Linux Security with Fail2Ban

Linux is built to be inherently secure and has a great track record of superior security compared to its proprietary counterparts.

However, in the world of server administration, paranoia is an asset. How else could someone get in? How can I prevent that? How can I be notified?

One magnificent contribution to the security of Linux servers the world over is called fail2ban. Why should you care?

From the Fail2ban main page:

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

So basically, it gives the finger to those mean people who are trying to brute-force your ssh server. And it blocks them at the packet level with iptables. No iptables knowledge necessary. (Though if you want a quickie, take a look at this short “Iptables for Linux” intro).

For openSUSE users, check to see if you have it available using zypper:

[1049][root@laptop:~]$ zypper search fail2ban

If you find it, use zypper install fail2ban to get it on your box.

If you have trouble getting it installed, follow the seriously excellent advice on the fail2ban download page.

When you get it installed, as root, edit your /etc/fail2ban/jail.conf file.

Put your ip addresses in the ignoreip list so you don’t lock yourself out.

bantime is in seconds. 1 hour is 1440 seconds. 24 hours is 86400. I put in at least 24 hours. Do what works for you.

maxretry is how many tries a user gets before they’re blocked for bantime seconds. 3 to 5 chances seems more than generous.
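To make it concrete what maxretry and bantime actually do, here is an added Python sketch of fail2ban's core loop, written for this post rather than taken from fail2ban itself. It reads syslog-style sshd lines (constructed below, with RFC 5737 documentation addresses), counts password failures per IP inside a sliding window (fail2ban calls that window findtime, 600 seconds by default in jail.conf), skips anything in ignoreip, and records a ban that expires after bantime seconds. The failure regex is a simplified stand-in for fail2ban's sshd filter, not the upstream pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure pattern modelled on fail2ban's sshd filter; this is an assumption for the
# example, the real filter.d/sshd.conf carries several longer regexes.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_ts(ts, year=2009):
    """syslog timestamps carry no year, so one has to be supplied."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """Minimal model of one fail2ban jail: count failures, ban on maxretry."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps still inside findtime
        self.bans = {}                      # ip -> time the ban expires

    def is_banned(self, ip, now):
        return ip in self.bans and now < self.bans[ip]

    def process_line(self, line):
        """Feed one log line; return the IP if this line triggered a ban, else None."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_syslog_ts(m.group("ts"))
        # ignoreip keeps you from locking yourself out; an already banned host is
        # dropped by iptables in real life, so its lines are ignored here too.
        if ip in self.ignoreip or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()            # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None


def scan(lines, jail):
    """Run every line through the jail; return the IPs banned, in order."""
    return [ip for ip in (jail.process_line(line) for line in lines) if ip]


# Constructed /var/log/messages excerpt: one fast brute-force from 198.51.100.7,
# a few typos from the admin's own box 10.0.0.5, and slow probing from 203.0.113.9.
SAMPLE_LOG = """\
Nov 27 16:00:01 mail sshd[4101]: Failed password for root from 198.51.100.7 port 51200 ssh2
Nov 27 16:00:04 mail sshd[4103]: Failed password for invalid user admin from 198.51.100.7 port 51201 ssh2
Nov 27 16:00:05 mail sshd[4105]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Nov 27 16:00:07 mail sshd[4107]: Failed password for root from 198.51.100.7 port 51202 ssh2
Nov 27 16:00:09 mail sshd[4109]: Failed password for root from 198.51.100.7 port 51203 ssh2
Nov 27 16:05:00 mail sshd[4120]: Failed password for alice from 10.0.0.5 port 50010 ssh2
Nov 27 16:05:03 mail sshd[4121]: Failed password for alice from 10.0.0.5 port 50011 ssh2
Nov 27 16:05:06 mail sshd[4122]: Failed password for alice from 10.0.0.5 port 50012 ssh2
Nov 27 17:00:00 mail sshd[4200]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov 27 17:30:00 mail sshd[4210]: Failed password for root from 203.0.113.9 port 40002 ssh2
Nov 27 18:00:00 mail sshd[4220]: Failed password for root from 203.0.113.9 port 40003 ssh2
"""


def demo():
    """Same knobs as the post: 3 tries, 24 hour ban, own address in ignoreip."""
    jail = Jail(maxretry=3, findtime=600, bantime=86400, ignoreip={"10.0.0.5"})
    banned = scan(SAMPLE_LOG.splitlines(), jail)
    return jail, banned


if __name__ == "__main__":
    jail, banned = demo()
    for ip in banned:
        print(f"ban {ip} until {jail.bans[ip]}")
```

Only 198.51.100.7 ends up banned: the admin's box is whitelisted, and the slow prober never gets three failures inside one findtime window, which is the trade-off behind those settings. Patient attackers stay under the radar unless you raise findtime or lower maxretry.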

Now to set up the notification.

In the same file, look for the section called [ssh-iptables]. Change this section so it looks like this:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=notrealemail@suseblog.com, sender=fail2ban@suseblog.com]
logpath  = /var/log/messages
maxretry = 3

If you don’t want the ‘whois’ info, take out the ‘-whois’ from the sendmail part (the second action line is a continuation of the first, so keep it indented). Change the dest email to your own, and set the sender to whatever you want. The maxretry here overrides the default you set in the [DEFAULT] section further up. In logpath, put in the system log, or wherever your sshd logs to. Mine happens to be what you see there.

When it’s set up as you like, save and quit.

Now, fire that bad fool up:

[1607][root@mail:/etc/fail2ban]$ fail2ban-client start
2009-11-27 16:07:46,554 fail2ban.server : INFO Starting Fail2ban v0.8.4
2009-11-27 16:07:46,555 fail2ban.server : INFO Starting in daemon mode
[1607][root@mail:/etc/fail2ban]$

To make it run when the machine restarts, use chkconfig:

[1607][root@mail:/etc/fail2ban]$ chkconfig -a fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:off 5:on 6:off
[1610][root@mail:/etc/fail2ban]$

Within a few hours, you should get notifications. Or, you can have someone try to brute-force your box and see if their IP gets banned.

If you read through jail.conf, you’ll see that fail2ban can do loads more than I’ve covered here. But if you want a little more armor on ssh, your biggest target, slap fail2ban on your box.

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
