Time for fail2ban installation

As I see auth.log fill up with brute-force attempts against every service that is open to the internet, it is always good to have some protection, and fail2ban provides good features for minimizing those attacks. fail2ban watches the log files and alters the iptables configuration on the fly once a predefined number of unsuccessful login attempts has come from the same IP. In the beginning I will configure fail2ban to alter iptables locally on my server, but later I will change that so that my gateway (MikroTik) is the firewall that blocks the banned IPs. But first, installation of fail2ban locally only.

First, installation of fail2ban.

Pretty easy installation part; now for the configuration. fail2ban keeps its configuration in /etc/fail2ban, mainly in the file jail.conf, but we want to copy jail.conf to jail.local and do our configuring in jail.local, so that a package update does not overwrite our settings (fail2ban reads jail.conf first and then lets jail.local override it).

When we have copied the file we just open it with our editor of choice; for me it has always been nano.

There are some settings I change to suit my needs under [DEFAULT], which applies to all jails that do not specify their own values.

With ignoreip I exclude my internal network and localhost from being banned. Although that means one of my internal devices could be used to brute-force the server without getting banned, I want this at least now while I am configuring, so that I do not get myself banned by mistake.

My defaults are bantime = 600 (a ban lasts 10 minutes), findtime = 600 and maxretry = 3: when 3 failed attempts from the same IP are seen within the last 10 minutes, the ban kicks in.


In the action settings I have not changed anything at this moment. Let's skip to the jails, the individual services we want to monitor.

At this moment I only monitor one service, SSH. In its jail I have set enabled = true and specified the service's own bantime, findtime and maxretry, which override the values from [DEFAULT] (yes, I know they are the same right now). We also specify with logpath which log file fail2ban will monitor for the unsuccessful login attempts, /var/log/auth.log in my case.
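The whole configuration described above, as an added example (not the post's own files): a script that installs fail2ban on Debian/Ubuntu and writes a jail.local with the settings just discussed. Rather than copying the entire jail.conf and editing it, it writes a jail.local that contains only the overrides, which fail2ban reads after jail.conf; the end result is the same. The internal network 192.168.1.0/24, the install location /etc/fail2ban and the apt-based install are assumptions; the jail_get helper is only there to read back what was written.

```shell
#!/bin/sh
# Added example: install fail2ban (Debian/Ubuntu assumed) and write a
# jail.local carrying the overrides from the post. /etc/fail2ban and the
# 192.168.1.0/24 LAN are assumptions; adjust to your environment.
set -eu

FAIL2BAN_DIR="${FAIL2BAN_DIR:-/etc/fail2ban}"

# Package install; needs root. Only run when invoked with "apply".
install_fail2ban() {
    apt-get update
    apt-get install -y fail2ban
}

# Write a minimal jail.local to the path given as $1. jail.conf is owned by
# the package and replaced on upgrade; jail.local is read afterwards and
# overrides it, so local changes belong here.
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# Never ban localhost or the internal network (192.168.1.0/24 is an assumed example)
ignoreip = 127.0.0.1/8 192.168.1.0/24
# A ban lasts 10 minutes ...
bantime  = 600
# ... and is triggered by maxretry failures within a 10 minute window
findtime = 600
maxretry = 3

# Jail for the OpenSSH daemon. fail2ban 0.8.x packages name it [ssh],
# 0.9 and later name it [sshd]; the filter file is sshd.conf either way.
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
bantime  = 600
findtime = 600
maxretry = 3
EOF
}

# jail_get FILE SECTION KEY: print the value of KEY in [SECTION], so the
# written file can be checked without starting fail2ban.
jail_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

if [ "${1:-}" = "apply" ]; then
    install_fail2ban
    write_jail_local "$FAIL2BAN_DIR/jail.local"
    service fail2ban restart
fi
```

Run it as `sh install-fail2ban.sh apply` on the server; without the argument it only defines the functions, so `write_jail_local /tmp/jail.local` followed by `jail_get /tmp/jail.local ssh maxretry` lets you inspect the result first.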

The filter for the SSH jail can be found under /etc/fail2ban/filter.d/ in the file sshd.conf, which defines the regular expressions fail2ban uses to read the log file and pick out the unsuccessful logins we are after. A filter can be checked against a log file with fail2ban-regex before the jail is enabled, so you can see how many lines it matches.
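To make the filter and jail behaviour concrete, here is an added example (not from the post or from fail2ban itself) that emulates what the sshd filter plus findtime, maxretry and ignoreip do, run over a constructed sample of auth.log lines. It shows three things the paragraphs above only state: a fast attacker gets banned at the third failure, an attacker spacing attempts further apart than findtime never does, and the ignoreip network is never banned however often it fails. The log lines and addresses are constructed; the real check is still fail2ban-regex against the real filter and log.

```shell
#!/bin/sh
# Added example: emulate the sshd filter and the jail's counting logic over
# constructed auth.log lines. Not fail2ban's code; fail2ban-regex is the
# real tool for testing a filter.
set -eu

# Constructed sample of /var/log/auth.log. All lines are on the same day,
# so only the time of day is parsed. Addresses are documentation ranges.
sample_auth_log() {
    cat > "$1" <<'EOF'
Mar 10 12:00:00 server sshd[1230]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:01 server sshd[1231]: Failed password for invalid user admin from 203.0.113.5 port 50000 ssh2
Mar 10 12:00:04 server sshd[1232]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar 10 12:00:05 server sshd[1233]: Accepted publickey for me from 192.168.1.20 port 51000 ssh2
Mar 10 12:00:06 server sshd[1234]: Failed password for root from 192.168.1.20 port 51001 ssh2
Mar 10 12:00:07 server sshd[1235]: Failed password for root from 192.168.1.20 port 51002 ssh2
Mar 10 12:00:08 server sshd[1236]: Failed password for root from 192.168.1.20 port 51003 ssh2
Mar 10 12:00:09 server sshd[1237]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar 10 12:00:12 server sshd[1238]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar 10 12:15:00 server sshd[1239]: Invalid user oracle from 198.51.100.7
Mar 10 12:30:00 server sshd[1240]: Failed password for root from 198.51.100.7 port 40002 ssh2
EOF
}

# f2b_scan LOGFILE FINDTIME MAXRETRY "IGNOREIP LIST"
# Prints "BAN <ip>" once for every address that accumulates MAXRETRY
# matching failures within FINDTIME seconds and is not in the ignore list.
f2b_scan() {
    awk -v findtime="$2" -v maxretry="$3" -v ignore="$4" '
    function ip2int(ip,    a) {
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # CIDR match without bit operators: compare the network parts after
    # integer division by 2^(32 - prefix length).
    function ignored(ip,    i, p, bits, div) {
        for (i = 1; i <= nign; i++) {
            split(ign[i], p, "/")
            bits = (p[2] == "") ? 32 : p[2] + 0
            div = 2 ^ (32 - bits)
            if (int(ip2int(ip) / div) == int(ip2int(p[1]) / div)) return 1
        }
        return 0
    }
    BEGIN { nign = split(ignore, ign, " ") }
    # Roughly the failregex entries of filter.d/sshd.conf that matter here.
    /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user) .* from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {
        match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        if (ignored(ip) || (ip in banned)) next
        split($3, hms, ":")
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        # Record this failure, then forget failures older than findtime.
        cnt[ip]++
        ts[ip, cnt[ip]] = t
        if (!(ip in first)) first[ip] = 1
        while (first[ip] <= cnt[ip] && ts[ip, first[ip]] < t - findtime) first[ip]++
        if (cnt[ip] - first[ip] + 1 >= maxretry) {
            banned[ip] = 1
            print "BAN " ip
        }
    }' "$1"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_auth_log "$tmp"
    f2b_scan "$tmp" 600 3 "127.0.0.1/8 192.168.1.0/24"
    rm -f "$tmp"
fi
```

With the post's values (findtime 600, maxretry 3, the LAN in ignoreip) only 203.0.113.5 is banned; 198.51.100.7 never has three failures inside one 10 minute window, and 192.168.1.20 is skipped by ignoreip. Raising findtime to 3600 catches the slow attacker as well, and an empty ignoreip would ban the internal host, which is exactly the trade-off mentioned above.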

After this has been done I moved on to the firewall on the server. Since I have another firewall acting as gateway that forwards traffic to the server, I do not, as I normally would, configure the server's firewall to let in only specific traffic; for now I leave it open and only block the IPs that fail2ban bans. Otherwise I would allow established connections, SSH traffic and web traffic to the server and drop everything else, but as there is a firewall in front of my server I leave it open and block only what I do not want. The fail2ban service adds a rule to the INPUT chain for each jail that sends the jail's traffic (for the SSH jail, TCP port 22) to a chain of its own, fail2ban-ssh, whose last rule is a RETURN that lets traffic not matched by any ban flow right back into the INPUT chain.

For each ban fail2ban inserts a rule at the top of that chain rejecting the banned IP address, and deletes it again when the bantime expires.
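The chain layout just described, spelled out as an added example (not the post's own commands, and not fail2ban's own action file): the iptables calls fail2ban's default iptables-multiport action makes for an SSH jail, as start, ban, unban and stop functions. The chain name fail2ban-ssh matches fail2ban 0.8; 0.9 and later use f2b-ssh. The dryrun helper and the IPT variable are additions so the rules can be printed without touching a live firewall; the banned address 203.0.113.5 is a constructed example.

```shell
#!/bin/sh
# Added example: the iptables rules behind a fail2ban SSH jail, written out
# by hand so the chain structure is visible. Set IPT=dryrun to print the
# rules instead of applying them (applying needs root).
set -eu

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-fail2ban-ssh}"

# Stand-in for iptables that prints the rule it would have applied.
dryrun() {
    printf '%s\n' "$*"
}

# actionstart: a chain for the jail, a trailing RETURN so unbanned traffic
# goes back to INPUT, and a jump from INPUT for the jail's port only.
f2b_start() {
    "$IPT" -N "$CHAIN"
    "$IPT" -A "$CHAIN" -j RETURN
    "$IPT" -I INPUT -p tcp -m multiport --dports ssh -j "$CHAIN"
}

# actionban: insert at position 1 so the REJECT sits above the RETURN.
f2b_ban() {
    "$IPT" -I "$CHAIN" 1 -s "$1" -j REJECT --reject-with icmp-port-unreachable
}

# actionunban: delete exactly the rule inserted above (run at bantime expiry).
f2b_unban() {
    "$IPT" -D "$CHAIN" -s "$1" -j REJECT --reject-with icmp-port-unreachable
}

# actionstop: undo everything in reverse order so the chain can be removed.
f2b_stop() {
    "$IPT" -D INPUT -p tcp -m multiport --dports ssh -j "$CHAIN"
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

# List the jail's chain the way the post inspects it.
f2b_show() {
    "$IPT" -S "$CHAIN"
}

if [ "${1:-}" = "demo" ]; then
    IPT=dryrun
    f2b_start
    f2b_ban 203.0.113.5
    f2b_unban 203.0.113.5
    f2b_stop
fi
```

`sh f2b-chain.sh demo` prints the rule sequence; on a live box, `iptables -S fail2ban-ssh` after a ban shows the REJECT rule sitting above the RETURN, and `fail2ban-client status ssh` shows the same address from fail2ban's side.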

After all the configuring has been done, time to restart the service and test whether it works.

Time for testing, but that was not necessary for me: just a few minutes after restarting fail2ban I checked iptables with the command iptables -S and I had my first ban. fail2ban-client status ssh shows the same banned address from fail2ban's side.



All these posts I have written from memory. At first I was not going to write them down, but maybe I will remember things more easily next time if I do. Installing fail2ban was done a few days ago, so the details are not very specific, but all the configuring I have done is there, and from now on I will try to write these posts as I do the installation and configuring.

The next step in this project was fail2sql, so that my SQL database gets populated for the future.

One thought on “Time for fail2ban installation”

  1. Please help
    I’ve configured jail.local for [ssh] and I’ve got the IP blocked and the logs in /var/log/auth.log have been read, but the fail2sql database is still empty.
    What is lacking in my configuration?
    Thank you
