How to Configure Fail2Ban to Block Malicious Logins
Introduction:
Fail2Ban is a tool for blocking hosts that generate repeated authentication failures. It scans log files (such as /var/log/auth.log), identifies IP addresses with an excessive number of failed login attempts, and bans them by updating the system's firewall rules so that new connections from those addresses are refused. Fail2Ban cuts down the volume of brute-force attempts, but it does not remove the risk posed by weak authentication: an attacker with many source addresses can stay under the retry threshold, and a legitimate user behind a shared address can be locked out together with the attacker. Two-factor authentication or public/private key authentication should be set up in addition.
Environment Requirements:
- Python >= 3.5 or PyPy3
- python-setuptools and python-distutils (or python3-setuptools). To check that they are present, import setuptools and distutils in the Python interpreter; no ImportError means they are installed. (Note: on CentOS or RHEL, distutils is normally installed together with Python. distutils was deprecated in Python 3.10 and removed in 3.12; on those versions only setuptools is needed.)
- (Optional) pyinotify >= 0.8.3, which requires Linux >= 2.6.13
- (Optional) systemd >= 204 with Python bindings (the python-systemd package)
- (Optional) dnspython
Deployment Method:
Step 1: Download the source code
Either download the release tarball and extract it, or clone the repository from GitHub (see Related Links).
Step 2: Run the installation script
From the extracted source directory, run the project's setup.py install step. This installs Fail2Ban into the Python library directory, places the executable scripts in /usr/bin, and puts the configuration files in /etc/fail2ban.
Step 3: Check that Fail2Ban was installed correctly
Run fail2ban-client --version to print the installed Fail2Ban version.
Step 4: Set Fail2Ban to start automatically
Copy the init script for your Linux distribution from the files directory of the source tree to /etc/init.d (for example, the Debian script on a Debian system) and enable it with the distribution's service tooling. On systemd-based distributions, use the systemd unit file shipped in the same files directory instead of a SysV init script.
Step 5: Specific configuration
fail2ban-client -h lists the available client commands and their arguments.
Example: Configure Fail2Ban to permanently block IPs that have 3 failed login attempts within 10 minutes:
- Create a jail. Here the jail is named myjail and uses polling as the backend.
- Set the jail's log path. Here /var/log/auth.log is the monitored log file.
- Add a failregex. This expression is matched against each log line to recognise a login failure; the address to ban is captured by the <HOST> placeholder in the expression. Adjust it to the actual log format, and test it against the live log with fail2ban-regex before relying on it.
- Set the ban time. Here bantime is -1, meaning that once an IP is banned the ban never expires.
- Set the failure count. Here maxretry is 3: an IP address that fails to log in 3 times within findtime is banned.
- Set the search window. Here findtime is 600: 3 failed logins within the past 10 minutes (600 seconds) trigger the ban.
- Finally, start the jail.
Settings made through fail2ban-client apply to the running server only and are lost on restart; put the same values in /etc/fail2ban/jail.local to make them permanent. A jail created this way also has no ban action attached, so nothing reaches the firewall until one is added. Note that a permanent ban on a shared or NAT address locks out every user behind it, so a finite bantime is usually the safer default.
After completing the above steps, Fail2Ban monitors the /var/log/auth.log file, and any IP address that fails to log in 3 times within 10 minutes is banned permanently.
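As an added example (not code from the original post or from the Fail2Ban project), the Python below simulates the jail described above: a failregex is applied to constructed sshd log lines, failures are counted per source address inside a sliding findtime window, and an address is banned once maxretry is reached, with bantime -1 meaning the ban never expires. The regex, the sample lines and their timestamps are assumptions made for the example; fail2ban's own parsing and banning code is not used. The client_commands helper returns the fail2ban-client sequence that configures the same jail on a running server.

```python
import re
from collections import defaultdict, deque

# Fail2Ban-style failregex (assumed for this example); <HOST> marks the address to ban.
FAILREGEX = r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2"

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Each entry carries its epoch time so the example runs offline without a date parser.
SAMPLE_LOG = [
    (1000, "Jan 10 10:00:00 host sshd[1111]: Failed password for root from 203.0.113.5 port 4000 ssh2"),
    (1100, "Jan 10 10:01:40 host sshd[1112]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2"),
    (1150, "Jan 10 10:02:30 host sshd[1113]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2"),
    (1200, "Jan 10 10:03:20 host sshd[1114]: Failed password for root from 203.0.113.5 port 4002 ssh2"),
    (1300, "Jan 10 10:05:00 host sshd[1115]: Failed password for root from 198.51.100.7 port 5001 ssh2"),
    (2000, "Jan 10 10:16:40 host sshd[1116]: Failed password for root from 198.51.100.7 port 5002 ssh2"),
    (2100, "Jan 10 10:18:20 host sshd[1117]: Failed password for root from 198.51.100.7 port 5003 ssh2"),
    (2200, "Jan 10 10:20:00 host sshd[1118]: Failed password for root from 198.51.100.7 port 5004 ssh2"),
    (5000, "Jan 10 11:06:40 host sshd[1119]: Failed password for root from 203.0.113.5 port 4003 ssh2"),
]


class Jail:
    """Minimal model of a jail: failregex, findtime window, maxretry threshold, bantime."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=-1):
        # fail2ban substitutes an address pattern for <HOST>; a named group does the same job here
        self.regex = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of failures still inside findtime
        self.bans = {}                      # host -> expiry time, or None for a permanent ban

    def is_banned(self, host, now):
        if host not in self.bans:
            return False
        expiry = self.bans[host]
        if expiry is None:                  # bantime -1: the ban never expires
            return True
        if now >= expiry:                   # finite ban has lapsed: unban
            del self.bans[host]
            return False
        return True

    def feed(self, now, line):
        """Process one log line; return the host if this line triggers a ban, else None."""
        match = self.regex.search(line)
        if match is None:
            return None                     # not a failure line (e.g. a successful login)
        host = match.group("host")
        if self.is_banned(host, now):
            return None                     # already banned, nothing more to do
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = None if self.bantime < 0 else now + self.bantime
            window.clear()
            return host
        return None


def run_jail(entries, **params):
    """Replay (timestamp, line) entries through a jail; return the jail and {host: ban time}."""
    jail = Jail(FAILREGEX, **params)
    banned_at = {}
    for now, line in entries:
        host = jail.feed(now, line)
        if host is not None:
            banned_at[host] = now
    return jail, banned_at


def client_commands(jail="myjail", backend="polling", logpath="/var/log/auth.log",
                    failregex=FAILREGEX, bantime=-1, maxretry=3, findtime=600):
    """fail2ban-client sequence that configures the same jail on a running server."""
    return [
        f"fail2ban-client add {jail} {backend}",
        f"fail2ban-client set {jail} addlogpath {logpath}",
        f"fail2ban-client set {jail} addfailregex '{failregex}'",
        f"fail2ban-client set {jail} bantime {bantime}",
        f"fail2ban-client set {jail} maxretry {maxretry}",
        f"fail2ban-client set {jail} findtime {findtime}",
        f"fail2ban-client start {jail}",
    ]


if __name__ == "__main__":
    jail, banned_at = run_jail(SAMPLE_LOG)
    for host, when in banned_at.items():
        print(f"{host} banned at t={when}, permanent={jail.bans[host] is None}")
    print("\n".join(client_commands()))
```

In the sample, 203.0.113.5 is banned at t=1200 after three failures within 200 seconds. 198.51.100.7 fails at t=1300 and again at t=2000, but the first failure is already outside the 600-second window by then, so it takes two more failures (t=2100, t=2200) before that address is banned; the window slides, it is not a fixed 10-minute bucket. The failure at t=5000 from the permanently banned address is ignored. Running the same replay with bantime=600 shows the other behaviour: that ban expires at t=1800 and the address starts again from zero failures.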
Related Links:
GitHub link: https://github.com/fail2ban/fail2ban
Original link: http://enblog.fuyiran.link/Technology/4.html
Copyright: All posts on this blog, unless otherwise stated, are published under the CC BY-NC-SA 4.0 license. Please credit the source, Fu Speaking (enblog.fuyiran.link), when reprinting.