Fail2ban scans the server's log files and bans IPs that show malicious signs, for example too many password failures, probing for exploits, etc. It runs as a service and creates rules that automatically alter the iptables configuration, all based on a predefined number of unsuccessful login attempts. This lets the server respond to illegitimate access attempts without manual intervention.
Install
Fail2ban is in the Ubuntu package list. To install it from a command prompt, run the following (update first):
xxxx@xxxx:~$ sudo apt-get update
xxxx@xxxx:~$ sudo apt-get install fail2ban
Configure
Configuration files are in the /etc/fail2ban directory.
First, stop the service:
xxxx@xxxx:~$ sudo service fail2ban stop
Duplicate the config file jail.conf to keep the default options intact (this file can be overwritten when updates are applied). Put all the specific settings in jail.local:
xxxx@xxxx:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we can modify the jail.local file to adjust it to our server.
The base
Setting up the base consists of adding one or more source IPs to ignore, the ban time and the number of retries allowed. To do this we need to modify these variables:
- ignoreip = IPs to ignore (separated by a space).
- bantime (in seconds) = how long a client stays banned (default 10 minutes).
- findtime (in seconds) = the window of time in which the retries are counted (see below).
- maxretry = number of tries before being banned. By default a client is banned after 5 tries in 10 minutes (the findtime variable).
In our case we add the IP 192.168.0.15 to the ignore list and change the bantime to 1800 sec (half an hour). To do this we edit the /etc/fail2ban/jail.local file like this:
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.0.15

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 1800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
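To see how the three counters interact, here is an added example (not code from the original post or from the Fail2ban project): a POSIX shell function that replays the maxretry/findtime rule from the DEFAULT section over a constructed list of failed logins and prints the sources that would be banned. Each input line is "<epoch seconds> <ip>", sorted by time; the ignore list is matched as exact addresses only (the real ignoreip also accepts CIDR masks and DNS names), and a banned source is simply skipped afterwards, which stands in for bantime.

```shell
#!/bin/sh
# Added example: simulate Fail2ban's "maxretry failures within findtime seconds"
# decision on a constructed failure list. Not the project's own code.

# Constructed sample: one failed login per line, "<epoch seconds> <source ip>".
# 10.0.0.1     fails 5 times in 400 s            -> exceeds maxretry inside findtime
# 10.0.0.2     fails 5 times, 300 s apart        -> never 5 inside a 600 s window
# 192.168.0.15 fails 5 times in 200 s but is in ignoreip
SAMPLE_LOG=$(cat <<'EOF'
0 10.0.0.1
0 10.0.0.2
50 192.168.0.15
100 10.0.0.1
100 192.168.0.15
150 192.168.0.15
200 10.0.0.1
200 192.168.0.15
250 192.168.0.15
300 10.0.0.1
300 10.0.0.2
400 10.0.0.1
600 10.0.0.2
900 10.0.0.2
1200 10.0.0.2
EOF
)

# would_ban MAXRETRY FINDTIME "IGNOREIP LIST"  < failure lines
# Prints each source that reaches MAXRETRY failures within any FINDTIME-second
# window, in the order the bans would fire. Sources in the ignore list are skipped.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" -v ignore="$3" '
    BEGIN {
        m = split(ignore, list, " ")
        for (i = 1; i <= m; i++) ign[list[i]] = 1
    }
    {
        t = $1 + 0; ip = $2
        if (ip in ign) next        # ignoreip: never counted, never banned
        if (ip in banned) next     # already banned: stays banned (bantime simplified)
        n[ip]++; ts[ip, n[ip]] = t
        # slide the window: forget failures older than findtime seconds
        while (start[ip] < n[ip] && ts[ip, start[ip] + 1] <= t - findtime) start[ip]++
        if (n[ip] - start[ip] >= maxretry) { banned[ip] = t; print ip }
    }'
}

# Stand-alone run with the values from jail.local above (maxretry 5, findtime 600).
printf '%s\n' "$SAMPLE_LOG" | would_ban 5 600 "127.0.0.1 192.168.0.15"
```

Rerunning with a wider window (for example findtime 1300) also bans 10.0.0.2, which shows why findtime, not only maxretry, decides how slow a password-guessing attempt can be before Fail2ban stops noticing it.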
Email alerts
Configure email alerts with the variables destemail, sender and mta. To use it you need the Ubuntu package sendmail.
#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = sysadmin@imtase.com

# Sender email address used solely for some actions
sender = sysadmin@imtase.com

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
We need to adjust the action parameter too:
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s
SSH
To activate a service you just need the line enabled = true in the appropriate section. Example with [sshd]:
#
# SSH servers
#

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
We can now restart fail2ban:
xxxx@xxxx:~$ sudo service fail2ban start
If you want to go deeper into fail2ban, I suggest this excellent post from Linode.
Fail2ban Client
Use the fail2ban-client command with one of these subcommands to act on the server or check information:
- start: Starts the server and jails.
- reload: Reloads the configuration files.
- reload JAIL: Replace JAIL with the name of a Fail2ban jail; this reloads that jail only.
- stop: Stops the server.
- status: Shows the status of the server and the enabled jails.
- status JAIL: Shows the status of the jail, including any currently banned IPs.
Replace JAIL with the service you want to check, for example sshd:
xxxx@xxxx:~$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
xxxx@xxxx:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
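The status output above is also handy for monitoring. As an added example (not part of the original post or of Fail2ban itself), the POSIX shell functions below parse that layout and exit non-zero when "Currently banned" exceeds a threshold, so the check can be dropped into a cron job or a monitoring agent. The status text in the script is constructed to mirror the output shown above; in real use you would pipe "sudo fail2ban-client status sshd" into it instead.

```shell
#!/bin/sh
# Added example: parse "fail2ban-client status JAIL" output and alert on the
# number of currently banned hosts. Not the project's own code.

# Constructed status text, laid out like the real command output above.
# The IPs are documentation addresses (203.0.113.0/24), not real bans.
SAMPLE_STATUS=$(cat <<'EOF'
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     41
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   203.0.113.7 203.0.113.9
EOF
)

# status_field "Field name"  < status text
# Prints the value after "Field name:" (trimmed), or nothing if the field is absent.
# Uses substr rather than splitting on ":" so IPv6 addresses in the ban list survive.
status_field() {
    awk -v field="$1" '
        { p = index($0, field ":") }
        p {
            v = substr($0, p + length(field) + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# check_jail THRESHOLD  < status text
# Exit 0 when currently banned <= THRESHOLD, 1 when above (alert condition),
# 2 when the output could not be parsed (e.g. the jail is not running).
check_jail() {
    text=$(cat)
    count=$(printf '%s\n' "$text" | status_field "Currently banned")
    case "$count" in
        ''|*[!0-9]*) echo "could not parse 'Currently banned'" >&2; return 2 ;;
    esac
    if [ "$count" -gt "$1" ]; then
        ips=$(printf '%s\n' "$text" | status_field "Banned IP list")
        echo "ALERT: $count hosts currently banned (threshold $1): $ips"
        return 1
    fi
    echo "OK: $count hosts currently banned (threshold $1)"
    return 0
}

# Stand-alone run: a threshold of 1 is exceeded by the constructed status.
printf '%s\n' "$SAMPLE_STATUS" | check_jail 1 || true
```

A sudden jump in "Currently banned" on the sshd jail is a cheap early signal of a password-guessing campaign, while a steadily rising "Total failed" with no bans usually means the filter or logpath no longer matches the log format and the jail is silently ineffective.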
NMAP
Install and use the port scanner nmap:
xxxx@xxxx:~$ sudo apt-get install nmap
To scan the server's ports you can use the command:
xxxx@xxxx:~$ nmap -sV -p 1-65535 localhost
-sV = service/version identification
-p = list of ports to scan (a range is separated by -)
You can pass hostnames, IP addresses, networks, etc. (localhost, www.my.com, ranges like 192.168.1.1/24 or 192.168.1.1-50, a single host like 192.168.1.1/32).
You have now made your Ubuntu Server more secure. In part 3 we will look at the use of DPI (Deep Packet Inspection).