
Securing Webservers - Fail2Ban Ubuntu 20.10

TST, Hong Kong

Installation

fail2ban is a daemon to ban hosts that cause multiple authentication errors.

fail2ban watches the authentication log (a log file such as /var/log/auth.log, or the systemd journal, depending on the configured backend) for failed login attempts for whichever jails have been enabled. Once a host exceeds the configured number of failures inside the configured time window, fail2ban adds a firewall rule that blocks that IP address for the configured ban time.

Start by installing the package on your system: from the distribution repositories on Debian and Ubuntu, or through EPEL on CentOS. The sendmail package is only needed if you want the e-mail alerts described further down.

CentOS

yum update && yum install epel-release
yum install fail2ban
yum install sendmail
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail

Debian

apt-get update && apt-get upgrade -y
apt-get install fail2ban
apt-get install sendmail-bin sendmail

Ubuntu

apt-get update && apt-get upgrade -y
apt-get install fail2ban
apt-get install sendmail

Allow SSH through UFW before enabling the firewall, otherwise enabling it locks you out of the box:

ufw allow ssh
ufw enable

Configure Fail2ban

On Debian and Ubuntu the package enables the sshd jail out of the box (through /etc/fail2ban/jail.d/defaults-debian.conf); on CentOS no jail is enabled until you turn one on. In jail.conf itself every jail (sshd, HTTP, FTP, etc.) is shipped disabled. Do not edit jail.conf, because package upgrades overwrite it; put your changes in jail.local instead. You can start from a full copy:

jail.local

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

A jail.local that contains only the settings you change is easier to maintain, though: jail.local is read after jail.conf and overrides it setting by setting, so anything you do not mention keeps the packaged default.

The next step is to configure a jail (a service you want to monitor, and the thresholds at which offenders get banned). With the packaged defaults (bantime = 10m) an IP is banned for ten minutes. The best practice is to override the defaults in *.local files instead of directly modifying the *.conf files:

# nano /etc/fail2ban/jail.local
[DEFAULT]
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true
# "bantime" is the number of seconds that a host is banned.
bantime = 1d

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 1h

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

With these values an address that fails five times inside one hour is blocked for one day, and because bantime.increment is on, each further ban of the same address doubles the previous one. The per-service jails that these defaults apply to follow further down the file, e.g.:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = normal
port = ssh,ftps,12345
logpath = %(sshd_log)s
backend = %(sshd_backend)s

To exempt specific addresses, add them to the ignoreip line. fail2ban never bans its own host's addresses while ignoreself is true (the default). If you usually administer the box from one address, add it to the list so that a mistyped password of your own cannot lock you out:

# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignoreself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
ignoreip = 127.0.0.1/8 192.168.2.112

To exempt an address from a single jail at run time, use the fail2ban-client command. Replace JAIL with the name of your jail and 123.45.67.89 with the IP you wish to exempt. This change lives in the running server only and is gone after a restart or reload; to make it permanent, set ignoreip in that jail's section of jail.local.

fail2ban-client set JAIL addignoreip 123.45.67.89
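To make the interplay of findtime, maxretry, ignoreip and bantime.increment concrete, here is an added example that replays constructed auth.log lines through the same sliding-window rule fail2ban applies. It is not code from this page or from the fail2ban project: the regex is a simplified stand-in for filter.d/sshd.conf that covers only the "Failed password" message shape used in the sample, the year 2021 is assumed because syslog timestamps carry none, and the hostnames and addresses are made up (documentation ranges plus the 192.168.2.112 address from the ignoreip line above).

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for the patterns in filter.d/sshd.conf: it only covers the
# "Failed password for [invalid user] X from IP port N" shape used in the sample.
# fail2ban's real filter matches many more sshd messages.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample below

# Constructed sample of /var/log/auth.log lines (not a real capture):
#   203.0.113.7    five failures in four minutes        -> should be banned
#   192.168.2.112  five quick failures, but on ignoreip -> must not be banned
#   198.51.100.9   five failures 40 minutes apart       -> never 5 inside 1h
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:01:10 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  4 10:02:11 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  4 10:03:12 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  4 10:04:13 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  4 10:05:00 web1 sshd[1211]: Failed password for deploy from 192.168.2.112 port 40001 ssh2
Mar  4 10:05:01 web1 sshd[1212]: Failed password for deploy from 192.168.2.112 port 40002 ssh2
Mar  4 10:05:02 web1 sshd[1213]: Failed password for deploy from 192.168.2.112 port 40003 ssh2
Mar  4 10:05:03 web1 sshd[1214]: Failed password for deploy from 192.168.2.112 port 40004 ssh2
Mar  4 10:05:04 web1 sshd[1215]: Failed password for deploy from 192.168.2.112 port 40005 ssh2
Mar  4 10:06:00 web1 sshd[1216]: Accepted publickey for deploy from 192.168.2.112 port 40006 ssh2
Mar  4 10:10:00 web1 sshd[1220]: Failed password for root from 198.51.100.9 port 42000 ssh2
Mar  4 10:50:00 web1 sshd[1221]: Failed password for root from 198.51.100.9 port 42001 ssh2
Mar  4 11:30:00 web1 sshd[1222]: Failed password for root from 198.51.100.9 port 42002 ssh2
Mar  4 12:10:00 web1 sshd[1223]: Failed password for root from 198.51.100.9 port 42003 ssh2
Mar  4 12:50:00 web1 sshd[1224]: Failed password for root from 198.51.100.9 port 42004 ssh2
"""


def parse_duration(text):
    """Accept the short forms jail.local uses: plain seconds, or 10m, 1h, 1d, 5w."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    text = str(text).strip()
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def is_ignored(ip, ignoreip):
    """ignoreip semantics: single addresses or CIDR masks that are never banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(log_text, findtime="1h", maxretry=5, ignoreip=("127.0.0.1/8", "::1")):
    """Return {ip: time of ban} for every host that reaches maxretry failures
    inside a sliding findtime window, skipping hosts covered by ignoreip."""
    window = timedelta(seconds=parse_duration(findtime))
    recent = {}  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line (e.g. "Accepted publickey")
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = ts
    return bans


def ban_seconds(bantime="1d", previous_bans=0, increment=True, maxtime=None):
    """Ban length for a host's (previous_bans + 1)th ban. With bantime.increment on,
    the jail.local comment gives bantime * 1, 2, 4, 8, 16, 32...; maxtime models the
    optional bantime.maxtime cap (assumption: None means uncapped)."""
    base = parse_duration(bantime)
    if not increment:
        return base
    seconds = base * 2 ** previous_bans
    return min(seconds, parse_duration(maxtime)) if maxtime else seconds


if __name__ == "__main__":
    ignore = ("127.0.0.1/8", "::1", "192.168.2.112")  # the ignoreip line above, plus ::1
    for ip, when in find_bans(SAMPLE_LOG, ignoreip=ignore).items():
        print(f"{ip}: 5 failures by {when}, ban {ban_seconds('1d', 0)}s now, "
              f"{ban_seconds('1d', 1)}s on the next ban")
```

Run it as-is and only 203.0.113.7 is reported; drop 192.168.2.112 from the ignore tuple and it is reported too, while 198.51.100.9 only gets banned once findtime is widened to three hours. That last case is the reason findtime matters as much as maxretry: a slow brute-force that stays under maxretry per window is invisible to the jail.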

Now activate the SSH jail by enabling it in a drop-in file. fail2ban reads jail.conf, jail.d/*.conf, jail.local and jail.d/*.local, in that order, so the file must live in /etc/fail2ban/jail.d/; a file named /etc/fail2ban/sshd.local in the top-level directory is never read. Put only the settings that differ from jail.local in here:

# nano /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true

The backend must match where sshd writes its failures. On Debian and Ubuntu, rsyslog writes them to /var/log/auth.log, so the default backend = auto finds them. On CentOS or Fedora, if nothing is writing /var/log/secure (rsyslog not installed, so the messages exist only in the journal), set backend = systemd for the sshd jail, or in [DEFAULT] for all jails. You can tell which backend a running jail uses from fail2ban-client status sshd: a file backend shows a "File list" line, the systemd backend shows "Journal matches".

Email Alerts

To receive email when fail2ban is triggered, adjust the email settings:

  • destemail: The email address where you would like to receive the emails.
  • sendername: The name under which the email shows up.
  • sender: The email address from which Fail2ban will send emails.

Note If unsure of what to put under sender, run the command sendmail -t user@email.com, replacing user@email.com with your email address. Check your email (including spam folders, if needed) and review the sender email. This address can be used for the above configuration.

You will also need to adjust the action setting, which defines what happens when the ban threshold is met. The default, %(action_)s, only bans the IP. %(action_mw)s bans and sends an email with a WhoIs report, while %(action_mwl)s bans and sends an email with the WhoIs report and all relevant lines from the log file. Set action = %(action_mwl)s in [DEFAULT] to apply it everywhere, or in a jail's own section to change it for that jail only.

Enable fail2ban

Next enable and start the fail2ban service.

systemctl enable --now fail2ban
systemctl status fail2ban

fail2ban-client commands

fail2ban-client COMMAND
  • start: Starts the Fail2ban server and jails.
  • reload: Reloads Fail2ban's configuration files without dropping current bans.
  • reload JAIL: Reloads only the named jail; replace JAIL with the name of a Fail2ban jail.
  • stop: Terminates the server.
  • status: Shows the status of the server and lists the enabled jails.
  • status JAIL: Shows the status of the jail, including any currently banned IPs.

To check the status of fail2ban and make sure the jail is enabled enter:

fail2ban-client status

Status
|- Number of jail: 1
`- Jail list: sshd

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 8
|  |- Total failed: 4399
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 101
   |- Total banned: 684
   `- Banned IP list: ...

To follow ban and unban events as they happen:

tail -f /var/log/fail2ban.log

To see where a banned address is located, run whois IPADDRESS | grep -i country; if most offenders cluster in countries you never need to serve, consider adding country block lists at the firewall.

Unbanning an IP Address

To remove an address from the banned list, pass the jail name and the address to fail2ban-client. Here sshd is the jail configured above and IPADDRESS is the address to unban; the counterpart, set sshd banip IPADDRESS, bans an address by hand.

fail2ban-client set sshd unbanip IPADDRESS