Fail2Ban

Published by botond on 2018/07/15 (Sunday), 10:17


Overview

Fail2Ban is an intrusion prevention program that protects servers from brute-force attacks. It is written in Python and runs on POSIX systems that have a packet-filtering interface or a locally installed firewall, such as iptables or TCP Wrapper.

Fail2Ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) and runs filters over them: regular-expression patterns that recognise attacks or attack attempts. When a filter's pattern appears in the log file as many times as the configuration specifies, Fail2Ban uses the system firewall to block the attacking IP address for the configured time. Such patterns can be, for example, repeated login attempts against server services (FTP, SSH, SMTP, etc.), or signs that someone is trying to attack the Apache web server. In the configuration files you specify how many attempts must accumulate, the time window within which they must occur, and how long the block remains in effect once the protection has been triggered.


By default, Fail2Ban is configured to lift a block after the specified time, so that legitimate clients that were only temporarily misconfigured are not locked out for good. A blocking time of a few minutes is usually enough to keep the network connection from being flooded by malicious attempts and to deter further tries.

The protection system can perform several actions when it detects a malicious IP address:

  • Update firewall rules (e.g. Netfilter, iptables)
  • Modify the TCP Wrapper hosts.deny table
  • Send e-mail notifications
  • Do anything else that can be done from a Python script.

This allows administrators to determine what actions to perform for each type of attack.

The basic configuration includes filters for Apache, lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server. Filters are regular-expression patterns by which undesirable activity is identified. The combination of a filter and its associated action is called a "jail", and it determines what happens to the malicious IP address. In addition to the jails shipped with the basic configuration, you can define further jails for any network service that writes log files, which lets Fail2Ban work effectively with most network services.


Jails

The basic jail settings are defined in the file /etc/fail2ban/jail.conf, which can be modified as desired. In addition, the system offers an override file, /etc/fail2ban/jail.local, in which it is more convenient to make custom settings (changing originals, adding new ones) while leaving the originals intact. This makes it easy to restore the original setting in case of any mistake.

An entry in these jail files typically looks like this:

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
findtime = 3600
maxretry = 3
bantime  = 86400

The name in square brackets identifies the section (the jail) that the settings apply to. It is followed by the parameters:

  • enabled: whether the jail is enabled
  • port: the ports the jail protects (the ban action applies to these)
  • filter: the name of the filter file
  • logpath: the log file in which the patterns are searched for
  • findtime: the time window, in seconds, within which the specified number of matches must accumulate
  • maxretry: the maximum number of matches tolerated; once this many accumulate within findtime, the ban is applied
  • bantime: the duration of the ban, in seconds

The filter files are stored in, and read from, the directory /etc/fail2ban/filter.d.
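To make the findtime/maxretry/bantime semantics and the filter-matching step concrete, here is an added Python simulation (not Fail2Ban's own code) that replays constructed auth.log lines through an sshd-style failregex and a jail with a sliding findtime window. The regex, the parameter values, the host addresses and the log lines are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = 600    # seconds: window in which matches must accumulate
MAXRETRY = 3      # matches within FINDTIME that trigger a ban
BANTIME = 3600    # seconds the address stays banned
# Constructed failregex for sshd "Failed password" lines; a real filter writes <HOST> here.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>[\d.]+) port \d+")

def parse_line(line):
    """Return (timestamp, host) when the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("host")

def run_jail(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay log lines through the jail; return a list of (host, ban_start)."""
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}             # host -> datetime when the ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # not a failure line: nothing to count
        ts, host = parsed
        if ts < banned_until.get(host, ts):
            continue                  # already banned: the firewall drops it anyway
        hits = window[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()            # matches older than findtime no longer count
        if len(hits) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            hits.clear()              # counting restarts after the ban expires
    return bans

SAMPLE_LOG = [  # constructed auth.log lines, not taken from a real system
    "Jul 15 10:00:00 srv sshd[1900]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "Jul 15 10:15:00 srv sshd[1950]: Failed password for bob from 198.51.100.7 port 40002 ssh2",
    "Jul 15 10:17:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Jul 15 10:17:04 srv sshd[2101]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Jul 15 10:17:05 srv sshd[2130]: Accepted password for alice from 198.51.100.7 port 50100 ssh2",
    "Jul 15 10:17:09 srv sshd[2140]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "Jul 15 10:30:00 srv sshd[2300]: Failed password for bob from 198.51.100.7 port 40003 ssh2",
]
```

With the defaults only 203.0.113.5 is banned (three failures within ten seconds), while 198.51.100.7's failures are fifteen minutes apart and never accumulate within the 600-second window; raising findtime to 3600 bans it as well.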

Fail2Ban is therefore a very important part of a Linux server's line of defence, and it can be used to combat such attacks effectively.