By Hitesh Jethva, Alibaba Cloud Community Blog author. The Blog is a community-driven platform whose main aim is to demonstrate Alibaba Cloud's technical capabilities, brand message, and thought leadership through relevant, compelling content.
Fail2Ban is a free and open source intrusion prevention software framework that can be used to protect your server from brute-force attacks. Fail2Ban works by continuously monitoring log files (SSH, Apache, Auth) and bans IP addresses that have the malicious signs such as accruing many password failures.
In this tutorial, you will learn how to install and configure Fail2Ban to protect your SSH and Apache services from brute force login attacks on an Alibaba Cloud Elastic Compute Service (ECS) instance that is installed with Ubuntu 16.04.
To install and configure Fail2Ban to protect against brute force login attacks, complete the following steps:
First, log on to your Alibaba Cloud ECS Console. Then, create a new ECS instance with Ubuntu 16.04 as the operating system and with at least 2GB RAM. Connect to your ECS instance and log on as the root user.
After you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
First, you will need to install Apache web server and Fail2Ban to your server. You can install it by running the following command:
apt-get install apache2 fail2ban -y
After the installation is complete, you can proceed to the next step.
By default, all the configuration files of Fail2Ban are located inside /etc/fail2ban/ directory. You can list all of them with the following command:
ls -l /etc/fail2ban
The output is as follows:
drwxr-xr-x 2 root root 4096 Nov 7 12:04 action.d
-rw-r--r-- 1 root root 2328 Aug 1 2015 fail2ban.conf
drwxr-xr-x 2 root root 4096 Aug 2 2015 fail2ban.d
drwxr-xr-x 3 root root 4096 Nov 7 12:04 filter.d
-rw-r--r-- 1 root root 18562 Aug 1 2015 jail.conf
drwxr-xr-x 2 root root 4096 Nov 7 12:04 jail.d
-rw-r--r-- 1 root root 1939 Aug 1 2015 paths-common.conf
-rw-r--r-- 1 root root 642 Aug 1 2015 paths-debian.conf
From the above listed files, jail.conf is the main configuration file that contains a set of pre-defined filters. We recommend that you create a separate file /etc/fail2ban/jail.local.
nano /etc/fail2ban/jail.local
Add the following lines:
##Block the remote host that is trying to request suspicious URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block the remote host that is trying to search for scripts on the website to execute.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block the remote host that is trying to request malicious bot.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.43.193
action = iptables[name=HTTP, port=http, protocol=tcp]
##Block the failed login attempts on the SSH server.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
Save and close the file, when you are finished.
ignoreip : This option allows us to whitelist the IP addresses that can not be blocked by Fail2ban.
bantime : The number of seconds that a remote host is banned.
findtime : This option specifies the time period (in seconds) that login retries are counted.
maxretry : This option specifies the number of failures before a host gets banned.
logpath : This option specifies the location of the services log file.
Next, create the filter file /etc/fail2ban/filter.d/http-get-dos.conf.
nano /etc/fail2ban/filter.d/http-get-dos.conf
Add the following lines:
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
When finished, save and close the file. Next, restart Fail2Ban to apply the changes:
systemctl restart fail2ban
Next, check the status of all jails:
fail2ban-client status
The output is as follows:
Status
|- Number of jail: 7
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, ssh, sshd
You can also see the rules added by Fail2Ban by running the following command:
iptables -L
The output is as follows:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-HTTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Fail2Ban is now installed and configured. It's time to test whether it is working or not. Now, go to the client machine and perform DDOS attack against Fail2Ban server with the following command:
nikto -h 192.168.43.193 -C all
The output is as follows:
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.43.193
+ Target Hostname: 192.168.43.193
+ Target Port: 80
+ Start Time: 2018-11-08 10:51:54
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ ETag header found on server, fields: 0x2cf6 0x53f96e8a38fad
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
Now, go to the Fail2Ban machine and check log file:
tail -f /var/log/fail2ban.log
You will see the following output:
2018-11-07 13:31:11,757 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,757 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,758 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,761 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,764 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,765 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,766 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,767 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
You can also check the Fail2Ban banning status by running the following command:
fail2ban-client status http-get-dos
You will see that Fail2Ban has blocked the remote host IP address:
Status for the jail: http-get-dos
|- Filter
| |- Currently failed: 2
| |- Total failed: 650
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
Next, go to the client machine and perform a failed login attempt against Fail2Ban server:
ssh root@192.168.43.193
Enter the wrong password four times. After you have reached the failed login limit, you will be blocked for 300 seconds (or 5 minutes).
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
ssh: connect to host 192.168.43.193 port 22: Connection refused
Now, go to the Fal2Ban server and check log file:
tail -f /var/log/fail2ban.log
The output is as follows:
2018-11-07 13:43:54,928 fail2ban.filter [4225]: INFO [ssh] Found 192.168.43.4
2018-11-07 13:43:55,657 fail2ban.filter [4225]: INFO [sshd] Found 192.168.43.4
2018-11-07 13:43:55,684 fail2ban.filter [4225]: INFO [ssh] Found 192.168.43.4
2018-11-07 13:43:55,944 fail2ban.actions [4225]: NOTICE [ssh] Ban 192.168.43.4
You can also verify the SSH banning status by running the following command:
fail2ban-client status ssh
You will see that your IP address has been blocked by Fail2Ban:
Status for the jail: ssh
|- Filter
| |- Currently failed: 0
| |- Total failed: 4
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
You can also check the new rules added by the Iptables by running the following command:
iptables -S
The output is as follows:
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-HTTP -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN
-A f2b-apache -j RETURN
-A f2b-apache-badbots -j RETURN
-A f2b-apache-noscript -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-ssh -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN
Fail2Ban also allows you to block and unblock IP address of the remote host manually. Run the following command to unblock the IP address 192.168.43.4 for SSH service:
fail2ban-client set ssh unbanip 192.168.43.4
Run the following command to block the IP address 192.168.43.4 for SSH service:
fail2ban-client set ssh banip 192.168.43.4
2,599 posts | 762 followers
FollowAlibaba Clouder - June 10, 2019
francisndungu - May 29, 2019
francisndungu - October 19, 2018
Alibaba Clouder - July 22, 2020
Alibaba Clouder - June 12, 2019
Alibaba Clouder - January 9, 2019
2,599 posts | 762 followers
FollowAlibaba Cloud is committed to safeguarding the cloud security for every business.
Learn MoreSimple, secure, and intelligent services.
Learn MoreProtect, backup, and restore your data assets on the cloud with Alibaba Cloud database services.
Learn MoreThis solution helps you easily build a robust data security framework to safeguard your data assets throughout the data security lifecycle with ensured confidentiality, integrity, and availability of your data.
Learn MoreMore Posts by Alibaba Clouder