Protect yourself against BruteForce attacks with Fail2Ban!

Requirements:

Fail2Ban is a very handy utility that allows you to analyse your server logs and to recognise recurring patterns of failures - allowing you to block IP's trying to brutefore your server.

In this tutorial we will describe the installation of Fail2Ban to block brutefoce attacks on SSH on a Ubuntu 14.04 distribution, but the software can be used with any service that is generating log files.

Installation

The installation is really easy, as it can be done using APT:

sudo apt-get install fail2ban

Configuration

Configuring mail notifications

If you already followed the tutorial about setting up LogWatch, you can skip directly to the next step.

If not, continue with the following:

If you don't have a SMTP server running, you need to install postfix:

sudo apt-get install postfix

During the configuration choose Internet Site.

Then open the file /etc/aliases and add the following line:

root: mymailaddress@provider.tld

Surely, you need to adapt it with the address on which you want to receive the reports.

Then activate the new alias:

sudo newaliases

Fail2Ban

We start by copying the configuration file:

cd /etc/fail2ban && sudo cp jail.conf jail.local

The file jail.conf remains the file with the reference parameters.
jail.local will have priority over jail.conf if parameters are modified.

Therefore we will add everything directly in jail.local.

Edit the file /etc/fail2ban/jail.local with your preferred editor.

Here are the parameters which you should modify:

ignoreip = 127.0.0.1/8 : By default we do not apply filtering on localhost IPs, self-banning would not be very useful.
However, you can add your own IPs to avoid being banned by mistake.

bantime = 600 : The time of banning of an IP address. 10 minutes, the duration has to be expressed in seconds. We recommend to set it at least to one hour, or one day.

findtime = 600 : The timespan which will be considered for maxretry. If you want for example to ban somebody who made more than 3 malicious attempts during the last hour or, as here, in the last 10 minutes.

maxretry = 3 : Amount of tries before being banned;

destemail = root@localhost : The recipient of the mail. If you followed the tutorial from the beginning, you can leave it as it is. It will work correctly.

sendername = Fail2Ban : The name of the sender (the default should be OK).

action = %(action_)s : This defines the action to execute when a limit is reached.
By default it will only block the user. If you want to receive an email at each ban, you need to use:

action = %(action_mw)

And if you want to have the logs included, use:

action = %(action_mwl)

Then comes what we call the “Jails”. These are configurable blocks per service to filter logs and ban the bad guys.

As minimum we recommend to activate the jail ssh as follows:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

The syntax is pretty clear. We start by activating the 'jail' ', following by the port, the filter, and the path to the logs.

Filters are pre-made configuration files indicating what to parse in the log to see, if this is an unsuccessful attempt and retrieve the concerning IP for banishment.

They can be found in /etc/fail2ban/filter.d.
You can create your own filters in case you have need to.

If your SSH daemon is listening on multiple ports or on a different port, you have to modify the line port with the correct parameters:
Here an example:

port    = ssh,2222

Fail2Ban analyses the logs and will ban the users who made several intrusion attempts on ports 22 (SSH by default) & 2222.


Once you made all the changes, you can restart the service to activate all changes:

sudo service fail2ban restart

Now it will analyze the connection attempts to your SSH server. You can find the logs of Fail2Ban in the folder /var/log/fail2ban.log.

Go further

Fail2Ban can do more things than that. You can change the type of action to take when a limit is exceeded, configure it on many services, and even create your own filters!

Its only drawback is that it does not support IPv6, although there is a patch available for it.

Feel free to consult its man page and visit their official website: http://www.fail2ban.org/wiki/index.php/Main_Page