Sunday, September 14, 2008

Secure linux server with fail2ban

I wrote briefly about fail2ban earlier, but since fail2ban is such an awesome application, I wanted to tell a little more about it. It works like DenyHosts, which I am planning to test later.

Fail2ban is basically a tool that observes all login attempts to your server through various services, like SSH, HTTPD, FTP, Telnet (oh god, no telnet, please!). If it finds many failed login attempts in a row from the same IP / host, it blocks that IP / host with an iptables firewall rule. Handy piece of software, I say!

We're going to configure fail2ban to monitor the SSH server, because I'm not running any other open service on my linux server. If you're using proftpd or some other server that requires authentication, it is quite easy to apply the same changes to those servers, too!

1) Install fail2ban

The easiest way to install fail2ban is to use yum. As I have said before, yum is easy to use and you save a lot of time by using it. If you know exactly what you're doing, go ahead and compile your own applications!

yum install fail2ban

Start fail2ban and create system startup links:

/etc/init.d/fail2ban start
chkconfig --levels 235 fail2ban on
2) Configuring fail2ban

Fail2ban configuration files can be found in the /etc/fail2ban directory. The default configuration is in the jail.conf file. Take a look and you'll see it is not hard to understand! There is a [DEFAULT] section at the beginning of the configuration file; the settings in it apply to every jail and can be overridden in the individual jail sections below it.

Here are explanations of the settings:

* ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban. For example, if the computer from which you're connecting to the server has a static IP address, you might want to list it here.

* bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).

* maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.

* filter: Refers to the appropriate filter file in /etc/fail2ban/filter.d.

* action: Refers to the appropriate action file in /etc/fail2ban/action.d.

* logpath: The log file that fail2ban checks for failed login attempts.

Make sure to replace the email address you@mail.com with your own email address so that you get notified when someone gets blocked by fail2ban.

After you have edited your configuration the way you want it, restart fail2ban and you're good to go!
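To show how the settings above fit together, here is an added example (not from the original post) that writes a jail.local next to jail.conf. fail2ban reads jail.conf first and then jail.local, so overrides kept in jail.local survive a package upgrade that replaces jail.conf. The jail name [sshd] is chosen to match the log lines shown later in the post; the log path /var/log/secure, the workstation address 192.0.2.10 and the mail addresses are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not the post's own configuration: writes a jail.local that
# overrides the jail.conf defaults explained above. Assumptions (not from the
# post): the jail is called [sshd], the SSH log on this box is /var/log/secure,
# and 192.0.2.10 / admin@example.com / fail2ban@example.com are placeholders.
write_jail_local() {
    confdir="$1"            # normally /etc/fail2ban
    cat > "$confdir/jail.local" <<'EOF'
[DEFAULT]
# Hosts that are never banned (space-separated): localhost and the admin
# workstation (placeholder address, replace with your static IP)
ignoreip = 127.0.0.1 192.0.2.10
# 600 seconds = 10 minutes of blocking per ban
bantime  = 600
# Fallback for jails that do not set their own maxretry
maxretry = 3

[sshd]
enabled  = true
# Filter file: /etc/fail2ban/filter.d/sshd.conf
filter   = sshd
# Block with iptables and mail a whois report about the offender
# (action files: /etc/fail2ban/action.d/iptables.conf and sendmail-whois.conf)
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=admin@example.com, sender=fail2ban@example.com]
# Log file that fail2ban scans for failed SSH logins
logpath  = /var/log/secure
# Per-jail override of the default: allow 5 failures before banning
maxretry = 5
EOF
}

# Usage: write_jail_local /etc/fail2ban && /etc/init.d/fail2ban restart
```

The per-jail maxretry wins over the one in [DEFAULT], which is exactly the override behaviour described above; after writing the file, restart fail2ban so the new jail is loaded.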

Fail2ban logs to /var/log/fail2ban.log, so you can check that file to find out if/what hosts got blocked. If a host got blocked by fail2ban, it looks like this:

2008-08-08 17:49:09,466 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4

You can also check your firewall to see if any hosts are currently blocked. Simply run

iptables -L
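Reading the log by eye works for a couple of lines, but a busy server accumulates many Ban and Unban entries. The following added example (not from the original post) summarises /var/log/fail2ban.log into one line per jail and host, most-banned host first, counting only Ban events. The sample lines it runs on when invoked without a log file are constructed for the demo and follow the log format shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: count fail2ban bans per jail
# and host from log lines in the format shown above, i.e.
#   <date> <time> fail2ban.actions: WARNING [<jail>] Ban <ip>
# Unban lines are ignored. Output: "<count> <jail> <ip>", highest count first.
ban_summary() {
    logfile="${1:-/var/log/fail2ban.log}"
    awk '$3 == "fail2ban.actions:" && $6 == "Ban" {
            jail = $5
            gsub(/\[|\]/, "", jail)        # strip the [ ] around the jail name
            count[jail " " $7]++
         }
         END { for (k in count) print count[k], k }' "$logfile" | sort -rn
}

# Constructed sample log (not real traffic) so the script runs offline
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2008-08-08 17:49:09,466 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 17:59:09,470 fail2ban.actions: WARNING [sshd] Unban 1.2.3.4
2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 18:10:01,002 fail2ban.actions: WARNING [sshd] Ban 198.51.100.7
EOF
    ban_summary "$tmp"
    rm -f "$tmp"
}

# Usage on a real server: ban_summary /var/log/fail2ban.log
demo
```

A host that keeps reappearing after each 10-minute ban expires is a candidate for a longer bantime or a permanent firewall rule. When checking the live rules, iptables -L -n avoids the slow reverse DNS lookups that plain iptables -L performs on every banned address; with the iptables action the banned hosts sit in a chain named fail2ban-SSH (from the name=SSH parameter).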

For services that use TCP Wrappers to block hosts, take a look at /etc/hosts.deny.
