OSSEC active response vs Fail2Ban


Let’s have a proper look at Fail2Ban on Ubuntu 18.0.4.

Last week I was rather pleased with the replacement of CSF / LFD with UFW and OSSEC active response. It seems really rock solid. While configuring and testing, I discovered one big downside of OSSEC active response though: it only works for SSH and not against brute-force attempts against other mechanisms like MTAs and FTP.

There are a couple of alternatives, and today I’m setting up fail2ban since it seems to have existed forever and is still being updated.

I should confess that I first tried SSHGuard since it seemed better maintained and had a more up-to-date site. After two or three hours I gave up. I was shocked by the lack of proper documentation and I couldn’t get it running reliably in conjunction with UFW. Take it for what it’s worth.

I’m not removing OSSEC since I’m still using it as a HIDS, but you should remove or comment out the active response sections from /var/ossec/etc/ossec.conf:

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>3600</timeout>
    <repeated_offenders>360,720,1440</repeated_offenders>
  </active-response>
  <global>
    <white_list>144.10.65.112</white_list>
  </global>

Restart OSSEC and start installing and setting up fail2ban:

# systemctl restart ossec
# apt install fail2ban

Configuration resides in /etc/fail2ban. The main jail configuration file, jail.conf, can be edited directly, but it is highly recommended to put your changes in a separate file, normally called jail.local, which overrides the matching settings in jail.conf and survives package upgrades that replace jail.conf.

Let’s get a simple SSH protection configuration going in this file:

[DEFAULT]
destemail = support@yourdomain.com
sender = root@server.yourdomain.com
mta = sendmail
banaction = ufw
findtime = 300
maxretry = 10
bantime = 3600
action = %(action_mwl)s[sendername="Fail2Ban server.yourdomain.com"]
ignoreip = 134.110.92.78

[sshd]
enabled = true
port = ssh
filter = sshd

This config does a couple of things, most of them self-explanatory.

Since we’re using UFW, we set ‘banaction’ to ‘ufw’. This is the jail option that selects which action file performs the ban and unban (the ‘actionban’ and ‘actionunban’ keys live inside the action file itself, not in jail.local). Here ‘ufw’ refers to the ‘ufw.conf’ file in /etc/fail2ban/action.d. Take a look at the file to see what it does.

The ‘findtime’ is the time window, in seconds, within which failed attempts are counted towards a ban. In our case, when 10 failed attempts from one IP are detected within 300 seconds, the IP will be blocked for 3600 seconds.
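To see how findtime and maxretry interact, here is an added example (not code from the post, nor fail2ban’s own code): a small POSIX shell/awk script that replays constructed auth.log lines through the same sliding-window rule the jail uses, maxretry failures from one source IP inside findtime seconds triggers a ban. Every log line, PID and address (RFC 5737 test ranges) is made up, and the script assumes all lines fall on one calendar day so the HH:MM:SS field alone orders them.

```shell
#!/bin/sh
# Added example, not from the original post: replays constructed sshd log
# lines through the counting rule fail2ban applies with the jail.local above
# (maxretry failures from one source IP within findtime seconds => ban for
# bantime seconds). All lines are constructed; IPs are RFC 5737 test
# addresses; timestamps are assumed to be on one calendar day.

FINDTIME=300    # same values as the jail.local above
MAXRETRY=10
BANTIME=3600

# Constructed auth.log excerpt: 192.0.2.9 makes 10 attempts spread over
# 15 minutes (slow), 203.0.113.5 makes 12 attempts in 45 seconds (fast).
sample_log() {
  cat <<'EOF'
Mar  3 10:00:00 server sshd[2001]: Failed password for root from 192.0.2.9 port 40022 ssh2
Mar  3 10:01:40 server sshd[2003]: Failed password for root from 192.0.2.9 port 40023 ssh2
Mar  3 10:03:20 server sshd[2005]: Failed password for root from 192.0.2.9 port 40024 ssh2
Mar  3 10:05:00 server sshd[2007]: Failed password for root from 192.0.2.9 port 40025 ssh2
Mar  3 10:06:40 server sshd[2009]: Failed password for root from 192.0.2.9 port 40026 ssh2
Mar  3 10:08:20 server sshd[2011]: Failed password for root from 192.0.2.9 port 40027 ssh2
Mar  3 10:10:00 server sshd[2013]: Failed password for root from 192.0.2.9 port 40028 ssh2
Mar  3 10:11:40 server sshd[2015]: Failed password for root from 192.0.2.9 port 40029 ssh2
Mar  3 10:12:30 server sshd[2016]: Accepted publickey for ops from 198.51.100.7 port 50110 ssh2
Mar  3 10:13:20 server sshd[2017]: Failed password for root from 192.0.2.9 port 40030 ssh2
Mar  3 10:15:00 server sshd[2019]: Failed password for root from 192.0.2.9 port 40031 ssh2
Mar  3 10:15:01 server sshd[2021]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2
Mar  3 10:15:05 server sshd[2022]: Failed password for invalid user admin from 203.0.113.5 port 51202 ssh2
Mar  3 10:15:09 server sshd[2023]: Failed password for invalid user admin from 203.0.113.5 port 51203 ssh2
Mar  3 10:15:13 server sshd[2024]: Failed password for invalid user admin from 203.0.113.5 port 51204 ssh2
Mar  3 10:15:17 server sshd[2025]: Failed password for invalid user admin from 203.0.113.5 port 51205 ssh2
Mar  3 10:15:21 server sshd[2026]: Failed password for invalid user admin from 203.0.113.5 port 51206 ssh2
Mar  3 10:15:25 server sshd[2027]: Failed password for invalid user admin from 203.0.113.5 port 51207 ssh2
Mar  3 10:15:29 server sshd[2028]: Failed password for invalid user admin from 203.0.113.5 port 51208 ssh2
Mar  3 10:15:33 server sshd[2029]: Failed password for invalid user admin from 203.0.113.5 port 51209 ssh2
Mar  3 10:15:37 server sshd[2030]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 10:15:41 server sshd[2031]: Failed password for invalid user admin from 203.0.113.5 port 51211 ssh2
Mar  3 10:15:45 server sshd[2032]: Failed password for invalid user admin from 203.0.113.5 port 51212 ssh2
EOF
}

# simulate_jail FINDTIME MAXRETRY BANTIME < logfile
# Prints one "BAN <ip> at <HH:MM:SS> for <bantime>s" line per ban decision.
simulate_jail() {
  awk -v findtime="$1" -v maxretry="$2" -v bantime="$3" '
  # HH:MM:SS -> seconds since midnight (one-day assumption)
  function hms(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
  # Record one failure for ip at time ts, dropping timestamps that fell out
  # of the findtime window; returns how many failures remain in the window.
  function failure(ip, ts,   i, n) {
    n = 0
    for (i = 1; i <= cnt[ip]; i++)
      if (times[ip, i] > ts - findtime) { n++; times[ip, n] = times[ip, i] }
    cnt[ip] = n + 1
    times[ip, cnt[ip]] = ts
    return cnt[ip]
  }
  # Only failed-password lines count; the source address follows "from".
  /sshd\[[0-9]+\]: Failed password/ {
    for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
    if (failure(ip, hms($3)) >= maxretry && !(ip in banned)) {
      banned[ip] = 1
      printf "BAN %s at %s for %ss\n", ip, $3, bantime
    }
  }'
}

# With the post values only the fast source crosses the threshold:
# prints "BAN 203.0.113.5 at 10:15:37 for 3600s"
sample_log | simulate_jail "$FINDTIME" "$MAXRETRY" "$BANTIME"
```

The slow source never has more than four failures inside any 300-second window, so it is never banned with these values; widen findtime to an hour and it is. For the real filter and log, fail2ban ships fail2ban-regex (for example `fail2ban-regex /var/log/auth.log sshd`), which reports how many lines the sshd filter matches.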

The ignoreip option exempts your admin IP from bans. It’s debatable whether you want to use it or not. When you can also reach your VPS via a console in case of an emergency, I wouldn’t use the ignoreip option.

The ‘action’ part takes care of sending an email, including a bit of the log, alerting you of the ban. When mail is configured, though, you’ll be alerted of every jail restart as well (the actionstart and actionstop notifications). Disable this by creating /etc/fail2ban/action.d/sendmail-common.local containing:

[Definition]
actionstart =
actionstop =

Putting all these settings in the [DEFAULT] section instead of the [sshd] section applies them to all jails; any of them can also be set per jail to override the default.

Clean up and restart:

# chown root:root /etc/fail2ban/action.d/sendmail-common.local
# chmod 644 /etc/fail2ban/action.d/sendmail-common.local
# systemctl restart fail2ban

This week I’ll fiddle and test some more, hopefully adding more services, and will report about my adventures next week!
