Fail2Ban log monitoring and blocking application

Lots of systems on the internet are hacked through the use of easily guessable passwords or default credentials. In many cases the source IP address was hacked the same way: attackers pivot through compromised systems.

Fail2ban is an application that monitors your log files and, based on predefined thresholds, blocks the source either permanently or temporarily. The installation of fail2ban on Linux is pretty straightforward and in most cases the default configuration will be sufficient.

For the installation on Ubuntu you only have to run:

sudo apt-get install fail2ban

To automatically start the fail2ban service on Ubuntu at boot:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

By default fail2ban uses /etc/fail2ban/jail.conf for its configuration, and that file will be overwritten when there is an update. With the /etc/fail2ban/jail.local configuration file you can specify your own configuration, which will not be changed after a package update. To change your configuration, use vi to create a new jail.local file.

sudo vi /etc/fail2ban/jail.local

Below you see an example configuration file for jail.local. Make sure you only enable the jails for the services you actually run. So don't, for example, mix the two mail server services 'Postfix' and 'Exim' in the same config.

You also have to set ignoreip = 1.2.3.4 to your testing/last-resort IP address in case you lock yourself out.

[DEFAULT]
# Ban for X amount of time (in seconds)
# 3600 = 1 hour
# 604800 = 1 week
bantime = 604800
# Window in which maxretry failures must occur before the source is banned
findtime = 3600
sender = fail2ban@example.com
destemail = admin@example.com
# Ban and send an e-mail with a whois report and the matching log lines
action = %(action_mwl)s
banaction = iptables-multiport

maxretry = 3
# Never ban this address (your testing / last-resort address)
ignoreip = 1.2.3.4

[sshd]
enabled = true
port = 22

[exim]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog

[postfix]
enabled = true
port = smtp, ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/maillog
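To make the maxretry / findtime / ignoreip settings from the [DEFAULT] section concrete, here is an added shell example (not fail2ban's own code) that applies the same decision rule to a handful of constructed sshd "Failed password" lines: a source is a ban candidate when it produces maxretry failures inside a findtime window, unless it is the ignoreip address. It is a simplified model of what the sshd filter plus the jail thresholds do; the log lines, host name and IP addresses are made up for the example.

```shell
#!/bin/sh
# Added example: emulate fail2ban's maxretry/findtime decision over a small
# constructed auth.log sample. This is not fail2ban's own implementation.

# Constructed sample log (same day, syslog timestamps); addresses are documentation ranges.
SAMPLE_LOG='Mar 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar 10 10:05:12 host sshd[1002]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 10:20:30 host sshd[1003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 10:30:00 host sshd[1004]: Failed password for root from 192.0.2.9 port 41000 ssh2
Mar 10 12:30:00 host sshd[1005]: Failed password for root from 192.0.2.9 port 41001 ssh2
Mar 10 14:30:00 host sshd[1006]: Failed password for root from 192.0.2.9 port 41002 ssh2
Mar 10 10:00:05 host sshd[1007]: Failed password for root from 1.2.3.4 port 42000 ssh2
Mar 10 10:00:06 host sshd[1008]: Failed password for root from 1.2.3.4 port 42001 ssh2
Mar 10 10:00:07 host sshd[1009]: Failed password for root from 1.2.3.4 port 42002 ssh2'

# candidates_to_ban MAXRETRY FINDTIME_SECONDS IGNOREIP
# Reads log lines on stdin and prints every source IP that reached MAXRETRY
# failures within FINDTIME seconds, skipping IGNOREIP (like fail2ban's ignoreip).
candidates_to_ban() {
  awk -v maxretry="$1" -v findtime="$2" -v ignoreip="$3" '
  /sshd\[[0-9]+\]: Failed password for/ {
    # Field 3 is the HH:MM:SS part of the syslog timestamp; the sample is one day,
    # so seconds since midnight is enough to compare timestamps.
    split($3, t, ":")
    secs = t[1] * 3600 + t[2] * 60 + t[3]
    ip = ""
    for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
    if (ip == "" || ip == ignoreip) next
    n[ip]++
    ts[ip, n[ip]] = secs
  }
  END {
    for (ip in n) {
      # Sliding window: maxretry consecutive failures no more than findtime apart.
      for (i = maxretry; i <= n[ip]; i++) {
        if (ts[ip, i] - ts[ip, i - maxretry + 1] <= findtime) { print ip; break }
      }
    }
  }'
}

# Usage with the values from the jail.local above: maxretry 3, findtime 3600, ignoreip 1.2.3.4.
printf '%s\n' "$SAMPLE_LOG" | candidates_to_ban 3 3600 1.2.3.4
```

With these settings only 198.51.100.7 is reported: 192.0.2.9 also fails three times, but spread over four hours, so never three times inside one findtime window, and 1.2.3.4 is excluded by ignoreip. Lowering findtime or raising maxretry changes the outcome the same way it does in the real jail.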

With the following command you start the fail2ban service:

service fail2ban start

In case you need more insight into the banned IPs per service, or you need to unban a certain IP address, you can use the fail2ban interactive command prompt:

fail2ban-client -i

status sshd

You will get the following output:

Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   203.113.167.162

and with the command below you can unban an IP address:

set sshd unbanip 203.113.167.162
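When unbanning is scripted rather than typed into the interactive prompt, it helps to check the jail status first and only issue the unbanip command for an address that is actually in the banned list. The shell functions below are an added example (not part of the original post or of fail2ban) that parse the status output shown above; the status text is embedded as a constructed sample so the example runs without a fail2ban installation, and the unban command is printed rather than executed.

```shell
#!/bin/sh
# Added example: parse "fail2ban-client status <jail>" output and build an
# unban command only when the address is really banned. Not fail2ban's own code.

# Constructed sample, in the same layout as the status output shown in the post.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 3
   `- Banned IP list:   203.113.167.162 198.51.100.7'

# banned_ips: reads status output on stdin, prints one banned IP per line.
# Leading whitespace and the "`-" tree marker are skipped by awk's default field splitting,
# so the addresses start at field 5 of the "Banned IP list:" line.
banned_ips() {
  awk '/Banned IP list:/ { for (i = 5; i <= NF; i++) print $i }'
}

# unban_if_banned JAIL IP: reads status output on stdin; prints the
# fail2ban-client command to run if IP is banned, otherwise prints nothing and returns 1.
unban_if_banned() {
  jail="$1"
  ip="$2"
  if banned_ips | grep -qx "$ip"; then
    echo "fail2ban-client set $jail unbanip $ip"
    return 0
  fi
  return 1
}

# Usage: in practice replace the sample with "fail2ban-client status sshd".
printf '%s\n' "$SAMPLE_STATUS" | unban_if_banned sshd 203.113.167.162
```

Piping the live output of fail2ban-client status sshd into unban_if_banned and executing the printed line gives you a safe unban step for scripts, while a typo in the address simply results in no command and a non-zero exit status.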