How to configure fail2ban

One of the realities of running a production server on a public IP address is that it will be subjected to continual intrusion attempts and DoS attacks.

Fail2Ban is designed to stop the attack bots and script kiddies that continually pound your server with fake login attempts or try to gain access to your systems: it watches the logs and bans the offending addresses.

This is by no means an exhaustive guide to setting up Fail2Ban, but it will at least provide a workable configuration, particularly for SSH, which is very often exposed to the Internet when running servers with cloud providers such as Azure, AWS, Vultr and Linode, to name just a few of the largest.

As a quick example of how frequent these attempts are and how well Fail2Ban blocks incorrect and unknown login attempts, the following is one page of a log file from one of my production servers.

As you can see, the attempted logins are pretty relentless, and they would be far more so without Fail2Ban installed and working.


Service name:

    fail2ban

Installation package name:

    fail2ban

Default installation folder:

    /usr/

Default configuration file:

    /etc/fail2ban/fail2ban.conf

Run the following command:


    apt-get install fail2ban


Edit the following file. If it doesn't exist after fail2ban is installed, create it:


    vim /etc/fail2ban/jail.local


Add the following contents under the [DEFAULT] section:


    [DEFAULT]

    #
    # MISCELLANEOUS OPTIONS
    #

    # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
    # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
    bantime.increment = true

    # "bantime.rndtime" is the max number of seconds using for mixing with random time
    # to prevent "clever" botnets calculate exact time IP can be unbanned again:
    bantime.rndtime = 23

    # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
    bantime.maxtime = 32000

    # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
    # default value of factor is 1 and with default value of formula, the ban time
    # grows by 1, 2, 4, 8, 16 ...
    bantime.factor = 2

    # "bantime.formula" used by default to calculate next value of ban time, default value below,
    # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
    bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    #
    # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
    #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

    # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
    # previously ban count and given "bantime.factor" (for multipliers default is 1);
    # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
    # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
    #bantime.multipliers = 1 2 4 8 16 32 64
    # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
    # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
    bantime.multipliers = 1 5 30 60 300 720 1440 2880

    # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
    # cross over all jails, if false (default), only current jail of the ban IP will be searched
    bantime.overalljails = true

    # --------------------

    # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
    # (default is true). Fail2ban will not ban a host which matches such addresses.
    ignoreself = true

    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    # will not ban a host which matches an address in this list. Several addresses
    # can be defined using space (and/or comma) separator.
    ignoreip = 127.0.0.1/8 ::1

    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =

    # "bantime" is the number of seconds that a host is banned.
    # (No value was given for this setting here; 10m is fail2ban's shipped default.)
    bantime = 10m

    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 10m

    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5

    # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
    maxmatches = %(maxretry)s

    # "backend" specifies the backend used to get files modification.
    # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
    # This option can be overridden in each jail as well.
    #
    # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    #              If pyinotify is not installed, Fail2ban will use auto.
    # gamin:     requires Gamin (a file alteration monitor) to be installed.
    #              If Gamin is not installed, Fail2ban will use auto.
    # polling:   uses a polling algorithm which does not require external libraries.
    # systemd:   uses systemd python library to access the systemd journal.
    #              Specifying "logpath" is not valid for this backend.
    #              See "journalmatch" in the jails associated filter config
    # auto:      will try to use the following backends, in order:
    #              pyinotify, gamin, polling.
    #
    # Note: if systemd backend is chosen as the default but you enable a jail
    #       for which logs are present only in its own log files, specify some other
    #       backend for that jail (e.g. polling) and provide empty value for
    #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
    backend = auto

    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a DNS lookup will be performed.
    # warn:  if a hostname is encountered, a DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
    usedns = warn

    # "logencoding" specifies the encoding of the log files handled by the jail
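To see what the ban-time options above actually do to a repeat offender, here is a small model of the growth rules, added as an example (it is not from the original page and not fail2ban's own code): it applies the page's bantime.formula, the bantime.multipliers list (which replaces the formula when set, as the config comment says), bantime.factor, the bantime.maxtime cap and bantime.rndtime jitter. Since bantime was left blank above, 600 seconds (fail2ban's shipped default of 10m) is assumed, and ban.Count is taken as the number of earlier bans of the IP found in the database.

```python
import random

# Values from the [DEFAULT] section above. "bantime" was left blank there;
# 600 s (fail2ban's shipped default, 10m) is an assumption made for this model.
BANTIME = 600
BAN_FACTOR = 2
BAN_MAXTIME = 32000
BAN_RNDTIME = 23
MULTIPLIERS = [1, 5, 30, 60, 300, 720, 1440, 2880]


def formula_bantime(base, count, factor=BAN_FACTOR):
    """bantime.formula exactly as written in the config:
    ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    `count` is the number of earlier bans of this IP (0 for the first ban)."""
    return base * (1 << (count if count < 20 else 20)) * factor


def multiplier_bantime(base, count, multipliers=MULTIPLIERS, factor=BAN_FACTOR):
    """bantime.multipliers rule: index the list by ban count; once the count runs
    past the end of the list the last multiplier is reused. bantime.factor still
    multiplies the result, so factor = 2 doubles every step of the list."""
    m = multipliers[count] if count < len(multipliers) else multipliers[-1]
    return base * m * factor


def next_bantime(count, base=BANTIME, use_multipliers=True,
                 maxtime=BAN_MAXTIME, rndtime=0, rng=random):
    """Seconds the next ban lasts: growth rule, then the bantime.maxtime cap,
    then up to `rndtime` seconds of jitter (bantime.rndtime, modelled here as an
    additive random offset) so a botnet cannot predict the exact unban moment."""
    t = multiplier_bantime(base, count) if use_multipliers else formula_bantime(base, count)
    t = min(t, maxtime)
    if rndtime:
        t += rng.randint(0, rndtime)
    return int(t)


def schedule(n, **kw):
    """Ban lengths, in seconds, for the first n bans of one repeat offender."""
    return [next_bantime(i, **kw) for i in range(n)]


if __name__ == "__main__":
    print("multipliers:", schedule(10))
    print("formula:    ", schedule(10, use_multipliers=False))
    print("with jitter:", schedule(3, rndtime=BAN_RNDTIME))
```

With these settings the multiplier list hits the 32000 second ceiling on the third ban, so the longer multipliers never come into play; lowering bantime or raising bantime.maxtime is what changes that.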

Source: Tech Lab, https://techlab.connektiv8.com/p/how-to-configure-fail2ban.html