Operating and managing a remote server located in a data centre is often carried out by using a secure network connection provided by the SSH protocol. The necessary registration on the server is preceded by an authentication process. Usually this occurs in the form of the username and password. Alternative methods such as the public key authentication used by SSH, do have their advantages. But...
‘With great power comes great responsibility’; this applies to a great number of things in life, not least when it comes to your server's security. Security plays a key role in keeping unwanted third parties from accessing servers. Criminals have many motives for their attacks, and every successful breach presents a risk to the server operator.
So what is Fail2Ban?
Written in the programming language Python, the security framework Fail2ban is a server module that can be used on all Linux and POSIX systems with firewalls or packet filters. Tucked away in the server’s log files, Fail2ban detects suspicious IP addresses (e.g. ones with multiple failed log-in attempts). Once a certain number of failed attempts is reached, the suspicious address is automatically blocked for a predetermined period of time. Fail2Ban administrators can also receive notices of the IP addresses via e-mail.
By default, Fail2Ban comes with a range of filters for Apache, Postfix, or Courier; these recognise certain strings in log files. These filters trigger actions, which are commands that are executed at a predetermined point in time. The combination of a filter and an action, which can cause Fail2ban to block an IP address, is known as a jail. With Fail2ban, these jails can be programmed for any software that creates log files. Because Fail2ban is made up of an open source framework with a GPL2 license, both its use and its accompanying extensions remain entirely free of charge.
Fail2ban: installation and configuration
Before installation, ensure that Python (at least version 2.4) is installed on your system. It’s also worthwhile to download the firewall configuration tools itables, Shorewall, and TCP Wrappers before getting started. The following step-by-step guide lays out how to set up and use Fail2ban on Debian or Ubuntu:
- Start the installation process with the command:
sudo apt-get install fail2ban
- After installation is complete, locate the framework in the directory /etc/fail2ban. To be on the safe side, use the following command to copy the configuration file, jail.conf; this protects your own settings from updates:
sudo cp jail.conf jail.local
- Start Fail2ban with the following command:
sudo service fail2ban start
- In the configuration file, you can activate or deactivate pre-formulated rules, including jails, and customise their parameters. It’s also possible to add your own jail. The following jail parameters can be configured:
enabled: activated (true) or deactivated (false) the rule
filter: name of the filter from the file /etc/fail2ban/filter.d
port: specify port (e.g. SSH, HTTP, HTTPS)
logpath: path to log file to be read
maxretry: maximum number of failed attempts
findtime: time period allotted for problematic IPs to be searched for (in seconds)
bantime: time period for which a given IP can be blocked (-1: permanent)
- Once changes have been made to the parameters, now reload Fail2ban:
sudo service fail2ban reload
- Fail2ban then saves the evaluation results in a separate log file that can be accessed as follows:
tail -100f /var/log/fail2ban.log
- Finally, the security framework can be closed by entering:
sudo service fail2ban stop
Also effective against bots and scripts
Because Fail2ban can be used wherever log files can be read with filters, users have access to numerous applications for this prevention framework. A popular example of this is the WordPress plugin, Antispam Bee, which is able to identify comments on WordPress blogs as spam. The option “Mark as spam, do not delete” labels spam posts with the error code 403. IP addresses, post and error sequences then appear in the WordPress log file (access log). By using a jail that scans the log entries after the error code, spam can be intercepted at the server level.
Not only does Fail2ban protect WordPress from spam and other hacker attacks, it also protects against unauthorised log-ins. With the help of the extension, failed log-ins can be answered by printing the status code 403. This is enough to stop some bots and scripts and abruptly end their activities. With programmed Fail2ban rules, the extension also enables this tried and tested blocking procedure.
Fail2ban: a flexible and versatile security framework
In the battle against bots, scripts, and other hacker attacks, Fail2ban provides server operators with a flexible and effective form of protection. This framework lets users size up suspicious log files and subsequently ban the respective IP address on a temporary or permanent basis. Users can also determine which services Fail2ban inspects as well as the parameters that should be applied during the inspection. IP address can be barred from the search and blocked IPs can be unblocked.
Fail2ban is no substitute for tried-and-tested security precautions, like protective software, a good back up structure, and encryption protection. But if properly configured, it nicely complements other server security efforts. Let it be clear though that individual components can only provide comprehensive protection against attacks when used as port of a broader security scheme.