| Field | Value |
|---|---|
| author | Devoalda |
| authorEmoji | 🐺 |
| title | Fail2ban |
| description | Guide to setup fail2ban on Linux Workstations/Servers |
| date | 2020-07-05T12:34:33+08:00 |
| draft | false |
| hideToc | false |
| enableToc | true |
| enableTocContent | true |
| image | images/postImages/Hammer.png |
| tags | |
| categories | |
| series | |
Introduction
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) can also be configured. Out of the box, Fail2Ban ships with filters for various services (apache, courier, ssh, etc.).
Fail2Ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. If you really want to protect a service, configure it to accept only two-factor or public/private key authentication.
I have Fail2Ban set up on my personal workstation to help protect it from brute-force attacks. Fail2Ban is free and open-source software that helps secure a Linux server against malicious logins. If you run an SSH server on your machine, you will likely see a huge number of IPs trying to log in over SSH, and Fail2Ban can protect your system from these unwanted malicious logins.
Installation
Install fail2ban on the machine:
```shell
yay -S fail2ban
```
Note that I use Arch Linux with yay as my package manager; Fail2Ban should be available in the repositories of most popular distributions.
Configuration
Edit the /etc/fail2ban/jail.local file:
```shell
sudo vim /etc/fail2ban/jail.local
```
Insert the following:
```ini
[DEFAULT]
bantime = 1d
```
Edit /etc/fail2ban/jail.d/sshd.local:
```shell
sudo vim /etc/fail2ban/jail.d/sshd.local
```
Insert the following:
```ini
[sshd]
enabled = true
filter = sshd
banaction = ufw
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8
```
Two things to check before relying on this jail: banaction = ufw requires ufw to be installed and enabled, and backend = systemd makes the jail read sshd's failures from the systemd journal rather than a log file, which is what an Arch system without a separate syslog daemon provides. The bantime of 2w set here overrides the 1d set in [DEFAULT] for this jail only.
Option reference
- banaction - which firewall the ban is applied through (iptables, ufw, etc.)
- maxretry - number of failures within findtime before an IP is banned; lower it if you want a stricter policy
- ignoreip - IP addresses or networks that are never banned (keep your own management address here so you do not lock yourself out)
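To see how the two files above combine, here is an added Python example (not fail2ban's own code) that layers [DEFAULT] under the jail section the way fail2ban does, converts its duration suffixes to seconds, and answers whether an address falls inside ignoreip. The sample fragments are constructed from this post's snippets, and the hard-coded fallback values are assumptions standing in for what fail2ban reads from jail.conf.

```python
import configparser
import ipaddress
import re
# Constructed sample input mirroring the two files written in this post.
JAIL_LOCAL = "[DEFAULT]\nbantime = 1d\n"          # /etc/fail2ban/jail.local
SSHD_LOCAL = """[sshd]
enabled = true
filter = sshd
banaction = ufw
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8
"""                                               # /etc/fail2ban/jail.d/sshd.local

# fail2ban accepts plain seconds or a unit suffix: 600, 10m, 1d, 2w.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text: str) -> int:
    """Convert a fail2ban-style duration such as '1d' or '600' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def effective_jail(jail: str, *fragments: str) -> dict:
    """Merge fragments in load order (jail.local, then jail.d/*.local) and resolve
    one jail; jail-section keys win over [DEFAULT]. Fallbacks are assumed jail.conf defaults."""
    cfg = configparser.ConfigParser(interpolation=None)
    for frag in fragments:
        cfg.read_string(frag)
    if not cfg.has_section(jail):
        raise KeyError(f"jail {jail!r} is not defined")
    sec = cfg[jail]
    # strict=False masks host bits so '127.0.0.1/8' is accepted, as fail2ban does.
    nets = [ipaddress.ip_network(n, strict=False) for n in sec.get("ignoreip", "").split()]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "banaction": sec.get("banaction", "iptables-multiport"),
        "maxretry": sec.getint("maxretry", fallback=5),
        "findtime": parse_duration(sec.get("findtime", "10m")),
        "bantime": parse_duration(sec.get("bantime", "10m")),
        "ignoreip": nets,
    }

def is_ignored(settings: dict, ip: str) -> bool:
    """True if the jail would never ban this address (it matches ignoreip)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in settings["ignoreip"])
```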
Edit the file /etc/systemd/system/fail2ban.service.d/override.conf (create the fail2ban.service.d directory first if it does not exist):
```shell
sudo vim /etc/systemd/system/fail2ban.service.d/override.conf
```
Add the following:
```ini
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
NoNewPrivileges=yes
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
```
ProtectSystem=strict makes the whole filesystem read-only to the service except the listed ReadWritePaths; the leading - marks a path as optional, so a missing one (for example the postfix maildrop on a machine without postfix) does not stop the service from starting. The capability set is limited to what fail2ban needs to read logs and change firewall rules.
Edit the file /etc/fail2ban/fail2ban.local with the correct logtarget path:
```shell
sudo vim /etc/fail2ban/fail2ban.local
```
Add the following:
```ini
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
```
This path has to be writable under the systemd override above, which is why /var/log/fail2ban is one of its ReadWritePaths entries.
Create the directory /var/log/fail2ban/ as root:
```shell
sudo mkdir /var/log/fail2ban/
```
Start and enable fail2ban.service:
```shell
sudo systemctl daemon-reload
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
```
Restart the fail2ban server through fail2ban-client and view its status:
```shell
sudo fail2ban-client restart
sudo fail2ban-client status
```