
How to Install Fail2ban to Protect Against Brute Force Login Attacks

In this tutorial, you learn how to install Fail2ban on an ECS instance to protect your SSH and Apache services from brute force login attacks.

By Hitesh Jethva, Alibaba Cloud Community Blog author. The Blog is a community-driven platform whose main aim is to demonstrate Alibaba Cloud's technical capabilities, brand message, and thought leadership through relevant, compelling content.

Fail2Ban is a free and open source intrusion prevention software framework that protects your server from brute-force attacks. It works by continuously monitoring log files (SSH, Apache, auth) and banning IP addresses that show malicious signs, such as accumulating many password failures.

In this tutorial, you will learn how to install and configure Fail2Ban to protect your SSH and Apache services from brute force login attacks on an Alibaba Cloud Elastic Compute Service (ECS) instance that is installed with Ubuntu 16.04.

Requirements

  • A newly created ECS instance installed with Ubuntu 16.04.
  • The static IP address 192.168.43.193 is set up for your instance.
  • A root password is set up for your instance.

Procedure

To install and configure Fail2Ban to protect against brute force login attacks, complete the following steps:

Launch an Alibaba Cloud ECS Instance

First, log on to your Alibaba Cloud ECS Console. Then, create a new ECS instance with Ubuntu 16.04 as the operating system and with at least 2GB RAM. Connect to your ECS instance and log on as the root user.

After you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Apache and Fail2Ban

First, install the Apache web server and Fail2Ban on your server by running the following command:

apt-get install apache2 fail2ban -y

After the installation is complete, you can proceed to the next step.

Configure Fail2Ban

By default, all Fail2Ban configuration files are located in the /etc/fail2ban/ directory. You can list them with the following command:

ls -l /etc/fail2ban

The output is as follows:

drwxr-xr-x 2 root root  4096 Nov  7 12:04 action.d
-rw-r--r-- 1 root root  2328 Aug  1  2015 fail2ban.conf
drwxr-xr-x 2 root root  4096 Aug  2  2015 fail2ban.d
drwxr-xr-x 3 root root  4096 Nov  7 12:04 filter.d
-rw-r--r-- 1 root root 18562 Aug  1  2015 jail.conf
drwxr-xr-x 2 root root  4096 Nov  7 12:04 jail.d
-rw-r--r-- 1 root root  1939 Aug  1  2015 paths-common.conf
-rw-r--r-- 1 root root   642 Aug  1  2015 paths-debian.conf

Of the files listed above, jail.conf is the main configuration file and holds the pre-defined jail definitions. Do not edit it directly, since package upgrades can overwrite it; instead create a separate file, /etc/fail2ban/jail.local, whose settings override those in jail.conf:

nano /etc/fail2ban/jail.local

Add the following lines:

## Block remote hosts that request suspicious (overlong or malformed) URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193

## Block remote hosts that probe the website for scripts to execute.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193

## Block requests from known malicious bots (matched on the User-Agent header).
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193

## Block a remote host that floods the web server with requests (DoS).
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.43.193
action = iptables[name=HTTP, port=http, protocol=tcp]

## Block hosts with repeated failed login attempts on the SSH server.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193

Save and close the file when you are finished. The options used above mean the following:

  • ignoreip: a whitelist of IP addresses (or CIDR ranges) that Fail2Ban never bans.
  • bantime: the number of seconds a remote host stays banned.
  • findtime: the window, in seconds, within which failures are counted toward maxretry.
  • maxretry: the number of failures within findtime before a host is banned.
  • logpath: the location of the service's log file.

Next, create the filter file /etc/fail2ban/filter.d/http-get-dos.conf.

nano /etc/fail2ban/filter.d/http-get-dos.conf

Add the following lines:

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex matches any GET or POST entry in your logs, so both valid and invalid requests count as a match.
# Set maxretry and findtime carefully in the jail configuration to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

When finished, save and close the file. Next, restart Fail2Ban to apply the changes:

systemctl restart fail2ban
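Before trusting a jail's thresholds in production, it helps to see how Fail2Ban turns failregex, findtime, maxretry and ignoreip into a ban decision. The tool for checking a filter against a real log is fail2ban-regex (for example `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf`). The Python script below is an added example written for this article, not Fail2Ban's own code: it reimplements the counting logic in simplified form (IPv4 only), expanding <HOST> to a capture group, keeping only matches inside the findtime window, skipping addresses covered by ignoreip, and banning a host once it reaches maxretry. The jail values are scaled down (maxretry 4, findtime 60) and the Apache access-log lines are constructed so the sample stays short; 192.168.43.193, the server's own address from this tutorial, is in ignoreip as in jail.local.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed jail settings, mirroring the http-get-dos jail in jail.local above
# but scaled down (maxretry=4, findtime=60) so the sample log stays short.
JAIL = {
    "failregex": r'^<HOST> -.*"(GET|POST).*',
    "maxretry": 4,
    "findtime": 60,          # seconds
    "bantime": 200,          # seconds
    "ignoreip": ["192.168.43.193", "127.0.0.0/8"],
}

# Fail2Ban replaces the <HOST> tag with a capture group for the client address;
# this simplified version handles IPv4 only.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Apache combined-log timestamp, e.g. [07/Nov/2018:13:31:11 +0000]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex):
    """Turn a Fail2Ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_timestamp(line):
    """Extract the request time from an Apache access-log line (None if absent)."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def is_ignored(host, ignoreip):
    """True if host falls inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def evaluate_jail(lines, jail):
    """Replay log lines through the jail; return {host: time_of_ban}.

    A host is banned when it accumulates `maxretry` matching lines whose
    timestamps all fall within a `findtime`-second window ending at the
    latest match. Hosts in ignoreip never accumulate failures.
    """
    failregex = compile_failregex(jail["failregex"])
    window = timedelta(seconds=jail["findtime"])
    recent_failures = {}   # host -> timestamps of matches still inside the window
    bans = {}
    for line in lines:
        m = failregex.search(line)
        ts = parse_timestamp(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        if host in bans or is_ignored(host, jail["ignoreip"]):
            continue
        hits = [t for t in recent_failures.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent_failures[host] = hits
        if len(hits) >= jail["maxretry"]:
            bans[host] = ts
    return bans


# Constructed Apache access-log lines. 10.0.0.7 makes four requests spread ten
# minutes apart (never four inside 60 s); 192.168.43.4 makes four within two
# seconds; 192.168.43.193 is the server itself and is covered by ignoreip.
SAMPLE_LOG = [
    '10.0.0.7 - - [07/Nov/2018:13:00:00 +0000] "GET / HTTP/1.1" 200 3380',
    '10.0.0.7 - - [07/Nov/2018:13:10:00 +0000] "GET /about HTTP/1.1" 200 1204',
    '10.0.0.7 - - [07/Nov/2018:13:20:00 +0000] "GET / HTTP/1.1" 200 3380',
    '10.0.0.7 - - [07/Nov/2018:13:30:00 +0000] "POST /contact HTTP/1.1" 200 512',
    '192.168.43.4 - - [07/Nov/2018:13:31:10 +0000] "GET / HTTP/1.1" 200 3380',
    '192.168.43.4 - - [07/Nov/2018:13:31:11 +0000] "GET /cgi-bin/ HTTP/1.1" 404 498',
    '192.168.43.4 - - [07/Nov/2018:13:31:11 +0000] "GET /admin/ HTTP/1.1" 404 498',
    '192.168.43.4 - - [07/Nov/2018:13:31:12 +0000] "POST /login HTTP/1.1" 404 498',
    '192.168.43.193 - - [07/Nov/2018:13:31:12 +0000] "GET / HTTP/1.1" 200 3380',
    '192.168.43.193 - - [07/Nov/2018:13:31:12 +0000] "GET / HTTP/1.1" 200 3380',
    '192.168.43.193 - - [07/Nov/2018:13:31:13 +0000] "GET / HTTP/1.1" 200 3380',
    '192.168.43.193 - - [07/Nov/2018:13:31:13 +0000] "GET / HTTP/1.1" 200 3380',
]

if __name__ == "__main__":
    for host, when in evaluate_jail(SAMPLE_LOG, JAIL).items():
        print(f"[http-get-dos] Ban {host} at {when:%Y-%m-%d %H:%M:%S} "
              f"for {JAIL['bantime']} s")
```

Only 192.168.43.4 ends up banned: 10.0.0.7 never has four requests inside one 60-second window, and the server's own address is skipped by ignoreip. With the tutorial's real values (maxretry 400, findtime 400) the jail bans any client averaging more than one request per second over 400 seconds, which is why the filter comment warns about false positives: a browser loading a page with many images and scripts can approach that rate, so tune these two numbers against your own access logs before enabling the jail on a busy site.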

Next, check the status of all jails:

fail2ban-client status

The output is as follows:

Status
|- Number of jail:    7
`- Jail list:    apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, ssh, sshd

You can also see the rules added by Fail2Ban by running the following command:

iptables -L

The output is as follows:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-HTTP (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-badbots (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-noscript (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-overflows (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Test Fail2Ban

Fail2Ban is now installed and configured, so it is time to test whether it is working. Go to the client machine and generate a flood of HTTP requests against the Fail2Ban server by running the nikto web scanner, which should trigger the http-get-dos jail:

nikto -h 192.168.43.193 -C all

The output is as follows:

- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.43.193
+ Target Hostname:    192.168.43.193
+ Target Port:        80
+ Start Time:         2018-11-08 10:51:54
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ ETag header found on server, fields: 0x2cf6 0x53f96e8a38fad 
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 

Now, go to the Fail2Ban machine and check the log file:

tail -f /var/log/fail2ban.log 

You will see the following output:

2018-11-07 13:31:11,757 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,757 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,758 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,761 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,764 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,765 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,766 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,767 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4

You can also check the Fail2Ban banning status by running the following command:

fail2ban-client status http-get-dos

You will see that Fail2Ban has blocked the remote host IP address:

Status for the jail: http-get-dos
|- Filter
|  |- Currently failed:    2
|  |- Total failed:    650
|  `- File list:    /var/log/apache2/access.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:    192.168.43.4

Next, go to the client machine and perform a failed login attempt against the Fail2Ban server:

ssh root@192.168.43.193

Enter the wrong password four times. After you have reached the failed login limit, you will be blocked for 300 seconds (or 5 minutes).

root@192.168.43.193's password: 
Permission denied, please try again. 
root@192.168.43.193's password: 
Permission denied, please try again. 
root@192.168.43.193's password: 
Permission denied, please try again. 
root@192.168.43.193's password: 
Permission denied, please try again. 
root@192.168.43.193's password: 
ssh: connect to host 192.168.43.193 port 22: Connection refused

Now, go to the Fail2Ban server and check the log file:

tail -f /var/log/fail2ban.log

The output is as follows:

2018-11-07 13:43:54,928 fail2ban.filter         [4225]: INFO    [ssh] Found 192.168.43.4
2018-11-07 13:43:55,657 fail2ban.filter         [4225]: INFO    [sshd] Found 192.168.43.4
2018-11-07 13:43:55,684 fail2ban.filter         [4225]: INFO    [ssh] Found 192.168.43.4
2018-11-07 13:43:55,944 fail2ban.actions        [4225]: NOTICE  [ssh] Ban 192.168.43.4

You can also verify the SSH banning status by running the following command:

fail2ban-client status ssh

You will see that your IP address has been blocked by Fail2Ban:

Status for the jail: ssh
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    4
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:    192.168.43.4

You can also check the new rules that Fail2Ban added to iptables by running the following command:

iptables -S

The output is as follows:

-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-HTTP -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN
-A f2b-apache -j RETURN
-A f2b-apache-badbots -j RETURN
-A f2b-apache-noscript -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-ssh -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN

Fail2Ban also allows you to block and unblock a remote host's IP address manually. Run the following command to unblock the IP address 192.168.43.4 for the SSH service:

fail2ban-client set ssh unbanip 192.168.43.4

Run the following command to block the IP address 192.168.43.4 for the SSH service:

fail2ban-client set ssh banip 192.168.43.4
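The iptables -S listing and the fail2ban.log notices shown above are two independent records of the same bans, and they can drift apart: a manual iptables -F, a firewall script that reloads rules at boot, or a Fail2Ban restart without the database can leave an IP that the log says is banned with no REJECT rule in its f2b-* chain. The script below is an added example written for this article (not part of Fail2Ban) that parses iptables -S output and fail2ban.log Ban/Unban notices in exactly the formats printed above and reports any IP present in one view but not the other. The iptables rules are the ones listed in this tutorial; the log lines other than the tutorial's two SSH entries are constructed, including a Ban that is later lifted and one deliberate drift case (an [sshd] ban with no matching REJECT rule). The jail-to-chain mapping is an assumption based on the names visible above: Fail2Ban's stock iptables actions create f2b-<jail>, while the http-get-dos jail's `action = iptables[name=HTTP, ...]` produces f2b-HTTP.

```python
import re

# Jail -> iptables chain. Stock iptables actions use f2b-<jail>; the
# http-get-dos jail above sets action = iptables[name=HTTP, ...], hence f2b-HTTP.
CHAIN_OVERRIDES = {"http-get-dos": "f2b-HTTP"}

# Rule formats as printed by `iptables -S` on the tutorial's server.
JUMP_RULE_RE = re.compile(r"^-A INPUT .*-j (?P<chain>f2b-\S+)$")
BAN_RULE_RE = re.compile(r"^-A (?P<chain>f2b-\S+) -s (?P<ip>[\d.]+)/32 -j (?:REJECT|DROP)\b")

# Ban/Unban notices as written by fail2ban.actions to /var/log/fail2ban.log.
LOG_NOTICE_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>[\d.]+)"
)


def chain_for_jail(jail):
    return CHAIN_OVERRIDES.get(jail, "f2b-" + jail)


def jail_for_chain(chain):
    for jail, named_chain in CHAIN_OVERRIDES.items():
        if named_chain == chain:
            return jail
    return chain[len("f2b-"):]


def banned_from_iptables(rules):
    """Return {chain: set(ip)} for every f2b-* chain that INPUT jumps to."""
    banned = {m.group("chain"): set() for m in map(JUMP_RULE_RE.match, rules) if m}
    for rule in rules:
        m = BAN_RULE_RE.match(rule)
        if m:
            banned.setdefault(m.group("chain"), set()).add(m.group("ip"))
    return banned


def banned_from_log(log_lines):
    """Replay Ban/Unban notices; return {jail: set(ip)} the log says is banned now."""
    state = {}
    for line in log_lines:
        m = LOG_NOTICE_RE.search(line)
        if not m:
            continue
        ips = state.setdefault(m.group("jail"), set())
        if m.group("action") == "Ban":
            ips.add(m.group("ip"))
        else:
            ips.discard(m.group("ip"))
    return state


def audit_bans(iptables_rules, fail2ban_log):
    """Cross-check firewall state against the log; return sorted (jail, ip, reason)."""
    firewall = banned_from_iptables(iptables_rules)
    logged = banned_from_log(fail2ban_log)
    problems = []
    for jail, ips in logged.items():
        chain = chain_for_jail(jail)
        for ip in ips - firewall.get(chain, set()):
            problems.append((jail, ip, f"banned in fail2ban log but no REJECT rule in {chain}"))
    for chain, ips in firewall.items():
        jail = jail_for_chain(chain)
        for ip in ips - logged.get(jail, set()):
            problems.append((jail, ip, f"REJECT rule in {chain} with no matching Ban in the log"))
    return sorted(problems)


# `iptables -S` output reproduced from the tutorial above.
SAMPLE_IPTABLES = """
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-HTTP -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN
-A f2b-apache -j RETURN
-A f2b-apache-badbots -j RETURN
-A f2b-apache-noscript -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-ssh -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN
""".strip().splitlines()

# fail2ban.log: the tutorial's [ssh] lines plus constructed entries for the HTTP
# ban, a ban that was later lifted, and one drift case ([sshd] ban, no rule).
SAMPLE_LOG = [
    "2018-11-07 13:31:12,004 fail2ban.actions        [3608]: NOTICE  [http-get-dos] Ban 192.168.43.4",
    "2018-11-07 13:43:54,928 fail2ban.filter         [4225]: INFO    [ssh] Found 192.168.43.4",
    "2018-11-07 13:43:55,944 fail2ban.actions        [4225]: NOTICE  [ssh] Ban 192.168.43.4",
    "2018-11-07 13:50:01,112 fail2ban.actions        [4225]: NOTICE  [ssh] Ban 10.0.0.9",
    "2018-11-07 13:52:10,338 fail2ban.actions        [4225]: NOTICE  [ssh] Unban 10.0.0.9",
    "2018-11-07 13:55:42,771 fail2ban.actions        [4225]: NOTICE  [sshd] Ban 10.0.0.25",
]

if __name__ == "__main__":
    for jail, ip, reason in audit_bans(SAMPLE_IPTABLES, SAMPLE_LOG):
        print(f"{jail}: {ip}: {reason}")
```

Run against live data, the two inputs would come from `iptables -S` and `/var/log/fail2ban.log`; on a healthy server the audit returns an empty list. On the sample it reports exactly the constructed drift (sshd, 10.0.0.25) and nothing for 10.0.0.9, because the Unban notice cancels the earlier Ban during replay. If the audit ever shows a REJECT rule with no matching Ban, someone or something other than Fail2Ban is editing its chains, which is worth investigating on its own.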