Loading ...
Using fail2ban to Block Brute Force Attacks
From the category of log based tools I have chosen to present fail2ban because I consider it to be the best available log based brute force blocker. Basically, as any other log based brute force blockers, fail2ban will monitor the system log files and when certain configured events occur they will trigger fail2ban to block the offending host.
Here are the main features of fail2ban:
- running as daemon (no delay to take actions as in cron based tools).
- can use various methods to block the attack:
- iptables (this is the default, and will most certainly be the best choice for most users)
- TCP Wrappers (/etc/hosts.deny): this might be particular useful if you are running a VPS that has no access to iptables rules.
- any other method you might need to implement in your firewall setup (you will have to define the rules yourself in this case).
- can handle more than one service: sshd (default), apache, vsftpd/proftpd, etc.
- can send e-mail notifications.
- can ban IPs for a limited amount of time and since 0.6.1 can also permanently ban hosts.
The installation is not at all complicated as the author provides packages for major linux distributions. I will show how we can install fail2ban on Debian. By the way the Debian package is different than the source package you can find at the project page. This is because the author is closely collaborating with Debian maintainers to conform its software to the Debian rules and have it in the official Debian sources. This is very nice!
If we want to install fail2ban on a Debian system all we have to do is:
apt-get install fail2banthis will take care of the dependencies you might not have on the system (python, iptables, lsb-base).
Once installed, it will be started automatically. The configuration file is located in /etc/fail2ban.conf. It will enable by default the protection against SSH brute force attacks. The configuration file contains each available parameter excellently commented and that should be the only documentation you will need for fail2ban.
Compared with other software, I found the need to change very few parameters from the default. Here are some of the important parameters from the main section:
[DEFAULT]
maxfailures = number of failures before IP gets banned. Defaults to 5. I like to lower this to 3:
maxfailures = 3
bantime = number of seconds an IP will be banned. If set to a negative value, IP will never be unbanned (permanent banning). Defaults to 600 (10 min).
bantime = -1
ignoreip = space separated list of IP’s to be ignored by fail2ban. No default. I like to add my own static management ips here just in case…
ignoreip = 192.168.0.1
All fail2ban actions are logged and can be reviewed. The log file is defined using:
logtargets = /var/log/fail2ban.logThe SSH section works perfectly out of the box being aware of Debian log files names, etc:
[SSH]Here we can see the log file fail2ban will monitor for SSH attacks (/var/log/auth.log), the port that will be used to block the hosts (they will still be able to communicate with other protocols with our host even after ssh blocking) and also the regular expressions that will trigger fail2ban.
enabled = true
logfile = /var/log/auth.log
port = ssh
timeregex = S{3}s{1,2}d{1,2} d{2}:d{2}:d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?PS*)
Besides the SSH section that is enabled by default the configuration file contains other usable sections for other programs (you just have to enable them as they default to disabled): SASL, Apache, ApacheAttacks, VSFTPD, PROFTPD. This can also be the starting point for writing your own rules targeted for any program you might need.
Here are the iptables definitions that will actually block the offending hosts:
fwchain = INPUTfwstart will create when starting the program for each of the defined active sections a different iptables chain. This will be called fail2ban-(name_of_section), for ex: fail2ban-SSH, fail2ban-VSFTPD, etc.
fwstart = iptables -N fail2ban-%(__name__)s
iptables -A fail2ban-%(__name__)s -j RETURN
iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
iptables -F fail2ban-%(__name__)s
iptables -X fail2ban-%(__name__)s
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s
fwban = iptables -I fail2ban-%(__name__)s 1 -s -j DROP
fwunban = iptables -D fail2ban-%(__name__)s -s -j DROP
iptables -L -n
Chain INPUT (policy ACCEPT)
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain fail2ban-SSH (1 references)
RETURN all -- 0.0.0.0/0 0.0.0.0/0On program exit these chains are deleted. There is no persistence in fail2ban. If for any reason the program is restarted it will rescan the log files for failed attempts (only events newer then findtime - def 600) and it will add them to the active list. This is not at all a big limitation and I would not care about this… but just that you are aware that if you restart the program you will start fresh.
