Step 3: Installing fail2ban

Overview

This tutorial describes how to install and configure the fail2ban service on a Linux machine to prevent brute force attacks against your web servers.  Following the steps in this tutorial, you will be able to prevent some of the most common types of hacking attempts against any of your home computers you have opened up to the internet.

This tutorial is intended for people with minimal knowledge of computer networks and Linux. You should know how to open a Linux terminal on your server machine. The instructions cover every command you must run and every file you must edit for a basic configuration. More detailed information can be found on the fail2ban.org website.

In this tutorial, you will learn:

  • How to install the fail2ban software on your Linux machine.

  • How to configure fail2ban to protect SSH logins.

  • How to install the exim4 mail server on your Linux machine (this step is only required if you want fail2ban to send you email notifications).

This tutorial is written for a Debian based Linux (such as Ubuntu or Mint). For other types of Linux, you will have to adapt some of the install instructions.

Installing fail2ban

The fail2ban application is a service that runs on your Linux machine to block common attacks. It works by monitoring the log files of different services on your computer and taking action when suspicious activity is detected. The default action is to ban the attacking address for a period of time by inserting rules into the iptables firewall. You can also configure fail2ban to send you email notifications when attackers have been banned.

  1. Log into a terminal on the server machine and become the root user:

$ sudo -i

  2. Install the fail2ban software:

$ sudo apt-get install fail2ban

Fail2ban can be customized to protect any service that writes activity to a log file. The default installation comes pre-configured ready to work with several standard Linux services such as SSH and apache web server. In this example, we will enable fail2ban to protect SSH logins.

  3. Edit the fail2ban jail file with your favorite text editor:

$ nano /etc/fail2ban/jail.conf

  4. First set the backend (the method fail2ban uses to watch log files). Find the line that says:

backend = auto

  5. Change this line to say:

backend = polling

  6. Now edit the ssh jail settings. Find the part of the file that says:

[ssh]
enabled  = false
port     = ssh
filter   = sshd
action   = iptables-multiport[name=ssh,port=ssh,protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 3
bantime = 600

  7. Change “enabled = false” to “enabled = true”. Also, if you have set up SSH on an alternate port as well (1022 in this example), modify the port list in the action line:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
action   = iptables-multiport[name=ssh,port="22,1022",protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 3
bantime = 600

  • enabled = true:  turns this jail on

  • port = ssh: this jail is watching the ssh port

  • filter = sshd: this jail uses the regular expressions defined in the file /etc/fail2ban/filter.d/sshd.conf

  • action = iptables …: carries out the action defined in the file /etc/fail2ban/action.d/iptables-multiport.conf

  • logpath = /var/log/auth.log:  is the log file that the filter is applied to

  • maxretry = 3: the number of failed attempts allowed before the address is banned

  • bantime = 600: the ban duration in seconds (600 seconds, the default, is 10 minutes)

  8. Save the file and exit the text editor.

  9. Restart fail2ban for the change to take effect:

$ service fail2ban restart

  10. To test the configuration, try logging in over SSH three times with the wrong password. After your fourth attempt, you will find that your connection attempts are refused for 10 minutes.

Monitoring fail2ban Activity

You can check the fail2ban log at any time:

$ sudo nano /var/log/fail2ban.log

You can manually check what the fail2ban filter would match by running its regular expressions against the log file. For example, to check the ssh jail's filter against the auth log:

$ fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
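To show what the jail parameters above (maxretry, bantime, and the sshd filter applied to /var/log/auth.log) amount to, here is an added Python example that is not part of this tutorial or of fail2ban itself: it applies a simplified form of the sshd "Failed password" pattern to a few constructed auth.log lines and reports which addresses would be banned, much as fail2ban-regex shows which lines match. The findtime window (600 seconds) and the year 2024 are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime
# Simplified form of one pattern from fail2ban's sshd filter (assumption: only
# "Failed password" lines are considered; the real filter matches more).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
MAXRETRY = 3    # as in the [ssh] jail above
BANTIME = 600   # seconds, as in the [ssh] jail above
FINDTIME = 600  # seconds in which retries are counted (assumed value)

def parse_ts(ts, year=2024):
    # auth.log timestamps carry no year, so one is assumed for the sample data
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: time_of_ban} for every address the jail would ban."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and (t - bans[ip]).total_seconds() < bantime:
            continue  # still banned: iptables would have dropped this packet
        # keep only failures inside the findtime window, then add this one
        hits = [h for h in failures[ip] if (t - h).total_seconds() <= findtime]
        hits.append(t)
        failures[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = t
            failures[ip] = []
    return bans

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG = """\
Mar  5 10:00:01 myhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  5 10:00:04 myhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  5 10:00:09 myhost sshd[1205]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  5 10:00:15 myhost sshd[1209]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar  5 10:00:20 myhost sshd[1210]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Mar  5 10:30:00 myhost sshd[1300]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Mar  5 10:31:00 myhost sshd[1301]: Failed password for alice from 192.0.2.10 port 40011 ssh2
""".splitlines()
if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S} for {BANTIME}s")
```

With the defaults only 203.0.113.7 is banned; the three failures from 192.0.2.10 fall outside a 600-second window, which is why widening findtime changes the result.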

You can also configure fail2ban to send you an email when an action is taken. The next section describes how to configure fail2ban to send you notification emails.

Configure fail2ban to Send Email

If you want fail2ban to send you email notifications, add a mail action to the jail's action setting:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
action   = iptables-multiport[name=ssh,port="22,1022",protocol=tcp]
         mail[name=SSH,dest=SomeMailAddress@somedomain.com]
logpath  = /var/log/auth.log
maxretry = 3
bantime = 600

This will send an email to SomeMailAddress@somedomain.com any time fail2ban performs the SSH jail action.

However, you must first have a mail server set up on the machine in order to send mail. The final section of this tutorial describes how to set up the exim4 mail server to send fail2ban notifications through your Gmail account.

Configure exim4 as a Mail Server

To set up a quick and easy mail server on your Linux machine, you can use exim4.

As the root user:

  1. Install the exim4 package:

$ apt-get install exim4

  2. Run the package configuration:

$ dpkg-reconfigure exim4-config

  3. At the different screen prompts, enter the following:

  • Choose mail sent by smarthost; received via SMTP or fetchmail

  • Type System Mail Name: <enter your computer name>

  • Type IP Addresses to listen on for incoming SMTP connections: 127.0.0.1

  • Leave Other destinations for which mail is accepted empty

  • Leave Machines to relay mail for empty

  • Type Machine handling outgoing mail for this host (smarthost): smtp.gmail.com::587

  • Choose NO, don’t hide local mail name in outgoing mail.

  • Choose NO, don’t keep number of DNS-queries minimal (Dial-on-Demand).

  • Choose mbox

  • Choose NO, split configuration into small files

  • Mail for postmaster. You can leave this blank if you are not taking incoming mail on this server.

  4. Open /etc/exim4/exim4.conf.template in your text editor.

  5. Find the line that starts with “.ifdef DCconfig_smarthost DCconfig_satellite”.

  6. Below the comments that follow that line, add a router section for Gmail:

send_via_gmail:
       driver = manualroute
       domains = ! +local_domains
       transport = gmail_smtp
       route_list = * smtp.gmail.com

  7. Comment out the existing smarthost router in that section. Also comment out any other router that has “domains = ! +local_domains”:

# removed the default smarthost part by commenting out
#smarthost:
#  debug_print = "R: smarthost for $local_part@$domain"
#  driver = manualroute
#  domains = ! +local_domains
#  transport = remote_smtp_smarthost
#  route_list = * DCsmarthost byname
#  host_find_failed = defer
#  same_domain_copy_routing = yes
#  no_more
  8. Find the “begin authenticators” section. Add the following to that section:

gmail_login:
       driver = plaintext
       public_name = LOGIN
       client_send = : yourEmailAddress@gmail.com : Your.gmail.Pa55word

  9. Make sure you have no other authenticators that also have “public_name = LOGIN”. If you do, comment them out.

  10. Find the comment “transport/30_exim4-config_remote_smtp_smarthost”. In that section add:

gmail_smtp:
       driver = smtp
       port = 587
       hosts_require_auth = $host_address
       hosts_require_tls = $host_address

  11. Update the configuration and restart exim4:

$ update-exim4.conf

$ /etc/init.d/exim4 restart

To test the mail server, send an email from the command line:

$ exim -v 'mailToSendTo@theirDomain.com'
message here

Press Ctrl-D (^D) to send the message.

If everything works, then the command prompt will tell you when the mail is sent, and you should see it in the inbox of mailToSendTo@theirDomain.com.

References and Additional Reading