Do you have public facing Linux servers?
Of course you do. Who doesn’t!?!? Or why would you be here if you wouldn’t?
I’m not a big fan of security through obscurity, so I need, or we all need, a way to protect our known public ports.
I know, iptables or any of it’s derivatives are always there, but, what about that one port that must stay opened and accessible? After all, if you didn’t need a public facing service, you wouldn’t need to to make it public, would you?
fail2ban to the rescue
fail2ban is a very useful utility that creates rules on your firewall to block failed authentication attempts. It can be used with any service that generates log files. As an example I will use SSH.
Installation of fail2ban is as easy as it gets. Just make sure you have your repositories up to date and to a yum install fail2ban or apt-get install fail2ban.
First step to configure fail2ban is to copy it’s config file to a .local file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fail2ban configuration should be done only on the new .local file
In the jail.local file, let’s search for the area [ssh] or [ssh-iptables] depending if you use a Debian base or red hat base distro.
Make sure that it is enabled and the log file is pointing to the right location.
We can also set the ban duration and the number of tries before banning. I like to ban for 1 hour (value in seconds) and after 5 retries.
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-allports ; ban retrys on any port
bantime = 3600 ; ip address is banned for 10 minutes
maxretry = 5 ; allow the ip address retry a max of 10 times
After the configuration done, let’s start the service and see it in action.
Seeing it all come together
If you have anyone testing your defences you should see fail2ban in action very fast. Just to a word count of the number of lines in auth.log with failed attempts like so:
less /var/log/auth.log | grep ‘sshd.*Failed’ | wc -l
The follow up with a listing of your iptables rules with iptables -L.
Very useful tool this fail2ban. There are many more configuration possible, for other services, for e-mail notifications, for different actions, etc.
This is just a very basic starting point.
Now go explore and stay safe.