Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Server
Fail2ban is primarily focused on SSH attacks, although it can be further configured to work for any service that uses log files and can be subject to a compromise.
apt-get install fail2ban
General Settings within Fail2Ban
To make modifications, we need to copy this file to /etc/fail2ban/jail.local. This will prevent our changes from being overwritten if a package update provides a new default file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the newly copied file
sudo nano /etc/fail2ban/jail.local
IP Whitelisting and ban time
These will be found under the [DEFAULT] section within the file. These items set the general policy and can each be overridden in specific jails.
Add any IPs to the ignoreip line that you wish Fail2ban to ignore
[DEFAULT] ignoreip = 127.0.0.1/8 126.96.36.199
you may want to adjust is the bantime, which controls how many seconds an offending member is banned for
[DEFAULT] # "bantime" is the number of seconds that a host is banned. bantime = 3600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 3600 maxretry = 3
If you wish to receive email when Fail2ban is triggered, adjust the email settings:
you have your MTA set up, you will have to adjust some additional settings within the [DEFAULT]
destemail: The email address where you would like to receive the emails.
sendername: The name under which the email shows up.
sender: The email address from which Fail2ban will send emails
[DEFAULT] mta = mail destemail = [email protected] sendername = Fail2BanAlerts
You can use the action_mw action to ban the client and send an email notification to your configured account with a “whois” report on the offending address. You could also use the action_mwl action, which does the same thing, but also includes the offending log lines that triggered the ban
[DEFAULT] action = %(action_mwl)s
Configuring Fail2Ban to Monitor Apache Logs
These will be found under the [apache] section within the file. These items set the general policy and can each be overridden in specific jails.
To enable log monitoring for Apache login attempts, we will enable the [apache] jail. Edit the enabled directive within this section so that it reads “true”:
[apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 findtime = 600
[apache-noscript] jail is used to ban clients that are searching for scripts on the website to execute and exploit. If you do not use PHP or any other language in conjunction with your web server, you can enable this jail to ban those who request these types of resources:
[apache-noscript] enabled = true
The [apache-overflows] jail is used to block clients who are attempting to request unusually long and suspicious URLs. These are often signs of attempts to exploit Apache by trying to trigger a buffer overflow. You can enable this jail if you wish to prevent these types of attacks:
[apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2
Protect SSH with Fail2Ban
These will be found under the [SSH] section within the file. These items set the general policy and can each be overridden in specific jails.
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
Protect Mail with Fail2Ban
Our Mail smtp is Postfix, you can use anyone, like sendmail etc..
An often used attack vector is brute forcing MTA logins. While most admins watch ssh auth logs like a hawk, email auth/login logs are most often not closely watched for this sort of thing if at all.
Prevent a Postfix brute force attack!
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log maxretry = 5
Also do the same for the [sasl] section if you use sasl auth:
[sasl] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl logpath = /var/log/mail.log
Save then implement your changes, you’ll need to restart the fail2ban service. do that by typing:
sudo service fail2ban restart
Check Postfix status
sudo fail2ban-client status postfix
Check SSH status
sudo fail2ban-client status ssh
Check apache status
sudo fail2ban-client status apache