Friday, October 26, 2007

fail2ban - Yet another tool to protect your server


What is Fail2ban?

Fail2ban scans log files like /var/log/auth.log or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2ban can read multiple log files such as sshd or Apache web server ones. You need python >= 2.3, gamin >= 0.0.21 (optional) and one of these : iptables, shorewall or tcpwrapper.

What does the version number of Fail2ban mean?

The structure of the version number is major.minor.revision. Currently the major number is 0. The policy for minor is:

  • odd numbers (0.5, 0.7, etc) are development versions.
  • even numbers (0.6, 0.8, etc) are stable versions.
Fail2ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Where can I get it?

fail2ban source can be downloaded from here. Distro-specific packages can be downloaded from http://www.fail2ban.org/wiki/index.php/Downloads. You might want to try using package manager first. It might be in your distros repositories. Chances are it is the older version. That's why I like to install from source :). For debianista, apt-get install fail2ban will take care of it.

Installation

As of this writing, the latest version is 0.8.1.
1. Extracting : tar xjvf fail2ban-0.8.1.tar.bz2
2. cd fail2ban-0.8.1
3. python setup.py install

This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are placed into /usr/bin.

Fail2Ban should be correctly installed now. Just type:

fail2ban-client -h

to see if everything is alright. You should always use fail2ban-client and never call fail2ban-server directly. UPDATE: to be able to activate and control fail2ban server, you need to copy init file specific for your distro in fail2ban-0.8.1/files directory. For Mandriva, you can use RedHat one. Copy file redhat-initd to /etc/init.d directory :

cp redhat-initd /etc/init.d/fail2ban

There are also init files for SuSe and Gentoo.

Configuration

1. Edit file /etc/fail2ban/fail2ban.conf using your favorite editor. I used joe for it. So:

cd /etc/fail2ban
joe fail2ban.conf

In this file, you may want to increase the loglevel to 4 for more verbose log for troubleshooting purposes.

2. Edit file /etc/fail2ban/jail.conf
joe jail.conf

In this file, uncomment sections that you want to activate and change enabled = false to enabled = true. Say, you want fail2ban to monitor port 22 (ssh) for login attempts :

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/auth.log
maxretry = 4

There are many sections in there for monitoring other ports like ftp, http, etc. It's up to you to monitor which ports. Just uncomment the sections you want and change enabled = true to activate in those sections. If you want to be notified, uncomment the commented line above and replace your email address for dest (and for sender too to reflect your system mails). I change the log path to /var/log/auth.log because this is the authentication log for my system. Change it accordingly for your system. All fail2ban actions are logged and can be reviewed by tail /var/log/fail2ban.log. Example of fail2ban.log on my system:

-- START --
2007-10-26 00:24:56,880 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 00:24:56,880 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 00:24:56,881 fail2ban.filter : DEBUG Setting file position to 783921 for /var/log/auth.log
2007-10-26 00:24:56,882 fail2ban.filter : DEBUG Found 200.32.73.4
2007-10-26 00:24:56,883 fail2ban.filter : DEBUG Found 200.32.73.4
2007-10-26 00:24:56,883 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 00:24:57,868 fail2ban.actions: WARNING [ssh-iptables] Ban 200.32.73.4
2007-10-26 00:24:57,868 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-26 00:24:57,886 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-26 00:24:57,886 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 200.32.73.4 -j DROP
2007-10-26 00:24:57,891 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 200.32.73.4 -j DROP returned successfully
2007-10-26 00:26:57,873 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 00:26:57,873 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 00:26:57,874 fail2ban.filter : DEBUG Setting file position to 784190 for /var/log/auth.log
2007-10-26 00:26:57,875 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 00:34:58,860 fail2ban.actions: WARNING [ssh-iptables] Unban 200.32.73.4
2007-10-26 00:34:58,860 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-26 00:34:58,867 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-26 00:34:58,867 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 200.32.73.4 -j DROP
2007-10-26 00:34:58,872 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 200.32.73.4 -j DROP returned successfully
2007-10-26 06:07:39,998 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 06:07:39,998 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 06:07:39,999 fail2ban.filter : DEBUG Setting file position to 784279 for /var/log/auth.log
2007-10-26 06:07:40,000 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 11:23:50,076 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 11:23:50,087 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 11:23:50,116 fail2ban.filter : DEBUG Setting file position to 784372 for /var/log/auth.log
2007-10-26 11:23:50,123 fail2ban.filter.datedetector: DEBUG Sorting the template list
-- End--

As you can see above, there's IP being banned by fail2ban by way of iptables and after a period of time, it will be unbanned. All these can be modified in /etc/fail2ban/jail.conf

To see whether the actions really happen, see iptables rules:

iptables -L -n

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 85.185.250.20 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Please read the documentations in the tarball for latest updates and on how to configure it. With fail2ban, it is another weapon for system administrators to combat brute-force attacks. Enjoy :)

No comments: