Let’s have a proper look at Fail2Ban on Ubuntu 18.0.4.
Last week I was rather pleased with the replacement of CSF / LFD with UFW and OSSEC active response. It seems really rock solid. While configuring and testing, I discovered one big downside of OSSEC active response though: it only works for SSH and not against brute force attempts against different other mechanisms like MTAs and FTP.
There are a couple of alternatives and today I’m setting up fail2ban since it seems to exist like forever and is still being updated.
I should confess that I’ve first tried SSHGuard since it seemed more maintained and a more up-to-date site. After an hour or 2 – 3 I gave up. I was shocked by the lack of proper documentation and I couldn’t get it running reliably in conjunction with UFW. Take it for what its worth.
I’m not removing OSSEC since I’m still using it as a HIDS, but you should remove or comment out the active response sections from /var/ossec/etc/ossec.conf:
<command> <name>firewall-drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command>
<active-response> <command>firewall-drop</command> <location>local</location> <rules_id>5712</rules_id> <timeout>3600</timeout> <repeated_offenders>360,720,1440</repeated_offenders> </active-response>
<global> <white_list>126.96.36.199</white_list> </global>
Restart OSSEC and start installing and setting up fail2ban:
# systemctl restart ossec
# apt install fail2ban
Configuration resides in /etc/fail2ban. The main jail configuration file jail.conf can be worked with but it is highly recommended to create a new jail conf file, normally called jail.local.
Let’s get a simple SSH protection configuration going in this file:
[DEFAULT] destemail = email@example.com sender = firstname.lastname@example.org mta = sendmail actionban = ufw actionunban = ufw findtime = 300 maxretry = 10 bantime = 3600 action = %(action_mwl)s[sendername="Fail2Ban server.yourdomain.com"] ignoreip = 188.8.131.52 [sshd] enabled = true port = ssh filter = sshd
This config does a couple of things, most of it self explanatory.
Since we’re using UFW, we’re using ‘ufw’ at actionban and actionunban. Here ‘ufw’ refers to the ‘ufw.conf’ file in /etc/fail2ban/actions.d. Take a look at the file to see what it does.
The ‘findtime’ refers to the time within failed attempts can cause a block. In our case, when 10 failed attempts from one IP are detected within 300 seconds, the IP will be blocked for 3600 seconds.
The ignoreip can ignore your admin IP. Its debatable if you want to use it or not. When you can also reach your VPS via a console in case of an emergency, I wouldn’t use the ignoreip option.
The ‘action’ part takes care of an email, verbose with a bit from the log, alerting you of the ban. When mail is configured though, you’ll get alerted of every jail restart as well. Disable this by creating the /etc/fail2ban/action.d/sendmail-common.local with:
Putting all this information in the [DEFAULT] section instead of the [sshd] section, will apply this to all jails. So, you can also set the options per jail.
Clean up and restart:
# chown root:root /etc/fail2ban/action.d/sendmail-common.local
# chmod 644 /etc/fail2ban/action.d/sendmail-common.local
# systemctl restart fail2ban
This week I’ll fiddle and test some more, hopefully adding more services, and will report about my adventures next week!