Install fail2ban

Updated on: 14.Dec.2020

Since our server faces the Internet, anyone with a valid SSH user ID and password can reach it from anywhere, which attracts people who try to break in by guessing the ID and password. With this in mind, we need to add another layer of protection behind the firewall.

  • To install fail2ban

  sudo apt-get install fail2ban

  • The following package is for saving the firewall policy

  sudo apt-get install iptables-persistent

Configuring fail2ban

  • Then, review the config

  sudo nano /etc/fail2ban/jail.conf

  • Change the following settings in the configuration file and save it.
  ignoreip = 127.0.0.1/8
  bantime = 10m

The valid time units are:

s    seconds = 1
m    minutes = 60
h    hours = 3600
d    days = 86400
w    weeks = 604800

  • Then, add the following file
  sudo nano /etc/fail2ban/jail.local

With the following content

  [sshd]
  enabled = true

  # incremental banning time
  bantime.increment = true
  bantime.factor = 1
  bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor

Customizing fail2ban
 
fail2ban allows any customized filter. I found an article (https://0wned.it/2016/03/21/banning-repeat-offenders-with-fail2ban/) that shows how to do the customization. You may want to do this to automate the battle with the hacking bots.
  • Edit /etc/fail2ban/jail.local by adding the following
  # the filter will be created below.
  [repeat-offender]
  enabled = true
  filter = repeat-offender
  port = all
  banaction = iptables-allports
  logpath = /var/log/fail2ban.log
  # Repeat offender if previously banned 3 times within 5 hours.
  maxretry = 3
  findtime = 5h
  # Ban for 48 hours.
  bantime = 48h
  • Create this new file: /etc/fail2ban/filter.d/repeat-offender.conf:
  [Definition]
  failregex = fail2ban\.actions\[\d+\]: WARNING \[.*\] Unban <HOST>$
  ignoreregex = fail2ban\.actions\[\d+\]: WARNING \[repeat-offender\].*$

Customized filter in fail2ban #2
 
After I had enabled the SSH key, some guys were still trying their luck at accessing the server through SSH. In the /var/log/auth.log file, I saw many of the following lines:

...
Nov 29 20:29:48 myserver sshd[62008]: Received disconnect from 104.248.143.188 port 38968:11: Normal Shutdown, Thank you for playing [preauth]
...
Dec  1 03:22:20 myserver sshd[69945]: Unable to negotiate with 23.239.13.194 port 48784: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
...
Dec  6 16:29:18 myserver sshd[117410]: Invalid user admin from 141.98.9.167 port 33901
...
Dec  6 16:29:10 myserver sshd[117402]: Connection closed by authenticating user root 141.98.9.163 port 44229 [preauth]
...
Dec  7 09:39:14 myserver sshd[121992]: Connection closed by 212.109.195.222 port 52660 [preauth]
...

So, I decided to automate the banning of these IP addresses.
  • Create this new file: /etc/fail2ban/filter.d/my-filter.conf
   [Definition]
   failregex = Received disconnect from <HOST>.*Normal Shutdown, Thank you for playing \[preauth\]$
            Unable to negotiate with <HOST>.*no matching key exchange method found. Their offer.*
            Invalid user .*from <HOST> port .*
            Connection closed by .*<HOST> port .* \[preauth\]$

   ignoreregex =
  • Edit /etc/fail2ban/jail.local by adding the following to the bottom of the file
   [my-filter]
   enabled = true
   filter = my-filter
   port = all
   banaction = iptables-allports
   logpath = /var/log/auth.log

   maxretry = 5
   findtime = 5h
   bantime = 48h
  • Save the changes.
  • To test the new filter:
   fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/my-filter.conf

and you will find the result in the console.
  • Restart fail2ban.

Customized filter in fail2ban #3

We are hosting our website (https://ciysys.com) on a cloud server and we don't want "crazy" web crawlers that consume too much of the bandwidth. After some research on the Internet, we found out that we can block such web crawlers by using fail2ban.

For example, we don't want to let PetalBot crawl our website at all (including robots.txt) so that our marketing team has clean web statistics. I found the following log line in /var/log/nginx/access.log

...
114.119.136.64 - - [13/Dec/2020:03:33:07 +0000] "GET /robots.txt HTTP/1.1" 301 178 "-" "(compatible;PetalBot;+https://aspiegel.com/petalbot)"
...

So, I decided to create a new fail2ban filter to handle this.
  • Create this new file: /etc/fail2ban/filter.d/my-badbots.conf. The failregex can catch multiple bots when their names are separated with the pipe symbol ("|").
   [Definition]
   failregex = <HOST>.*(GET|POST|HEAD).*(PetalBot|otherBots).*

   ignoreregex =
  • Edit /etc/fail2ban/jail.local by adding the following to the bottom of the file
   [my-badbots]
   enabled = true
   filter = my-badbots
   port = all
   banaction = iptables-allports
   logpath = /var/log/nginx/access.log
   maxretry = 1
   findtime = 10m
   bantime = 30d
  • Save the changes.
  • To test the new filter:
   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/my-badbots.conf

and you will find the result in the console.
  • Restart fail2ban.
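To check the regexes of the #2 and #3 filters (and the repeat-offender filter) offline before running fail2ban-regex, here is an added Python example that is not part of the original post: it substitutes a simplified <HOST> pattern into each failregex, runs it over constructed sample log lines and counts hits per address, skipping lines that match an ignoreregex the way fail2ban does. The sample lines, PIDs and addresses are constructed, and the IPv4-only HOST_RE is an assumption of the example, not fail2ban's own tag.

```python
import re
# Stand-in for fail2ban's <HOST> tag, simplified to IPv4 (fail2ban's own tag also takes
# IPv6 and hostnames); the look-arounds keep a greedy ".*" from capturing "2.0.2.10" out of "192.0.2.10".
HOST_RE = r"(?<![\w.])(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?![\w.])"

def compile_failregex(lines):
    """Compile a filter's regex lines; fail2ban searches each log line with them."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in lines]

def count_hits(failregex, log_lines, ignoreregex=()):
    """Return {host: failures}: lines matching an ignoreregex are skipped, others count at most once."""
    hits = {}
    for line in log_lines:
        if any(ig.search(line) for ig in ignoreregex):
            continue
        for pat in failregex:
            m = pat.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits
# failregex / ignoreregex lines copied from the three custom filters on this page.
MY_FILTER = compile_failregex([
    r"Received disconnect from <HOST>.*Normal Shutdown, Thank you for playing \[preauth\]$",
    r"Unable to negotiate with <HOST>.*no matching key exchange method found. Their offer.*",
    r"Invalid user .*from <HOST> port .*",
    r"Connection closed by .*<HOST> port .* \[preauth\]$",
])
MY_BADBOTS = compile_failregex([r"<HOST>.*(GET|POST|HEAD).*(PetalBot|otherBots).*"])
REPEAT_OFFENDER = compile_failregex([r"fail2ban\.actions\[\d+\]: WARNING \[.*\] Unban <HOST>$"])
REPEAT_IGNORE = compile_failregex([r"fail2ban\.actions\[\d+\]: WARNING \[repeat-offender\].*$"])

# Constructed sample log lines (documentation addresses, not real clients).
AUTH_LOG = [
    "Dec  6 16:29:18 myserver sshd[1001]: Invalid user admin from 192.0.2.10 port 33901",
    "Dec  6 16:29:10 myserver sshd[1002]: Connection closed by authenticating user root 192.0.2.10 port 44229 [preauth]",
    "Dec  7 09:39:14 myserver sshd[1003]: Connection closed by 192.0.2.11 port 52660 [preauth]",
    "Dec  7 09:40:00 myserver sshd[1004]: Received disconnect from 192.0.2.12 port 38968:11: Normal Shutdown, Thank you for playing [preauth]",
    "Dec  7 09:41:00 myserver sshd[1005]: Unable to negotiate with 192.0.2.12 port 48784: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "Dec  7 09:42:00 myserver sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED",
]
ACCESS_LOG = [
    '192.0.2.20 - - [13/Dec/2020:03:33:07 +0000] "GET /robots.txt HTTP/1.1" 301 178 "-" "(compatible;PetalBot;+https://aspiegel.com/petalbot)"',
    '198.51.100.8 - - [13/Dec/2020:03:34:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]
F2B_LOG = [
    "2020-12-14 10:00:00,000 fail2ban.actions[900]: WARNING [sshd] Unban 192.0.2.10",
    "2020-12-14 10:00:01,000 fail2ban.actions[900]: WARNING [repeat-offender] Unban 192.0.2.10",
]
```

Two things worth checking against your own logs: the my-badbots pattern matches a bot name anywhere after the request method (a request path containing "PetalBot" would count too), so anchor it to the quoted user-agent field if that matters, and newer fail2ban releases write Ban/Unban lines at NOTICE level with a padded logger name, so compare the repeat-offender regex with a real line from /var/log/fail2ban.log before relying on it.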

fail2ban operating commands
  • Finally, restart the service
  sudo systemctl restart fail2ban
  • To check status
  sudo fail2ban-client status
  • Manually ban an IP in the 'repeat-offender' jail (or any jail that you have set up).
  sudo fail2ban-client set repeat-offender banip 87.251.77.206
  • To view the given jail
  sudo fail2ban-client status repeat-offender
  • View the fail2ban log file,
  sudo tail /var/log/fail2ban.log
  • Basically, fail2ban analyzes SSH access in the following file,
