Secure for brute-force attempts : Fail2Ban

This tutorial works for CentOS only. For your specific OS tutorial use the tags or search function in the sidebar area.

 

Before we set up our first web page, it's time to install something to prevent brute-force attempts on our VPS. My choice here: Fail2ban, first because of its low requirements and scalability (it can run even on a 256MB VPS), and second because it runs on an OpenVZ VPS; other software such as CSF requires additional iptables modules which those OpenVZ containers (which we call "VPS") don't have at the moment. Fail2Ban has proven itself many times, and it's worth installing.

Info: Fail2ban operates by monitoring log files (e.g. /var/log/maillog, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. Fail2ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

If you've already looked at some logs, especially after we installed the mail server, you'll have seen many entries like these, e.g.:

$ cat /var/log/maillog* | grep "auth failed" | more

Aug 11 08:40:31 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:40:39 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:40:41 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:40:49 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:40:52 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:40:59 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:41:02 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:41:10 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:41:12 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:41:19 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
Aug 11 08:41:20 vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=71.177.32.18, lip=212.1.xxx.xxx
That's a BF (Brute Force) attempt on Dovecot on our VPS.

So:

$ yum install fail2ban

and check if it's on autostart:

[root@server][~]
$ chkconfig fail2ban --list
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
 

Configuration files:

/etc/fail2ban/
          - /filter.d/
          - /action.d/
          - /fail2ban.conf
          - /jail.conf

Now, first important thing:

Edit jail.conf and add the home IP from which you connect to the VPS to the ignoreip variable; search for the variable and change:

ignoreip = 127.0.0.1/8
TO
ignoreip = 127.0.0.1/8 yourhomeIP yourworkIP

You may look further into jail.conf to get an idea of how it works, e.g.:

This is called a jail:

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, port="ftp,ftps"]
         sendmail-whois[name=VSFTPD, dest=jtkirk@localhost]
logpath = /var/log/vsftpd.log
maxretry = 3
 

enabled = true # enables a jail
filter = vsftpd # regexp filter from /filter.d/vsftpd.conf
action = iptables-multiport[name=FTP, port="ftp,ftps"] # actions from /action.d/
         sendmail-whois[name=VSFTPD, dest=jtkirk@localhost] # second action: mail with notification (continuation lines must be indented)
logpath = /var/log/vsftpd.log # log to watch
maxretry = 3 # how many 'filter' positives before the 'action' is run

 

My example jail configurations:

 
[ssh-iptables]
enabled = true
filter = sshd
# two ports need the iptables-multiport action; the plain iptables action
# passes the value to a single --dport and fails on "ssh,3666"
action = iptables-multiport[name=SSH, port="ssh,3666", protocol=tcp]
         sendmail-whois[name=SSH, dest=jtkirk@localhost, sender=jtkirk@localhost]
logpath = /var/log/secure
maxretry = 5

[sasl-iptables]
enabled = true
filter = sasl
action = iptables-multiport[name=sasl, port="smtp,imap,imaps,pop3,pop3s", protocol=tcp]
         sendmail-whois[name=sasl, dest=jtkirk@localhost]
logpath = /var/log/maillog

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, port="ftp,ftps"]
         sendmail-whois[name=VSFTPD, dest=jtkirk@localhost]
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 9800
findtime = 600

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=jtkirk@localhost]
logpath = /var/log/httpd/*access_log
          /var/log/httpd/*error.log
bantime = 172800
maxretry = 1

[apache-myadmin]
enabled = true
filter = apache-myadmin
port = http,https
logpath = /var/log/httpd/*error.log
action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
         sendmail-buffered[name=apache-myadmin, lines=5, dest=jtkirk@localhost]
maxretry = 10
bantime = 84600

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap,pop3s,imaps", protocol=tcp]
         sendmail-whois[name=Dovecot-Maillog, dest=jtkirk@localhost]
logpath = /var/log/maillog
maxretry = 6
findtime = 1200
bantime = 7200

[apache-wootwoot]
enabled = true
filter = apache-wootwoot
action = iptables-multiport[name=HTTP, port="80,443", protocol=tcp]
         sendmail-buffered[name=w00tw00t, lines=5, dest=jtkirk@localhost]
logpath = /var/log/httpd/*error.log
maxretry = 1
bantime = 864000
findtime = 600
 

You can download my own actions/filters which I use from here: http://sh.beadmin.2tl.eu/fail2ban.tar.gz

Testing filter regex:

You can write your own filters and check them with, e.g.:

$ /usr/bin/fail2ban-regex /var/log/access_log /etc/fail2ban/filter.d/myfilter-w00tw00t.conf
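As an added illustration (not part of this tutorial and not Fail2Ban's own code), here is a small Python re-implementation of what a jail does with a filter: it runs a filter.d-style failregex, with fail2ban's <HOST> placeholder, over constructed Dovecot lines like the ones shown earlier, counts positives per source IP inside the findtime window, skips anything in ignoreip, and reports a ban once maxretry is reached, using the dovecot-pop3imap jail's values. The regex, the 10.0.0.5 host and the sample timestamps are assumptions modelled on the log excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# filter.d-style failregex for the Dovecot lines above; fail2ban expands <HOST> to a capture
# group (assumption modelled on the excerpt, not fail2ban's own dovecot filter)
FAILREGEX = r"dovecot: pop3-login: Aborted login \(auth failed, \d+ attempts\): .* rip=<HOST>,"
RX = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# constructed sample log: the attacker's lines from the tutorial plus one local and one benign host
SAMPLE_LOG = "\n".join(
    f"Aug 11 08:40:{s:02d} vps dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    f"user=, method=PLAIN, rip={ip}, lip=212.1.xxx.xxx"
    for s, ip in [(31, "71.177.32.18"), (33, "127.0.0.1"), (39, "71.177.32.18"), (41, "71.177.32.18"),
                  (45, "10.0.0.5"), (49, "71.177.32.18"), (52, "71.177.32.18"), (59, "71.177.32.18")]
)

def parse_ts(line, year=2013):
    """syslog timestamps carry no year; assume 2013 as in the tutorial's fail2ban.log"""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def ignored(host, ignoreip):
    return any(ip_address(host) in ip_network(net, strict=False) for net in ignoreip)

def run_jail(log, maxretry=6, findtime=1200, ignoreip=("127.0.0.1/8",)):
    """Mimic the dovecot-pop3imap jail: return {host: time banned} for every host that
    produced maxretry filter positives within findtime seconds and is not in ignoreip."""
    hits, bans = defaultdict(list), {}
    for line in log.splitlines():
        m = RX.search(line)
        if not m:
            continue                      # line is not a positive for this filter
        host, ts = m.group("host"), parse_ts(line)
        if host in bans or ignored(host, ignoreip):
            continue                      # already banned, or whitelisted like your home IP
        # keep only positives inside the findtime sliding window, then add this one
        hits[host] = [t for t in hits[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            bans[host] = ts               # fail2ban would run the iptables action here
    return bans

if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LOG).items():
        print(f"{when} fail2ban.actions: WARNING [dovecot-pop3imap] Ban {host}")
```

Changing maxretry or findtime in the call shows why the jail's window matters: with findtime=10 the same eleven-second bursts never reach six positives and nothing is banned.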

Run Fail2Ban:

If you entered your IP in ignoreip and enabled some jails, now it's time to run fail2ban:

$ service fail2ban start

And you may look into the Fail2Ban log: 

$ cat /var/log/fail2ban.log |grep "Ban"

2013-08-12 05:49:31,474 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 71.177.32.18
 

$ iptables -nL

Chain fail2ban-dovecot-maillog (1 references)
target prot opt source destination
DROP all -- 71.177.32.18 0.0.0.0/0
 

Oh look, that scum got banned already - yupii!! :-P

Some Fail2Ban tricks and tune-ups later.