Prevent brute force attacks using fail2ban

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18

3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24

Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart

5 comments

  1. How about going a little further and showing how to permanently allow an IP so we will be able to ssh to the box and not lock ourself out?

  2. You should make those changes in jail.local instead of jail.conf. If you update fail2ban it will overwrite the jail.conf with the risk of locking yourself out if something went wrong, because fail2ban isn’t configured with your ignorelist anymore.

  3. It is safer to copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify the latter.
    By doing this way, you can install new versions of configuration files without losing your changes.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>