I can be a very happy camper when I’m configuring something new and it ‘just works’ and does its job as expected and more. See the previous post on Fail2Ban.
Creating a new jail and making the most important service hacker-proof is a matter of minutes. Of course, fine-tuning it to my liking can take a few hours, but that’s just me being picky.
After a week of testing, here is a more in-depth look at this brute force protection.
To start off, there is this command I forgot to mention that has a lot of options available: fail2ban-client. Let’s take a quick look at the most used options.
General commands concerning the entire service:
# fail2ban-client start
# fail2ban-client stop
# fail2ban-client reload
# fail2ban-client status
A couple of jail specific commands (using sshd as an example):
# fail2ban-client start sshd
# fail2ban-client stop sshd
# fail2ban-client reload sshd
# fail2ban-client status sshd
Easy right? You can take a look at the above link for a lot more possibilities with this command.
Instant update: to restart the whole service I would still use ‘systemctl’ instead of the ‘reload’ option. When testing with emails, I discovered that a reload didn’t do the job as expected.
The next logical thing is to add more services to be watched and protected against brute force attempts. After some looking around, it seems that most of the configuration is already in the jail.conf file, but you have to copy it to the jail.local file (see the previous post) and enable it.
Examples of built-in and often used services:
Now I would like to add protection for nginx, postfix and vsftpd against brute force attempts. The most common attacks are picked up by Fail2Ban automatically. Just take a look at /etc/fail2ban/filter.d/nginx-http-auth.conf, /etc/fail2ban/filter.d/postfix.conf and /etc/fail2ban/filter.d/vsftpd.conf for the regexes.
When the built-in regexes don’t suffice, you can search for, create and add your own regex. You can even use a built-in tool to experiment with it:
You can add these regexes to any file in the filter.d directory, in our case nginx-http-auth.conf, postfix.conf and vsftpd.conf. I’m no regex expert, so I can’t help you there. I would recommend Googling, as I did for an nginx regex, and you will surely find it!
Anyway, this being said, we need to add our 3 services to the jail.local file to enable them. Simply add them at the bottom:
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
Restart the service and you’re done!
# systemctl restart fail2ban
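As an added illustration of how a jail turns filter matches into a ban (this is my own code, not from the original post or from Fail2Ban itself), the Python below applies an nginx-http-auth-style failregex to constructed nginx error.log lines and counts failures per client inside the findtime window. The regex and the IPv4-only expansion of <HOST> are my simplifications; maxretry = 5 and findtime = 600 s are the jail.conf defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in nginx error.log format (not taken from a real server).
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 1234#1234: *1 user "bob": password mismatch, client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1", host: "example.org"
2024/05/01 10:00:05 [error] 1234#1234: *2 user "bob": password mismatch, client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1", host: "example.org"
2024/05/01 10:00:09 [error] 1234#1234: *3 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1", host: "example.org"
2024/05/01 10:00:12 [error] 1234#1234: *4 user "alice": password mismatch, client: 198.51.100.9, server: example.org, request: "GET /admin HTTP/1.1", host: "example.org"
2024/05/01 10:00:15 [notice] 1234#1234: signal process started
2024/05/01 10:30:00 [error] 1234#1234: *5 user "bob": password mismatch, client: 203.0.113.7, server: example.org, request: "GET /admin HTTP/1.1", host: "example.org"
"""

# Approximation of the nginx-http-auth failregex (my own pattern, not copied from filter.d).
# <HOST> is the placeholder fail2ban expands to the attacker address; here IPv4 only.
FAILREGEX = (r'^(?P<ts>\S+ \S+) \[error\] \d+#\d+: \*\d+ user "[^"]+"'
             r'(?::? password mismatch| was not found in "[^"]*"), client: <HOST>,')
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches, as the filter does."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST))
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("host")


def find_bans(log_text, maxretry=5, findtime=600):
    """Return {host: ban_count}: a host is banned each time it reaches maxretry
    failures within findtime seconds (jail.conf defaults: 5 tries in 10 minutes)."""
    recent = defaultdict(list)   # host -> timestamps still inside the window
    bans = defaultdict(int)
    for ts, host in parse_failures(log_text):
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        if len(window) >= maxretry:
            bans[host] += 1
            window = []          # the host's failure history is reset once banned
        recent[host] = window
    return dict(bans)


if __name__ == "__main__":
    # Three failures in eight seconds bans 203.0.113.7 with maxretry=3;
    # the lone 10:30 failure falls outside the window and does not count.
    print(find_bans(SAMPLE_LOG, maxretry=3))   # {'203.0.113.7': 1}
    print(find_bans(SAMPLE_LOG))               # {} with the default maxretry=5
```

Lowering maxretry or raising findtime in jail.local changes the result exactly as it does here, which is the knob to turn when a jail seems to ignore an obvious brute force run.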