Introduction:

Fail2Ban is a tool that bans the sources of malicious logins identified by repeated authentication failures. By scanning log files (such as /var/log/auth.log), it identifies IP addresses with an excessive number of failed login attempts and bans them by updating the system's firewall rules to deny new connections from those addresses. Although Fail2Ban reduces the volume of failed authentication attempts, it cannot eliminate the risk posed by weak authentication itself; setting up two-factor or public/private key authentication is recommended to further harden logins.

Environment Requirements:

  • Python version >= 3.5 or PyPy3

    python3 --version
    pypy3 --version
  • python-setuptools and python-distutils (or python3-setuptools)

    Try importing these two modules in the Python interpreter to check if they are installed:

    import setuptools
    import distutils

    No error means successful installation.

    Installation method:

    # Debian or Ubuntu
    sudo apt-get install python3-setuptools python3-distutils
    # CentOS or RHEL
    sudo yum install python3-setuptools

    (Note: In most cases, on CentOS or RHEL systems, distutils is typically automatically installed during Python installation.)

  • (Optional) pyinotify >= 0.8.3, which may require:

    • Linux kernel version >= 2.6.13
  • (Optional) systemd >= 204 with its Python bindings:

    • python-systemd package
  • (Optional) dnspython

Deployment Method:

Step 1: Download the source code

  • You can directly download the tar file and then extract it:

    tar xvfj fail2ban-master.tar.bz2
    cd fail2ban-master
  • Or you can clone the source code from GitHub:

    git clone https://github.com/fail2ban/fail2ban.git
    cd fail2ban

Step 2: Run the installation script

In the directory where the source code was downloaded, run the following command to install:

sudo python3 setup.py install

This installs Fail2Ban into the Python library directory, places the executable scripts in /usr/bin, and the configuration files in /etc/fail2ban.

Step 3: Check if Fail2Ban was installed correctly

fail2ban-client -h

You can use the following command to view the installed Fail2Ban version:

fail2ban-client version

Step 4: Set Fail2ban as an auto-start service

Copy the init script suitable for your Linux distribution from the files directory of the source tree to /etc/init.d.

For example, on a Debian system:

cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
service fail2ban start

Step 5: Specific configuration

You can view the detailed configuration guide with fail2ban-client -h.

Example: Configure Fail2Ban to permanently block IPs that have 3 failed login attempts within 10 minutes:

  1. Create a jail. Here, the jail is named myjail and uses polling as the backend:

    fail2ban-client add myjail polling
  2. Set the jail log path. Here, set /var/log/auth.log as the monitored log file:

    fail2ban-client set myjail addlogpath /var/log/auth.log
  3. Add a failure regex. This expression is used to match login-failure log entries; the exact expression may need to be adjusted to the actual log format:

    fail2ban-client set myjail addfailregex '^Failed password for .* from <HOST>'
  4. Set the ban time. Here, set bantime to -1, meaning once an IP is banned, the ban will never expire:

    fail2ban-client set myjail bantime -1
  5. Set the failure count. Here, set maxretry to 3, meaning if an IP address fails to log in 3 times within the findtime, it will be banned:

    fail2ban-client set myjail maxretry 3
  6. Set the search time. Here, set findtime to 600, meaning if an IP address has 3 failed logins within the past 10 minutes (600 seconds), it will be banned:

    fail2ban-client set myjail findtime 600
  7. Finally, start the jail:

    fail2ban-client start myjail

After completing the above steps, Fail2Ban will start monitoring the /var/log/auth.log file, and any IP address that fails to log in 3 times within 10 minutes will be permanently banned.
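To make concrete what the jail above does with those three parameters, here is an added Python example (not part of the original post and not Fail2Ban's own code) that replays constructed auth.log lines through the post's failregex, maxretry and findtime and reports which hosts a jail with bantime -1 would ban. It assumes a syslog-style line prefix, an IPv4-only stand-in for Fail2Ban's <HOST> expansion, and a caller-supplied year (syslog does not log one).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail parameters from the post's example (myjail)
FAILREGEX = r"^Failed password for .* from <HOST>"
MAXRETRY, FINDTIME = 3, 600          # findtime in seconds

# Fail2Ban expands <HOST> into its own host pattern; this IPv4-only stand-in
# is an assumption of this example, not Fail2Ban's real expansion.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# auth.log lines carry a syslog prefix "Mon dd HH:MM:SS host prog[pid]: ";
# the failregex is applied to the message after that prefix (assumption).
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (?P<msg>.*)$")

def find_bans(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME, year=2024):
    """Replay lines in order; return {host: ban_time} for hosts that reach
    maxretry failregex matches inside a sliding findtime window."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    recent = defaultdict(deque)      # host -> failure timestamps still in window
    banned = {}
    for line in lines:
        p = PREFIX.match(line)       # syslog does not log the year; caller supplies it
        m = p and pattern.search(p.group("msg"))
        if not m or m.group("host") in banned:   # bantime -1: a ban never expires
            continue
        ts = datetime.strptime(f"{year} {p.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[m.group("host")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()              # forget failures older than findtime
        if len(q) >= maxretry:
            banned[m.group("host")] = ts
    return banned

# Constructed sample lines (not real data): the first host fails 3 times within
# 3 minutes, the second fails 3 times but 15 minutes apart, so only the first is banned.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Mar  3 10:01:15 vps sshd[1204]: Failed password for root from 203.0.113.5 port 40222 ssh2
Mar  3 10:01:40 vps sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar  3 10:03:02 vps sshd[1210]: Failed password for root from 203.0.113.5 port 40230 ssh2
Mar  3 10:05:00 vps sshd[1213]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar  3 10:20:00 vps sshd[1216]: Failed password for root from 198.51.100.9 port 33010 ssh2
Mar  3 10:35:00 vps sshd[1219]: Failed password for root from 198.51.100.9 port 33020 ssh2
"""

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG.splitlines()))   # {'203.0.113.5': datetime.datetime(2024, 3, 3, 10, 3, 2)}
```

Note that settings applied with fail2ban-client at runtime live only in the running server; to keep them across a restart, put the same values in a jail definition under /etc/fail2ban.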

Related Links:

GitHub link: https://github.com/fail2ban/fail2ban

Tags: Configure, Shared IP VPS, KVM

Original link: http://enblog.fuyiran.link/Technology/4.html

Copyright: All posts on this blog, unless otherwise stated, are published under the CC BY-NC-SA 4.0 license. Please credit the source when reprinting: Fu Speaking (enblog.fuyiran.link)
