Lot’s of systems on the internet are been hacked trough the use of easy guessable passwords or default credentials. In many cases the source ip address is been hacked the same way. Attackers are pivoting through compromised systems.
Fail2ban is an application that monitored your log files and based on pre defined thresholds fail2ban will block entirely or temporarily the source. The installation of fail2ban on Linux is pretty straight forward and mostly the default configuration will be efficient.
For the installation on ubuntu you only have to follow the following steps:
sudo apt-get install fail2banTo automatically start the fail2ban service on ubuntu
sudo systemctl enable fail2ban
sudo systemctl start fail2banDefault fail2ban uses /etc/fail2ban/jail.conf for his configuration and will be overwritten when there is a update. With the /etc/fail2ban/jail.local configuration file you can specify your own configuration and will not be changed after a package update. To change your configuration use vi to create a new jail.local file.
sudo vi /etc/fail2ban/jail.localBelow you see an example configuration file for jail.local. Make sure you only use the configuration for the services you have. So don’t mix for example the two mail server service ‘Postfix’ and ‘Exim’ in the same config.
You also have to set ignoreip = 1.2.3.4 to your testing/last resort ip address in case you locked your self.
[DEFAULT]
# Ban for X amount of time
# 3600 = 1 hour
# 604800 = 1 week
bantime = 604800
findtime = 3600
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 3
ignoreip = 1.2.3.4
[sshd]
enabled = true
port = 22
[exim]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog
[postfix]
enabled = true
port = smtp, ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/maillogWith the following command you will start fail2ban service
service fail2ban startIn case you need more insight of banned ip per service or you need to unban certain ip address. You can use fail2ban interactive command prompt.
fail2ban-client -i
status sshdYou will get the following output
Status for the jail: ssh
|- Filter
| |- Currently failed: 0
| |- Total failed: 6
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: 203.113.167.162and with the below command you can unban a ip adres
set sshd unbanip 203.113.167.162