The action that is taken when a host is banned will just add a new iptables rule in the program chain that will drop the traffic for the attacker.
Let me exemplify this: we are being attacked by a host with the IP 192.168.0.200 (just a private ip for the sake of the example)
In system logs we see the following (/var/log/auth.log):
sshd[6787]: Did not receive identification string from 192.168.0.200At this time fail2ban has seen enough authentication errors (with maxfailures = 3) and in fail2ban log file we will see:
sshd[13299]: Invalid user lpd from 192.168.0.200
sshd[13299]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.200
sshd[13299]: Failed password for invalid user lpd from 192.168.0.200 port 41458 ssh2
sshd[13324]: Invalid user lpa from 192.168.0.200
sshd[13324]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.200
sshd[13324]: Failed password for invalid user lpa from 192.168.0.200 port 41689 ssh2
/var/log/fail2ban.logWe have started with empty iptables rules that look like:
2006-07-01 16:06:39,261 INFO: SSH: 192.168.0.200 has 3 login failure(s). Banned.
2006-07-01 16:06:39,287 WARNING: SSH: Ban (permanent) 192.168.0.200
iptables -L -nMeaning that all the SSH traffic will just pass thru the fail2ban-SSH chain without any change.
Chain INPUT (policy ACCEPT)
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain fail2ban-SSH (1 references)
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Once fail2ban has blocked our attacker 192.168.0.200 it will add a new iptables rule that will drop SSH traffic from this host. After this the rules will look like:
iptables -L -nUsing iptables to block the offending hosts is probably the best way to do this (and can be easily integrated in any existing iptables firewall), but as I said there are other methods available that might be useful in some cases (hosts.deny might be the only choice for VPS owners that don’t have access to iptables). You can look into the examples that come with fail2ban for how to easily implement this.
Chain INPUT (policy ACCEPT)
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain fail2ban-SSH (1 references)
DROP all — 192.168.0.200 0.0.0.0/0
RETURN all — 0.0.0.0/0 0.0.0.0/0
References:
http://www.fail2ban.org/wiki/index.php/Manual
Return to the main page: “How to Block Brute Force Attacksâ€
Share This
5th July 2006, 07:14
[...] Using iptables to Block Brute Force Attacks Using PAM to Block Brute Force Attacks Using fail2ban to Block Brute Force Attacks [...]
10th August 2006, 13:59
Give me idea about , how can i get private ip or the client computer,s name using javascript or php
28th September 2006, 15:19
How can I run fwunban command line to unban an IP address without waiting the specified amount of ban time?
28th September 2006, 17:12
Dan,
I am not aware of such a functionality buildin fail2ban. An idea would be to run the unban command manually. For exaple if you are using iptables and ssh this might look like this:
iptables -D fail2ban-SSH -s <ip> -j DROPand this will remove the <ip> from the iptables rules. Similar for other applications besides ssh, or other methods of blocking the ip.
1st October 2006, 11:34
Hi,
how can I modify failregex in fail2ban.conf with matching regex “failed” or “Illegal”?
Jan
1st October 2006, 16:25
Here is the default failregex from debian that will do what you need….
failregex = : (?:(?:Authentication failure|Failed [-/w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?PS*)
1st October 2006, 20:47
no, not for:
- reverse mapping checking getaddrinfo for xyz - POSSIBLE BREAKIN ATTEMPT!
- Illegal user andrew from xyz
3rd October 2006, 15:54
Sorry Jan, but I don’t understand what you mean. The above rule has worked fine for me catching all attempts. Depending from your setup this might need changing (like what ssh version you are using, if you have public key enabled, etc. cases where the logging will look a little different). Maybe you can post a log entry so I can better understand what you mean.
7th October 2006, 07:46
Sorry, my fail2ban doesen’t work anymore. I don’t knwo why. Jan
7th October 2006, 08:01
If this helps, the only time I have seen fail2ban no longer working properly (assuming the rules are ok, etc.) was after changing the timezone on the system. If this is the case, then you have to restart your syslog daemon. It is not probable that you have the same issue, but anyway, maybe it helps.
