inside the fail2ban directory created above, execute the following statement

python setup.py install

This will install fail2ban on your system, create the binaries in e.g. /usr/local/bin and copy the needed configuration files to /etc/fail2ban.

Basic configuration

Fail2ban comes with preconfigured config files. These files should not be changed directly, because this could lead to configuration issues when updating your fail2ban installation. Instead, create your own configuration file with the same name but ending in .local. If fail2ban finds a local version of a configuration file, it prefers the values configured there over the default ones.

Create your own copy of the main configuration file (you need to do this as root, as the files belong to root).

cd /etc/fail2ban
cp jail.conf jail.local

All configuration made in jail.local has a global effect. Some of the values can be overwritten per jail later. Open the configuration file with your favorite text editor and edit it as follows.

ignoreip

This parameter lists all IP addresses which should be ignored. This way you can ensure you do not lock yourself out of your own system.

ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx yyyy.yyyy.yyyy.yyyy

bantime

Using the parameter bantime you can configure how long (in seconds) an IP is blocked after malicious behavior was detected. The default value is 600 seconds, i.e. 10 minutes. I think this value is too small; I prefer to use 86400 (1 day).

maxretry

The parameter maxretry configures how many malicious actions must be found before fail2ban triggers an action. The default value is 5. I prefer to set this value to 3 globally. As mentioned above, it can be overridden per jail if needed.

findtime

The parameter findtime configures the timeframe within which an event must reoccur to be counted as malicious. The default value is 600 seconds, i.e. 10 minutes. If fail2ban e.g. finds 3 (see parameter maxretry) failed login attempts within 10 minutes, it triggers an action. If the 3rd login attempt happens later than 10 minutes after the first one, fail2ban will not react to any of the three login attempts. I usually keep this value.

enabled

By default we disable all rules by setting this value to false. Otherwise all configured rules (including those inside jail.conf) would be active. We will set this value for each rule once we have configured it successfully.

sender and destemail

Fail2ban can send an email whenever it has blocked an IP address. The two parameters configure which email address is used to send the email (sender) and to which email address the email is sent (destemail).

action

Fail2ban defines several actions describing what should be done once an IP address has been identified as executing malicious activities. For this post we will ban the IP address using iptables.

action = %(action_)s
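To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is a small Python model of the counting rule as described above. It is an added illustration written for this post, not fail2ban's own code; the addresses used are constructed examples, and the reset behaviour (a failure arriving later than findtime after the first one starts a fresh count) follows the description of findtime above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class JailConfig:
    # Values from the post: ignore own hosts, ban one day, 3 failures in 10 min.
    ignoreip: tuple = ("127.0.0.1/8",)
    bantime: int = 86400
    findtime: int = 600
    maxretry: int = 3

class Jail:
    """Simplified model of fail2ban's per-IP failure counting (illustration only).
    Failures are counted from the first failure of a window lasting findtime
    seconds; a failure arriving after that window has closed starts a new
    window with a count of 1, so the earlier failures are forgotten."""

    def __init__(self, cfg: JailConfig):
        self.cfg = cfg
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in cfg.ignoreip]
        self.counters = {}  # ip -> [window_start, retries]
        self.bans = {}      # ip -> time the ban expires

    def is_ignored(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip: str, now: float) -> bool:
        until = self.bans.get(ip)
        if until is None:
            return False
        if now >= until:  # bantime elapsed: the ban is lifted
            del self.bans[ip]
            return False
        return True

    def failure(self, ip: str, now: float) -> bool:
        """Record one failed attempt at `now`; return True if it triggers a ban."""
        if self.is_ignored(ip) or self.is_banned(ip, now):
            return False
        window = self.counters.get(ip)
        if window is None or now - window[0] > self.cfg.findtime:
            window = self.counters[ip] = [now, 0]  # start a fresh window
        window[1] += 1
        if window[1] >= self.cfg.maxretry:
            self.bans[ip] = now + self.cfg.bantime
            del self.counters[ip]
            return True
        return False
```

Feeding the model three failures from one address at 0, 100 and 200 seconds bans it, while failures at 0, 100 and 700 seconds do not, because the third one lies outside findtime and restarts the count.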

First start

With this default configuration fail2ban can be started for the first time, even though it will not ban any IP yet. Make sure the following directory exists

ls -la /var/run/fail2ban

If it does not exist, create it (as root)

mkdir /var/run/fail2ban

Try to start the server using the following command (as root)

fail2ban-client start

Then test the communication using

fail2ban-client ping

If the answer is

Server replied: pong

fail2ban is running perfectly.

The next post describes how to analyze which services need to be protected using fail2ban.