Fail2Ban - BlueTeam


Overview of fail2ban

The fail2ban daemon monitors the logs of multiple services (HTTP, SSH, etc.) for signs of intrusion attempts, such as repeated failed logins. If an IP address is marked as suspicious, fail2ban blocks it for a specified duration.

Primarily, fail2ban is an efficient way to protect a server against password brute-force or dictionary attacks. We’ll go deeper into some basic fail2ban configuration in the next sections.


Installing fail2ban

Let’s begin with the installation step.

For Debian, execute the following command.

$ sudo apt-get install fail2ban
Reading package lists... Done
Building dependency tree       
Reading state information... Done
...

After a few seconds, our fail2ban should be ready for further configuring.


Configuring fail2ban

[1]. On the terminal, we execute

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The jail.local file holds our custom fail2ban configuration and takes precedence over jail.conf. In other words, we adjust jail.local to suit our purposes, and our changes are not lost when a package upgrade overwrites the default jail.conf.

[2]. Open the jail.local file; it contains some useful settings by default.

ignoreip

  • ignoreip = 127.0.0.1/8 10.10.10.21

→ The IP addresses (or networks) listed here, separated by spaces, are never banned by fail2ban.

bantime

  • bantime = 600

→ The default ban time is 600 secs (10 mins).

maxretry

  • maxretry = 5

→ The number of failures before a host gets banned.

findtime

  • findtime = 600

→ Used with maxretry, if a host exceeds 5 failed login attempts within 600 seconds, it will be banned.
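To see how these four settings interact, here is an added Python script (not from the original post or the fail2ban project) that applies the same maxretry/findtime/ignoreip/bantime logic to a few constructed sshd log lines in /var/log/auth.log format. The host addresses, timestamps and the year assumed for the syslog timestamps are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in /var/log/auth.log format (hypothetical hosts and
# timestamps); 203.0.113.5 fails five times in under ten minutes.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:05 srv sshd[1202]: Failed password for root from 10.10.10.21 port 40000 ssh2
Mar  3 10:00:10 srv sshd[1203]: Failed password for root from 198.51.100.7 port 42000 ssh2
Mar  3 10:01:12 srv sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:02:30 srv sshd[1205]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:03:45 srv sshd[1206]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
Mar  3 10:03:50 srv sshd[1207]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:04:59 srv sshd[1208]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:12:00 srv sshd[1209]: Failed password for root from 198.51.100.7 port 42001 ssh2
"""

# Syslog timestamp, host, "sshd[pid]:", then the failed-password message.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

def banned_hosts(log_text, maxretry=5, findtime=600, bantime=600,
                 ignoreip="127.0.0.1/8 10.10.10.21", year=2024):
    # Returns {ip: {"banned_at": iso, "unban_at": iso}}; year is assumed
    # because syslog timestamps carry none.
    ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    recent = defaultdict(deque)  # ip -> failure times inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in ignore):
            continue  # ignoreip: never banned, whatever it does
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry and ip not in bans:
            unban = ts + timedelta(seconds=bantime)
            bans[ip] = {"banned_at": ts.isoformat(), "unban_at": unban.isoformat()}
    return bans

if __name__ == "__main__":
    for ip, when in banned_hosts(SAMPLE_LOG).items():
        print(f"{ip} banned at {when['banned_at']} until {when['unban_at']}")
```

With the defaults only 203.0.113.5 is banned; 198.51.100.7 fails twice but 710 seconds apart, so its failures never accumulate inside one findtime window, and 10.10.10.21 is protected by ignoreip.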

It’s worth noticing that fail2ban monitors SSH login attempts by default.

To reconfigure each service, we navigate to that specific service.

For instance, to configure the SSH jail, we navigate to line 215 of the default jail.local configuration file, which might look like the following.

...
[sshd]

port    = ssh
logpath = %(sshd_log)s


[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s
...

[3]. Save the file and restart the service to apply the new rules.

$ sudo service fail2ban restart

[4]. To display the banned IP addresses, we list the iptables rules that fail2ban has inserted:

$ sudo iptables -S
-A fail2ban-SSH -s 192.168.0.12/24 -j REJECT --reject-with icmp-port-unreachable

Reference

A2 Hosting:

    https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban