Fail2Ban

Fail2Ban scans log files and bans IPs that show malicious signs, e.g. too many password failures or probing for exploits. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured.

https://www.fail2ban.org/

Installing

  • Add the EPEL repository: yum install epel-release
  • Install the Fail2Ban package: yum install fail2ban
  • Enable the service: systemctl enable fail2ban

This installs a set of pre-configured "jails" and filters under /etc/fail2ban/ (jail.conf and filter.d/). Leave those files as they are and put your own settings in /etc/fail2ban/jail.local, which overrides jail.conf; create that file and paste the following in:

[DEFAULT]
# Ban hosts for one hour
bantime = 3600

# ignoreip can be an IP address, a CIDR mask or a DNS host.
# Fail2Ban will not ban a host which matches an address in this list.
# Several addresses can be defined using space (and/or comma) separator.
# Best to add office VPN IP and any client IP's here too.
ignoreip = 127.0.0.1/8

# Override /etc/fail2ban/jail.d/00-firewalld.conf
banaction = iptables-multiport

[sshd]
enabled = true

[sshd-ddos]
enabled = true

[mysqld-auth]
enabled = true

# Nginx specific - omit on Apache
# Detects password authentication failures.
[nginx-http-auth]
enabled = true

# Nginx specific - omit on Apache
[nginx-botsearch]
enabled = true

# Apache specific - omit on nginx
# Detects password authentication failures.
[apache-auth]
enabled = true

# Apache specific - omit on nginx
# Detects spammer bots crawling for email addresses.
[apache-badbots]
enabled = true

# Apache specific - omit on nginx
# Detects requests for scripts that do not exist (potential exploit searches).
[apache-noscript]
enabled = true

# Apache specific - omit on nginx
# Detects Apache overflow attempts.
[apache-overflows]
enabled = true

After adding the above, restart the service with systemctl restart fail2ban and check the jails are running with fail2ban-client status. This will list all running jails.

Useful commands

To check the status of any running jails use fail2ban-client status [NAME OF JAIL] e.g. fail2ban-client status sshd

To view a log of recent actions, look in /var/log/fail2ban.log

Extra custom jails

If you get lots of repeated requests to a URL such as an admin login page, or any other obvious brute-force attempt, the configuration below will block repeated POST requests to a given URL, in this case /admin.

A custom jail needs its own filter, and filters always go in a file within /etc/fail2ban/filter.d (the jail itself is then added to jail.local). Add the following to /etc/fail2ban/filter.d/apache-post.conf

[Definition]
# Match these lines to find a login fail
failregex = ^<HOST> .*\"POST \/admin[^\"]+\"
# don't ignore anything
ignoreregex =

Then add the below to /etc/fail2ban/jail.local.

[apache-post]
enabled = true
# Block these ports
port = http,https
# Uses the filter from /etc/fail2ban/filter.d/apache-post.conf
filter = apache-post
logpath = /var/log/httpd/access.log
findtime = 600
maxretry = 5
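To see what the [apache-post] jail above would do before enabling it, here is an added Python example (not part of this page or of Fail2Ban) that applies the failregex to constructed access-log lines and reproduces the findtime/maxretry counting in simplified form; it assumes IPv4 clients only and substitutes a plain IPv4 pattern for Fail2Ban's <HOST>.

```python
import re
from datetime import datetime, timedelta

# failregex exactly as in apache-post.conf above; Fail2Ban replaces <HOST> with
# its own host pattern. Assumption: IPv4 clients only, so a simple IPv4 regex is
# substituted here instead of Fail2Ban's full IPv4/IPv6/hostname pattern.
FAILREGEX = r'^<HOST> .*\"POST \/admin[^\"]+\"'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FINDTIME, MAXRETRY = 600, 5          # same values as the [apache-post] jail
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def compile_failregex(failregex=FAILREGEX):
    return re.compile(failregex.replace('<HOST>', HOST_RE))

def would_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Simplified jail logic: a host is banned once it has maxretry matching
    lines whose timestamps all fall within a findtime-second window."""
    pattern = compile_failregex()
    recent, banned = {}, set()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue                      # GETs and other URLs are not failures
        ts = datetime.strptime(TS_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
        host = m.group('host')
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def access_line(host, ts, request, status=401):
    # Constructed Apache combined-format line; not real traffic.
    return f'{host} - - [{ts} +0000] "{request}" {status} 512 "-" "Mozilla/5.0"'

POST = 'POST /admin/login HTTP/1.1'
SAMPLE_LOG = (
    # five POSTs in 32 seconds: reaches maxretry inside findtime -> ban
    [access_line('203.0.113.5', f'10/Oct/2023:13:55:{s:02d}', POST) for s in (1, 9, 17, 25, 33)]
    # one POST plus a GET: the GET never matches the failregex
    + [access_line('198.51.100.7', '10/Oct/2023:13:56:00', POST),
       access_line('198.51.100.7', '10/Oct/2023:13:56:30', 'GET /admin HTTP/1.1', 200)]
    # five POSTs 15 minutes apart: never five inside 600 s -> no ban
    + [access_line('192.0.2.9', f'10/Oct/2023:{h:02d}:{m:02d}:00', POST)
       for h, m in ((13, 0), (13, 15), (13, 30), (13, 45), (14, 0))]
)

if __name__ == '__main__':
    print('would ban:', sorted(would_ban(SAMPLE_LOG)))   # ['203.0.113.5']
```

The real check is fail2ban-regex /var/log/httpd/access.log /etc/fail2ban/filter.d/apache-post.conf; note that the regex matches every POST to /admin regardless of status code, so legitimate form submissions count toward maxretry too, which is why office and client addresses belong in ignoreip.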

Common Issues

If the service will not start, then try running /usr/bin/fail2ban-client -v -v start to see what the exact error is.

The most common reason the service won't start is that log files are missing and/or can't be read. This is usually only an issue if they're not in the default directory. If this is the case you will need to override the logpath parameter for each of the affected jails in your jail.local file.

Try to stick to a standard format for these log files across servers so that they're easy to find, e.g. /var/log/(apache|nginx|httpd)/fail2ban/[JAILNAME]. You will need to manually create the directories and files as well.

Example

[nginx-http-auth]
enabled = true
logpath = /var/log/nginx/fail2ban/nginx-http-auth.log