Ban if you haven't already with Fail2Ban


If your server is public facing, then it's going to be attacked in every possible way. While doing something on my server, I noticed I had rotated "auth.log" files over 33MB large unzipped. OK, that's a little too much. I tailed the current file and what do I see:

Dec  7 17:37:58 user sshd[168]: Failed password for root from 103.41.xxx.xxx port 43521 ssh2
Dec  7 17:37:59 user sshd[168]: Failed password for root from 103.41.xxx.xxx port 43521 ssh2
Dec  7 17:38:02 user sshd[168]: Failed password for root from 103.41.xxx.xxx port 43521 ssh2


Unbelievable, and the redacted IPs are from all over the world. So it looks like it's time to harden the server again. Quick googling showed me that some of my better options were "fail2ban" and "denyhosts". Fail2ban clearly won, since it can do a bit more than just SSH log watching.

So next I just did the following:

sudo apt-get update
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Scan the configuration file "jail.local" you created above and enable what you feel you need. Decide what tolerance you want to show these IPs. My logs showed that these were just repeat offenders, so I decided to ban them outright. Some poor soul might by chance be locked out of my server forever, but the probability of that is very remote, so I guess I can live with that on my conscience. Below are the minimal changes I made to start using fail2ban:

bantime  = -1
maxretry = 6

# Find the ssh entry/jail and enable it
[ssh]
enabled  = true


Since I don't have a configured firewall on the server yet, and I wanted to stop the attacks right now before having to configure all that, I needed to make one more change as follows:

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = hostsdeny

This will make fail2ban write banned addresses to the hosts.deny file on your server (TCP wrappers) instead of adding iptables rules. Then just restart the fail2ban service as below:

sudo service fail2ban restart

And voilà: observe the banning of these baddies in the fail2ban log and the IPs appearing in the hosts.deny file. If you specify a positive value for bantime, you will eventually also see unban statements for the same IPs.

2014-12-15 11:58:28,802 fail2ban.actions: WARNING [ssh] Ban 218.2.xxx.xxx
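To make the ban decision above concrete, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the same counting rule the ssh jail does to a few constructed auth.log lines: each "Failed password" line is counted per source IP, an IP that reaches maxretry failures within findtime seconds is banned, and bantime = -1 means there is no unban time at all. The sample log lines, the IP addresses (documentation ranges) and the year assumed for the year-less syslog timestamps are constructed for this example; the hosts.deny output uses the standard TCP-wrappers form `ALL: <ip>`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not real traffic). 203.0.113.10 fails six
# times in 14 seconds; 198.51.100.7 fails twice, two minutes apart; one success.
SAMPLE_AUTH_LOG = """\
Dec  7 17:37:58 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:37:59 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:38:02 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:38:05 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:38:09 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:38:12 user sshd[168]: Failed password for root from 203.0.113.10 port 43521 ssh2
Dec  7 17:40:00 user sshd[170]: Failed password for admin from 198.51.100.7 port 50001 ssh2
Dec  7 17:41:00 user sshd[171]: Accepted publickey for deploy from 192.0.2.5 port 50002 ssh2
Dec  7 17:42:00 user sshd[172]: Failed password for admin from 198.51.100.7 port 50003 ssh2
"""

# Matches the sshd failure line shown in the post (also the "invalid user" variant).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Syslog timestamps carry no year; the year is an assumption of this example.
ASSUMED_YEAR = 2014


def parse_timestamp(ts):
    """Turn 'Dec  7 17:37:58' into a datetime (day padding normalised)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=6, findtime=600):
    """Return {ip: ban_time} for IPs with >= maxretry failures inside a findtime window.

    This mirrors the jail parameters from jail.local: failures older than
    findtime seconds fall out of the window, and a banned IP is not counted again.
    """
    window = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successful logins and other noise are ignored
        ip = m.group("ip")
        if ip in bans:
            continue                      # already banned; fail2ban stops counting it
        t = parse_timestamp(m.group("ts"))
        q = window[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()                   # drop failures outside the findtime window
        if len(q) >= maxretry:
            bans[ip] = t
    return bans


def unban_time(ban_at, bantime):
    """bantime = -1 is a permanent ban (no unban); otherwise unban after bantime seconds."""
    if bantime < 0:
        return None
    return ban_at + timedelta(seconds=bantime)


def hosts_deny_lines(bans):
    """Render bans in the TCP-wrappers hosts.deny form used with banaction = hostsdeny."""
    return [f"ALL: {ip}" for ip in sorted(bans)]


def ban_log_lines(bans, jail="ssh"):
    """Render the fail2ban-style 'Ban' messages the post shows in the fail2ban log."""
    return [f"{t:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [{jail}] Ban {ip}"
            for ip, t in sorted(bans.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    bans = find_bans(SAMPLE_AUTH_LOG, maxretry=6, findtime=600)
    for line in ban_log_lines(bans):
        print(line)
    print("\n".join(hosts_deny_lines(bans)))
    for ip, t in bans.items():
        print(ip, "unban at:", unban_time(t, -1) or "never (bantime = -1)")
```

With the post's settings (maxretry = 6) only the six-strike IP is banned; lowering maxretry to 2 also catches the slower second address, and shrinking findtime to 60 seconds lets it through again, which is the trade-off the "tolerance" decision above is really about.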



That's that for all those trying to crack my server on the SSH port. Not that they had a chance with dictionary attacks, which are the only ones that make sense here. The next task for me is to block these repeat port scanners. Firewall reject rules will definitely also help, but I want to ban those as well. I'll leave that for another day, hopefully soon.

Here is something I noticed in monitorix after setting this up; the graph is quite encouraging. (Search for the term monitorix on my website if you'd like to know how to set it up.)


Fail2Ban monitorix graph
