Intro to Fail2Ban

Any site, application, service, script or anything else that runs on the internet is susceptible to attacks by malicious parties – always. This is particularly true when a service requires authentication. There are many unauthorized users, both human and robot, that will do what they can to break into your system by any means necessary. Once the wrong person has decided to act maliciously, you have to be ready to protect yourself from anything and everything that they may be about to throw at you.

There are many ways these users can get to you. SSH, for instance, is commonly targeted by brute force attacks executed by bots that target common or easily-predictable account names. Fail2Ban was created to address these types of issues. The program works by altering firewall rules to block addresses that have attempted to log in unsuccessfully a set number of times. Written in the Python programming language, Fail2Ban was initially released in 2004. More than a decade later, it is still used by many Unix-like systems to prevent unwanted entry.

How Fail2Ban Works

Fail2Ban works by monitoring the logs of common services in order to spot failed authentication attempts. This is achieved by assigning a filter to each monitored service; a filter is a set of regular expressions that match the log lines a failed login produces. These regular expression patterns are assigned to a variable called failregex.

When Fail2Ban detects a line in a service’s log file that matches failregex, a defined action is executed. These actions are meant to implement the most appropriate measure to protect the service or system from the host that produced the matching log line. They can be configured by the system’s administrator to build a custom security solution.

The default action is to ban the offending host or IP by modifying the iptables (Linux firewall) rules. Additionally, the action can be expanded to include some form of notification, like sending an email to the administrator that details the whois report of the alleged attacker or the log lines that triggered the action. Of course, the action variable may also be set up to execute some action other than modifying iptables. The process can be as simple or as intricate as the administrator chooses to make it.

With that said, the default action takes place after 3 failed authentication attempts within 10 minutes. The default ban time for the same error is also 10 minutes. For most administrators, these general measures are simply not enough to deliver peace of mind, so it’s important to learn how to use programs like Fail2Ban well enough to create a higher level of protection.

Reducing Dictionary Attacks

Another key function of Fail2Ban is to remove the ban imposed on blocked hosts after a specified amount of time. The “unban” feature is put in place because there is always the possibility that failed login attempts are actually coming from a legitimate source, or are even caused by a misconfiguration within the system. The amount of time a host is blocked from attempting to communicate again should be set high enough to prevent a network connection from being flooded by malicious connections. This “unban time” is also helpful in limiting the chances of a successful dictionary attack.
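To make the detection and ban cycle from the two preceding sections concrete, the following added example (not code from the Fail2Ban project) replays a few constructed sshd log lines through a simplified failregex and applies the defaults quoted above: three failures within ten minutes trigger a ban, and the ban is lifted ten minutes later. The regular expression is an illustrative IPv4-only stand-in for the project's own sshd filter, which uses a `<HOST>` token instead; the log lines, the year used for the syslog timestamps and the documentation addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failregex. Real Fail2Ban filters write the token <HOST> where the
# address goes and expand it to a host/IP pattern themselves; here it is an IPv4
# group so the example stands alone. (Assumption: illustrative pattern, not the
# project's sshd filter.)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from " + HOST + r"(?: port \d+)?"
)

# The defaults quoted in the text: 3 failures within 10 minutes, ban for 10 minutes.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# Constructed syslog-style sshd lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 10:00:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "Jan 10 10:00:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Jan 10 10:00:15 host sshd[1237]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Jan 10 10:20:00 host sshd[1238]: Failed password for root from 203.0.113.5 port 51300 ssh2",
]


def parse_time(line, year=2024):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines and return (time, "ban"|"unban", host) events in order."""
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}                     # host -> time the ban expires
    events = []
    for line in lines:
        now = parse_time(line)
        # Lift bans whose time has run out (Fail2Ban does this on a timer;
        # when replaying a log we do it as the timestamps advance).
        for host, until in list(banned.items()):
            if now >= until:
                del banned[host]
                events.append((until.strftime("%H:%M:%S"), "unban", host))
        match = FAILREGEX.search(line)
        if not match:
            continue                # successful logins and unrelated lines are ignored
        host = match.group("host")
        if host in banned:
            continue                # already blocked by the firewall rule
        window = failures[host]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()        # only failures inside findtime count
        if len(window) >= maxretry:
            banned[host] = now + bantime
            window.clear()
            events.append((now.strftime("%H:%M:%S"), "ban", host))
    return events


if __name__ == "__main__":
    for when, action, host in simulate(SAMPLE_LOG):
        print(f"{when} {action:5} {host}")
```

Running the script shows 203.0.113.5 banned at 10:00:09 and unbanned at 10:10:09; the single failure at 10:20:00 starts a fresh count, which is exactly the window a lower findtime or higher maxretry would widen or narrow. The successful public-key login never reaches the counter because it does not match failregex.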

A dictionary attack is a technique used to defeat a cipher or authentication mechanism by trying hundreds or even millions of likely candidates, including actual words printed in the dictionary. Basically, it revolves around trying strings from a pre-arranged list derived from dictionary words. Variants of such words are still relatively easy to guess if all the administrator does is add a digit, punctuation mark or extra character. Fortunately, dictionary attacks are easily beaten by strong passwords.

Installing Fail2Ban from Source

The first step to installing Fail2Ban on your system is making sure that you’ve already installed Python (version 2.4 or higher). Other components, such as iptables, Shorewall, TCP Wrappers, a working mail command and Gamin, are optional.

Next, download the latest Fail2Ban source code, change to the directory containing the downloaded archive and execute the following command:

tar xvjf fail2ban-x.x.x.tar.bz2

After you execute the above command, the source code will be extracted to a subdirectory of the current working directory. Change into that subdirectory and execute the installation script as root:

./setup.py install

Once this successfully executes, Fail2Ban should be installed under /usr/share/fail2ban and /usr/bin. You will also need to copy the contents of config/ to /etc/fail2ban/. At this point, you’ll be ready to run the application.

How to Install Fail2Ban on Debian

Fail2Ban is actually included in the default Debian repository. All you need to do to run it is to execute the following command:

apt-get install fail2ban

To customize your configuration, you can use the editor of your choice. Just make sure to create backups of the original config file in case something goes wrong or any surprises pop up! It’s also important to add your own IP as one that Fail2Ban should ignore, otherwise you run the risk of locking yourself out of your own system.
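Because a wrong ignoreip entry is the usual way to lock yourself out, the following added example (not part of the original article or of Fail2Ban itself) parses a constructed jail.local fragment and checks which administrator addresses the jail would still be allowed to ban. The option names ignoreip, bantime, findtime and maxretry are real Fail2Ban settings; the values, the [sshd] section and the sample addresses are assumptions, and the checker only handles IP addresses and CIDR blocks, not the DNS names ignoreip also accepts.

```python
import configparser
import ipaddress

# Constructed jail.local fragment (assumption: an administrator's override file;
# ignoreip, bantime, findtime and maxretry are real Fail2Ban option names).
JAIL_LOCAL = """\
[DEFAULT]
# hosts that are never banned: loopback, the admin's workstation, the office range
ignoreip = 127.0.0.1/8 ::1 198.51.100.7 203.0.113.0/24
bantime  = 600
findtime = 600
maxretry = 3

[sshd]
enabled = true
"""


def parse_jail(text):
    """Parse jail.local text; interpolation is off because Fail2Ban uses %(name)s itself."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ignored_networks(cp, section="sshd"):
    """ignoreip is whitespace-separated addresses and CIDR blocks; [DEFAULT] is inherited."""
    raw = cp.get(section, "ignoreip", fallback="")
    return [ipaddress.ip_network(token, strict=False) for token in raw.split()]


def is_ignored(cp, address, section="sshd"):
    """True if address falls inside any ignoreip entry of the jail (IPv4/IPv6 aware)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ignored_networks(cp, section))


def lockout_risk(cp, admin_addresses, section="sshd"):
    """Return the administrator addresses that the jail would be allowed to ban."""
    return [a for a in admin_addresses if not is_ignored(cp, a, section)]


CFG = parse_jail(JAIL_LOCAL)

if __name__ == "__main__":
    print("admin addresses not covered by ignoreip:",
          lockout_risk(CFG, ["198.51.100.7", "192.0.2.44"]))
```

Run it before restarting Fail2Ban after an edit: any address it prints is one from which three failed logins would still get you banned. Because the check parses the file with the same section inheritance Fail2Ban uses, an ignoreip placed only under a different jail section would correctly show up as uncovered for sshd.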

How to Install Fail2Ban on SUSE

Fail2Ban is available from the Packman repository. It has to be enabled first, so start by executing the following command:

yast2

This opens up the YaST interface. Here, you will go to Software → Community Repositories and select “Activate the Packman Repository”. All that’s left is to hit Finish. Exit YaST and use this command to install fail2ban:

yast2 -i fail2ban

Create system startup links for fail2ban and start it:

chkconfig --add fail2ban
/etc/init.d/fail2ban start

How to Install Fail2Ban on Ubuntu

Installing Fail2Ban on Ubuntu is very similar to installing it on Debian. The Fail2Ban package is already in the default repository so all you need to do is issue this command:

apt-get install fail2ban

How to Install Fail2Ban on Arch

When installing Fail2Ban from the official repositories, all you need to do is execute the command:

pacman -S fail2ban

Of course, if the package is from the Arch User Repository (AUR), you have to download the PKGBUILD archive online (find it here), extract it, verify its contents and then run this command in the same folder:

makepkg -si

How to Install Fail2Ban on Slackware

Installing Fail2Ban on Slackware has a few more steps than the other OS options mentioned so far:

First, download the SlackBuild tar file to a “build” location and then unarchive it. Go to the subdirectory created by extracting the tar file and locate the fail2ban.SlackBuild file. Download the program’s source tar file into that directory.

Next, make the SlackBuild script executable using chmod and execute it as root.

Finally, after the package is built, install it using either the installpkg or the upgradepkg --install-new command. This command should also be executed as root. All that’s left is to follow the instructions in the README.SBo file.

How to Install Fail2Ban on Fedora

To install Fail2Ban on Fedora, execute the following command as the root user:

yum install fail2ban

Note: This applies to systems running Fedora 9 or higher.

How to Install Fail2Ban on CentOS

To install Fail2Ban on CentOS, execute the following:

su -c "http://download.fedora.redhat.com/pub/epel/5/i386/epel-r"
yum install fail2ban

What to Do After Installation

Remember, you’re free to modify the contents of the configuration files to design the ideal security measures to meet your needs. You choose how you want Fail2Ban to perform. For best results, evaluate your own systems for potential vulnerabilities and start by protecting those. And keep in mind, Fail2Ban may protect against SQL injections or other types of attacks, but there are still additional measures to be taken. When it comes to server security, there’s no such thing as a one-size-fits-all solution.

  1. Great article on server security, detailed step by step. I had installed this on my VPS and had great results.

    cPanel users can also try ConfigServer Firewall; it’s very useful and free.
