<p>Protect your web site with Fail2Ban! (linuxmon.com, by mah, 2017-05-23, <a href="https://linuxmon.com/protect-site-fail2ban-ubuntu/">https://linuxmon.com/protect-site-fail2ban-ubuntu/</a>)</p>
<p><span>From <a href="https://en.wikipedia.org/wiki/Fail2ban">Wikipedia</a>:</span></p>
<p><span>Fail2Ban operates by monitoring </span><a class="mw-redirect" href="https://en.wikipedia.org/wiki/Computer_data_logging" title="Computer data logging">log files</a><span> (e.g. </span><tt>/var/log/auth.log</tt><span>, </span><tt>/var/log/apache/access.log</tt><span>, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected </span><a href="https://en.wikipedia.org/wiki/IP_address" title="IP address">IP addresses</a><span> that may belong to </span><a href="https://en.wikipedia.org/wiki/Host_(network)" title="Host (network)">hosts</a><span> that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. Fail2Ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being </span><a href="https://en.wikipedia.org/wiki/Denial-of-service_attack" title="Denial-of-service attack">flooded</a><span> by malicious connections, as well as reducing the likelihood of a successful </span><a href="https://en.wikipedia.org/wiki/Dictionary_attack" title="Dictionary attack">dictionary attack</a><span>.</span></p>
<h2>Install and Configure fail2ban on Ubuntu server</h2>
<p>Warning! All actions require root privileges!</p>
<p>Video walkthrough: <a href="https://www.youtube.com/watch?v=haq_bHROWBE">https://www.youtube.com/watch?v=haq_bHROWBE</a></p>
<p>Update the package lists and install fail2ban:</p>
<pre>$sudo apt-get update<br/>$sudo apt-get install fail2ban</pre>
<p>Go to /etc/fail2ban:</p>
<pre>$cd /etc/fail2ban/</pre>
<p>Copy jail.conf to jail.local:</p>
<pre>$sudo cp jail.conf jail.local</pre>
<p>jail.local will be the main config file for fail2ban: settings in it override the defaults from jail.conf, which may be overwritten when the package is upgraded.</p>
<p>Right after installation fail2ban already protects your server by default on TCP port 22 (ssh). The corresponding section in /etc/fail2ban/jail.local is:</p>
<pre>[ssh]<br/>enabled = true<br/>port = ssh<br/>filter = sshd<br/>logpath = /var/log/auth.log<br/>maxretry = 6</pre>
<p>This means fail2ban watches the log file /var/log/auth.log for failed authentication attempts. Such an entry looks like this (the sample below is a PAM failure logged by dovecot; an sshd failure has the same shape with pam_unix(sshd:auth)):</p>
<pre>May 14 20:43:12 exim auth worker: PASSV: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@lnxmon.com rhost=45.58.99.<hidden></pre>
<p>and after 6 failed attempts (maxretry = 6) the source IP address is blocked by iptables.</p>
<pre>filter = sshd</pre>
<p>means the jail uses the sshd filter, which lives in /etc/fail2ban/filter.d/sshd.conf. The failregex block in that file is:</p>
<pre>failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$<br/> ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$<br/> ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$<br/> ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$<br/> ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$<br/> ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$<br/> ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$<br/> ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$<br/> ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$<br/> ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$<br/> ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$</pre>
<p>These are all the regular expressions that will be matched against the log file /var/log/auth.log.</p>
<p>You can add your own filters and regular expressions.</p>
<p>For a WordPress site you can create a filter:</p>
<pre>$sudo touch /etc/fail2ban/filter.d/wp-auth.conf</pre>
<p>and paste the following into it:</p>
<pre># WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf<br/>#<br/># Block IPs hammering the WordPress login endpoints<br/>#<br/># Access-log lines look like this (only the request path differs):<br/># 12.34.33.22 - [07/Jun/2014:11:15:29] "POST /wp/wp-login.php HTTP/1.0" 200 4523<br/># 12.34.33.22 - [07/Jun/2014:11:15:29] "GET /wp-content HTTP/1.0" 200 4523<br/>#<br/># fail2ban scans the log file; every line matching failregex counts against the client IP<br/><br/>[Definition]<br/><strong>failregex = ^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)</strong><br/><br/>ignoreregex =</pre>
<p>fail2ban looks for this regexp in the log file:</p>
<pre>^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)</pre>
<p>Note that, as written, it only matches GET requests for wp-login.php or xmlrpc.php; a POST to wp-login.php (the actual login submission) is not matched, so adjust the regex if you want those counted as well.</p>
<p>Then create a jail for it: open /etc/fail2ban/jail.local and add this to the bottom of the file:</p>
<pre>[wp-auth]<br/>enabled = true<br/>filter = wp-auth<br/>action = iptables-multiport[name=NoAuthFailures, port="http,https"]<br/># change logpath to your web server's access log<br/>logpath = /var/www/mezzanine/logs/ssl_access.log<br/>bantime = 86400<br/>maxretry = 3</pre>
<p>After 3 matching requests fail2ban will block the IP address for 86400 seconds (24 hours).</p>
<p>If you access the admin panel from a fixed IP address and do not want it to be banned, add it to the [DEFAULT] section of /etc/fail2ban/jail.local:</p>
<pre>[DEFAULT]<br/>ignoreip = 127.0.0.1/8 <your ip_address> </pre>
<p>(without the '<>' symbols) and save the file.</p>
<p>fail2ban will then ignore these IP addresses.</p>
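<p>To make the matching and counting concrete, here is an added Python example (not the post's code and not part of fail2ban) that applies the wp-auth failregex, the [wp-auth] maxretry setting and the [DEFAULT] ignoreip list from above to a few constructed access-log lines; it assumes a simplified &lt;HOST&gt; group and fail2ban's default findtime of 600 seconds, neither of which the post spells out.</p>

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed example, not the blog's code: a minimal model of how a fail2ban
# jail applies the wp-auth failregex from the post. Real fail2ban expands
# <HOST> to its own named group; the simpler group used here is an assumption
# that is adequate for the IPv4 addresses found in a typical access log.
FAILREGEX = r'^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>[0-9a-fA-F.:]+)'))
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})')

# [wp-auth] jail settings from jail.local; findtime is fail2ban's default (assumed)
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
# [DEFAULT] ignoreip from the post; strict=False accepts the host bits in 127.0.0.1/8
IGNOREIP = [ipaddress.ip_network('127.0.0.1/8', strict=False)]

def failed_host(line):
    """Return the <HOST> of a line the filter fires on, else None."""
    m = PATTERN.match(line)
    return m.group('host') if m else None

def is_ignored(host):
    """True when the address falls inside any ignoreip network."""
    return any(ipaddress.ip_address(host) in net for net in IGNOREIP)

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time_of_ban} for hosts with maxretry matches inside findtime."""
    hits, bans = {}, {}
    for line in lines:
        host = failed_host(line)
        if host is None or host in bans or is_ignored(host):
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
        window = [t for t in hits.get(host, []) if ts - t <= findtime] + [ts]
        hits[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
    return bans

# Constructed access-log lines in the format shown in the filter's comments
SAMPLE_LOG = [
    '12.34.33.22 - [07/Jun/2014:11:15:29] "GET /wp-login.php HTTP/1.0" 200 4523',
    '12.34.33.22 - [07/Jun/2014:11:15:31] "POST /wp-login.php HTTP/1.0" 200 4523',
    '12.34.33.22 - [07/Jun/2014:11:15:33] "GET /xmlrpc.php HTTP/1.0" 200 4523',
    '10.0.0.5 - [07/Jun/2014:11:15:40] "GET /wp-content/a.css HTTP/1.0" 200 12',
    '127.0.0.1 - [07/Jun/2014:11:15:41] "GET /wp-login.php HTTP/1.0" 200 4523',
    '127.0.0.1 - [07/Jun/2014:11:15:42] "GET /wp-login.php HTTP/1.0" 200 4523',
    '127.0.0.1 - [07/Jun/2014:11:15:43] "GET /wp-login.php HTTP/1.0" 200 4523',
    '12.34.33.22 - [07/Jun/2014:11:15:45] "GET /wp-login.php HTTP/1.0" 200 4523',
    '10.0.0.5 - [07/Jun/2014:11:16:00] "GET /wp-login.php HTTP/1.0" 200 4523',
]

if __name__ == '__main__':
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f'[wp-auth] Ban {host} at {when}')  # 12.34.33.22 banned; POST line and localhost are not counted
```

The POST line and the wp-content request never fire the filter, and the three hits from 127.0.0.1 are skipped by ignoreip, so only 12.34.33.22 reaches maxretry.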
<p>If you write your own filters you can test them against a log file with fail2ban-regex:</p>
<pre>$fail2ban-regex ssl_access.log /etc/fail2ban/filter.d/wp-auth.conf<br/>Running tests<br/>=============<br/>Use failregex file : /etc/fail2ban/filter.d/wp-auth.conf<br/>Use log file : ssl_access.log<br/>Results<br/>=======<br/>Failregex: 5540 total<br/>|- #) [# of hits] regular expression<br/>| 1) [4686] ^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)<br/>| 2) [854] ^<HOST> .* "GET \/(wp-content)<br/>`-<br/><br/>Ignoreregex: 0 total<br/><br/>Date template hits:<br/>|- [# of hits] date format<br/>| [19758] Day/MONTH/Year:Hour:Minute:Second<br/>`-<br/><br/>Lines: 19758 lines, 0 ignored, 5540 matched, 14218 missed<br/>Missed line(s):: too many to print. Use --print-all-missed to print all 14218 lines<br/><br/><br/></pre>
<p>The filter matches, so it works.</p>
<p>After changing the configuration, restart fail2ban:</p>
<pre>$sudo service fail2ban restart</pre>
<p>Detailed information, including which addresses were banned or unbanned, is in /var/log/fail2ban.log:</p>
<pre>.....<br/>2017-05-21 06:48:30,205 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11<br/>2017-05-22 01:42:51,534 fail2ban.actions: WARNING [wp-auth] Ban 60.241.112.205<br/><strong>2017-05-22 01:42:53,597 fail2ban.actions: INFO [wp-auth] 60.241.112.<hidden>. already banned</strong><br/><strong>2017-05-22 01:42:56,601 fail2ban.actions: INFO [wp-auth] 60.241.112.<hidden>. already banned</strong><br/><strong>2017-05-23 01:42:52,254 fail2ban.actions: WARNING [wp-auth] Unban 60.241.112.205</strong><br/>2017-05-23 09:37:02,946 fail2ban.actions: WARNING [wp-auth] Ban 185.119.81.24<br/>2017-05-23 10:07:06,785 fail2ban.server : INFO Stopping all jails<br/>2017-05-23 10:07:07,541 fail2ban.actions: WARNING [wp-auth] Unban 185.119.81.24<br/>.....</pre>
<p>You can also check the iptables rules:</p>
<pre>$sudo iptables -S<br/>-P INPUT ACCEPT<br/>-P FORWARD ACCEPT<br/>-P OUTPUT ACCEPT<br/>-N fail2ban-NoAuthFailures<br/>-N fail2ban-ssh<br/>-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-NoAuthFailures<br/>-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh<br/>-A FORWARD -i tun0 -j ACCEPT<br/>-A FORWARD -o tun0 -j ACCEPT<br/>-A FORWARD -o eth0 -j ACCEPT<br/>-A FORWARD -i eth0 -j ACCEPT<br/>-A fail2ban-NoAuthFailures -j RETURN<br/>-A fail2ban-ssh -j RETURN</pre>
<p>Nobody banned yet :)</p>
<p>Links:</p>
<p><a href="https://www.fail2ban.org/wiki/index.php/Main_Page">https://www.fail2ban.org/wiki/index.php/Main_Page</a></p>