8th October 2006, 14:21
Hi, there was something wrong with fail2ban and iptables. Fail2ban didn’t set >>iptables -I fail2ban-SSH 1 -s ‘a.b.c.d’ -j DROP>iptables -F
8th October 2006, 16:55
iptables -F solved the Prob.
Jan
10th October 2006, 17:49
when i se apt-get to install the package i get the following. Please help
joely:~# apt-get install fail2ban
Reading Package Lists… Done
Building Dependency Tree… Done
E: Couldn’t find package fail2ban
10th October 2006, 18:15
Joel,
What Debian release are you using? You are probably using the stable release and fail2ban is available only on testing/sid:
http://packages.debian.org/changelogs/pool/main/f/fail2ban/fail2ban_0.6.1-11/changelog
if this is the case you can get the fail2ban package for sarge from backports.org… just add this line to your sources.list
deb http://www.backports.org/debian sarge-backports main contrib10th October 2006, 21:08
Hi,
deb http://www.backports.org/debian sarge-backports main contrib
works fine. Thanks.
But fail2ban doesn’t ban:
>> User root from 171.123.232.72.reverse.layeredtech.com not allowed because not listed in AllowUsers
14th December 2006, 19:26
really cool tool!
People (we!) should start a Rules Wiki!
5th February 2007, 00:56
I cant configure vsftpd to fail2ban. .
17th March 2007, 13:02
[...] There’s also a nice writeup here which goes into some depth about the various options available. Share and Enjoy:These icons link to social bookmarking sites where readers can share and discover new web pages. [...]
18th March 2007, 10:19
[...] There’s also a nice writeup here which goes into some depth about the various options available. [...]
21st March 2007, 16:02
how to avoid user to root attack
3rd April 2007, 20:28
Hi,
The documentation for fail2ban is very sketchy to say the least.
What I would like to know is, if it is possible (and how) to permanently block IP’s that try to access certain illegal (or non-existing) url’s? for instance spambots that try to access something like: /comment.php and such?
It seems that since fail2ban just scans log’s this should be easy?
10th April 2007, 17:39
hello,
I am running FC4 and would like to try this, where can i download it from. i tried apt-get and that did not work. i use yum. thanks for all your time.
Dennis
10th April 2007, 18:00
excuse my noob question, i got it.
20th April 2007, 15:53
Hi, I’m runnin Centos 4, and I did everything above, but fail2ban doesn’t seem to work… it runs ok, iptables is running ok, the auth.log is ok… but nothing gets block…
Apr 20 15:00:36 ithkul vsftpd(pam_unix)[9694]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.63.172.178
Apr 20 15:00:39 ithkul vsftpd(pam_unix)[9694]: check pass; user unknown
and I tried to login severall times and I should be blocked after the 3rd time… any ideas?? how can I debug fail2ban? the fail2ban.log gives no problems either, the only logs in there are:
2007-04-20 16:32:19,346 WARNING: Restoring firewall rules…
HELP….
Thank you
22nd April 2007, 16:12
Paolo,
You can enable verbose and debugging in fail2ban config file to try to understand what is happening:
verbose = 1
debug = true
23rd April 2007, 17:12
nothing show up on log….
I have a server running Centos 4.0, Python 2.3.4, fail2ban 0.6.2
auth.log
Apr 20 15:00:36 ithkul vsftpd(pam_unix)[9694]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.63.172.178
Apr 20 15:00:39 ithkul vsftpd(pam_unix)[9694]: check pass; user unknown
fail2ban.log (only logs this)
2007-04-20 17:09:28,040 WARNING: Restoring firewall rules…
fail2ban.conf
[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/auth.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ftp
# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in “timeregex” fields definition. Note that ‘%’ must be
# escaped with ‘%’ (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P\S+)
HELP, what is wrong? what can I do?
15th June 2007, 23:01
How do you run this as a service?
29th July 2007, 10:21
Great article. fail2ban is very nice indeed, denyhosts is cool as well, because it maintains a central blacklist. Each method has it’s advantages in different situations. here’s another method that has the advantage that there is no log parsing involved which makes the banning instant.
It’s also faster because it all works on kernel level:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
12th June 2008, 15:27
[...] http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/ [...]
13th September 2008, 04:18
[...] Read the rest of this entry » [...]