Fail2Ban config on Ubuntu 18.04


I can be a very happy camper when I’m configuring something new and it ‘just works’, doing its job as expected and more. See the previous post on Fail2Ban.

Creating a new jail and making the most important service hacker-proof is a matter of minutes. Of course, fine-tuning it to my liking can take a few hours, but that’s just me being picky.

After a week of testing, here is a more in-depth look at this brute-force protection.

To start off, there is a command I forgot to mention that has a lot of options available: fail2ban-client. Let’s take a quick look at the most used ones.

General commands concerning the entire service:

# fail2ban-client start
# fail2ban-client stop
# fail2ban-client reload
# fail2ban-client status

A couple of jail specific commands (using sshd as an example):

# fail2ban-client start sshd
# fail2ban-client stop sshd
# fail2ban-client reload sshd
# fail2ban-client status sshd

Easy, right? You can take a look at the above link for a lot more possibilities with this command.

Instant update: to restart the whole service, I would still use ‘systemctl’ instead of the ‘reload’ option. When testing with emails, I discovered that a reload didn’t do the job as expected.

The next logical step is to add more services to be watched and protected against brute-force attempts. After some looking around, it seems that most of the config is already in the jail.conf file, but you have to copy it to the jail.local file (see the previous post) and enable it.

Examples of built-in and often used services:

  • apache
  • directadmin
  • dovecot
  • exim
  • nginx
  • phpmyadmin
  • postfix
  • proftpd
  • sendmail
  • squid
  • vsftpd

Now I would like to add protection for nginx, postfix and vsftpd against brute-force attempts. The most common attacks will be picked up by Fail2Ban automatically. Just take a look at /etc/fail2ban/filter.d/nginx-http-auth.conf, /etc/fail2ban/filter.d/postfix.conf and /etc/fail2ban/filter.d/vsftpd.conf for the regexes.

When the built-in regexes won’t suffice, you can search for, create and add your own regex. You can even use a built-in tool to experiment with it (it takes the log file and the filter to test as arguments):

# fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf

You can add these regexes to any file in the filter.d directory, in our case nginx-http-auth.conf, postfix.conf and vsftpd.conf. I’m no regex expert, so I can’t help you there. I would recommend Googling, like I did for an Nginx regex, and you will surely find it!

Anyway, this being said, we need to add our three services to the jail.local file to enable them. Simply add them at the bottom:

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

Restart the service and you’re done!

# systemctl restart fail2ban
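As an added example that is not part of this post or of Fail2Ban itself, the Python sketch below shows what fail2ban-regex and a jail do with a filter: the <HOST> placeholder in a failregex is expanded into an IP-address group, each matching log line counts as a failure for that host, and a host is banned once it reaches maxretry failures within findtime seconds. The failregex is a simplified, constructed version of the nginx-http-auth style (not copied from filter.d), the log lines are constructed, and the maxretry/findtime defaults are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx error-log lines (no real traffic). The nginx error log
# puts the timestamp first, then "[error] pid#tid: *conn ...".
SAMPLE_LOG = """\
2019/03/01 10:00:01 [error] 1234#1234: *10 user "admin": password mismatch, client: 203.0.113.7, server: example.test, request: "GET /admin HTTP/1.1", host: "example.test"
2019/03/01 10:00:05 [error] 1234#1234: *11 user "admin": password mismatch, client: 203.0.113.7, server: example.test, request: "GET /admin HTTP/1.1", host: "example.test"
2019/03/01 10:00:09 [error] 1234#1234: *12 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: example.test, request: "GET /admin HTTP/1.1", host: "example.test"
2019/03/01 10:00:30 [error] 1234#1234: *13 user "bob": password mismatch, client: 198.51.100.9, server: example.test, request: "GET /admin HTTP/1.1", host: "example.test"
2019/03/01 10:21:00 [notice] 1234#1234: signal process started
"""

# Simplified failregex in fail2ban's own notation: <HOST> marks the client
# address (constructed for this demo, not the upstream nginx-http-auth filter).
FAILREGEX = r'\[error\] \d+#\d+: \*\d+ user "[^"]*"(?::? password mismatch| was not found in "[^"]*"), client: <HOST>,'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

def compile_failregex(failregex):
    # fail2ban expands <HOST> into a named group before compiling the regex.
    return re.compile(failregex.replace('<HOST>', HOST_RE))

def matched_hosts(log_text, failregex):
    """Return (timestamp, host) for every line the failregex matches,
    roughly what `fail2ban-regex <log> <filter>` reports as matched."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(line[:19], '%Y/%m/%d %H:%M:%S')
            hits.append((ts, m.group('host')))
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Apply the jail rule: ban a host once it has maxretry matches
    inside a sliding window of findtime seconds (values are demo defaults)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in sorted(hits):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == '__main__':
    print(hosts_to_ban(matched_hosts(SAMPLE_LOG, FAILREGEX)))
```

Lowering findtime to a few seconds shows the other side of tuning: the same three failures no longer fall inside one window, so the host is not banned.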
