Configuring fail2ban on Debian – Part 1

If you are administering a Linux server on a publicly accessible IP address then you have no doubt already noticed your log files filling up with repeated failed login attempts against all the common protocols. While it may be possible to protect services to some extent with firewalls, nothing is going to protect you from weak password policies and software vulnerabilities.

There is, however, a great Open Source product that can do away with some of the noise and frustrate the spammers: fail2ban.

Scenario

You are running a Debian server on a public IP address. Your SSH log shows lots of entries for failed passwords and invalid users emanating from IPs which don’t have any legitimate reason to try and connect.

Sep 20 18:27:50 mail sshd[8771]: Failed password for invalid user readonly from 5.xxx.xxx.xxx port 35630 ssh2
Sep 20 18:42:19 mail sshd[9389]: Failed password for invalid user 20 from 174.xxx.xxx.xxx port 49678 ssh2
Sep 20 18:43:15 mail sshd[9406]: Failed password for invalid user pi from 100.xxx.xxx.xxx port 25949 ssh2
Sep 20 18:44:53 mail sshd[9408]: Failed password for invalid user ms from 220.xxx.xxx.xxx port 47294 ssh2
Sep 20 18:46:56 mail sshd[9414]: Failed password for root from 174.xxx.xxx.xxx port 40484 ssh2

In this tutorial I shall show how to install and configure fail2ban in order to throttle these attempts.

Filters, Actions, & Jails

Fail2ban scans log files looking for suspicious activity. If such activity is detected, the source IP is banned from a single port, a range of ports, or all ports. This is accomplished by a set of filters, actions, and jails.

Filters: A filter is a regex which, when matched, identifies suspicious behaviour. A very comprehensive set of filters covering many popular packages is located in /etc/fail2ban/filter.d.

Actions: Actions are a set of rules for the steps to take if a filter identifies suspicious behaviour. An action may use iptables to deny the offending IP access to a port or range of ports; /etc/fail2ban/action.d contains a predefined set which includes actions for UFW and Cloudflare.

Jails: This is where filters and actions come together: a jail enables the filters to be used, along with their corresponding action and the duration of the ban. Logically, these are defined in /etc/fail2ban/jail.d.

Installation & Configuration

Using the apt package manager

root@host:~# apt-get install fail2ban

By default, Debian has an sshd jail defined, but you may want to edit the definition at /etc/fail2ban/jail.d/defaults-debian.conf. Add parameters as follows (fail2ban only recognises inline comments introduced by ';' after a space, so the notes below use that form rather than '#'):

[sshd]
enabled = true
findtime = 3600 ; No of seconds the filter must be triggered within
maxretry = 3 ; No of times the filter must be triggered in findtime.
bantime = 3600 ; No of seconds the ban is active for
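To make the three parameters concrete, here is an added example (not fail2ban's own code) that replays constructed auth.log lines through the same findtime / maxretry / bantime logic a jail applies. The regex is a simplified stand-in for the failregex in filter.d/sshd.conf, and the addresses are documentation ranges, not real sources.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log in the format quoted above;
# the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
Sep 20 18:27:50 mail sshd[8771]: Failed password for invalid user readonly from 203.0.113.5 port 35630 ssh2
Sep 20 18:42:19 mail sshd[9389]: Failed password for invalid user 20 from 198.51.100.7 port 49678 ssh2
Sep 20 18:43:15 mail sshd[9406]: Failed password for invalid user pi from 198.51.100.7 port 25949 ssh2
Sep 20 18:44:53 mail sshd[9408]: Failed password for root from 198.51.100.7 port 47294 ssh2
Sep 20 18:46:56 mail sshd[9414]: Accepted publickey for deploy from 192.0.2.9 port 40484 ssh2
Sep 20 20:30:00 mail sshd[9500]: Failed password for root from 203.0.113.5 port 40485 ssh2
Sep 20 20:31:00 mail sshd[9501]: Failed password for root from 203.0.113.5 port 40486 ssh2
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (assumption:
# the real filter has many more patterns; this covers the two forms above).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text, year=2019):
    """syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def run_jail(log, findtime=3600, maxretry=3, bantime=3600):
    """Replay log lines through the jail rules; return {ip: [times banned]}."""
    failures = {}  # ip -> timestamps of matches still inside findtime
    banned = {}    # ip -> time the current ban expires
    bans = {}      # ip -> every time a ban was issued
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # the filter did not match: not a failure
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned and now < banned[ip]:
            continue  # still banned: the action blocks it, nothing to count
        window = [t for t in failures.get(ip, []) if now - t < timedelta(seconds=findtime)]
        window.append(now)
        failures[ip] = window
        if len(window) >= maxretry:  # maxretry hits inside findtime -> ban
            banned[ip] = now + timedelta(seconds=bantime)
            bans.setdefault(ip, []).append(now)
            failures[ip] = []  # counter starts afresh once the ban is issued
    return bans
```

With the values above, only 198.51.100.7 is banned: the three failures from 203.0.113.5 span more than an hour, so they never reach maxretry inside one findtime window unless findtime is widened.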

Finally, restart the service

root@host:~# service fail2ban restart

By checking the fail2ban log, you should see fail2ban processing the sshd filter and banning IPs as required:

2019-09-20 19:26:14,913 fail2ban.actions        [942]: NOTICE  [sshd] Ban 167.xxx.xxx.xxx
2019-09-20 19:30:11,536 fail2ban.filter         [942]: INFO    [sshd] Found 23.xxx.xxx.xxx - 2019-09-20 19:30:11
2019-09-20 19:30:11,556 fail2ban.filter         [942]: INFO    [sshd] Found 23.xxx.xxx.xxx - 2019-09-20 19:30:11
2019-09-20 19:30:11,879 fail2ban.actions        [942]: NOTICE  [sshd] Ban 23.xxx.xxx.xxx
2019-09-20 19:31:57,132 fail2ban.filter         [942]: INFO    [sshd] Found 52.xxx.xxx.xxx - 2019-09-20 19:31:57
2019-09-20 19:31:57,154 fail2ban.filter         [942]: INFO    [sshd] Found 52.xxx.xxx.xxx - 2019-09-20 19:31:57

You can also use the client to inspect the jails running, and which IPs are in the jail.

root@host:~# fail2ban-client status
Status
|- Number of jail:    1
`- Jail list:    sshd

root@host:~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:    5
|  |- Total failed:    5856
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    6
   |- Total banned:    1407
   `- Banned IP list:    77.xxx.xxx.xxx 114.xxx.xxx.xxx 145.xxx.xxx.xxx 167.xxx.xxx.xxx 23.xxx.xxx.xxx 52.xxx.xxx.xxx

Next Steps

In part 2, we will look at configuring some filters and jails for applications which are not shipped by default.