Security

How to Setup an IPS (Fail2ban) to Protect from Different Attacks

IPS or Intrusion Prevention System is a technology used in network security to examine network traffic and prevent different attacks by detecting malicious inputs. Apart from just detecting malicious inputs as Intrusion Detection System does, it also prevents the network from malicious attacks. It can prevent the network from brute-force, DoS (Denial of Service), DDoS (Distributed Denial of Service), Exploits, worms, viruses, and other common attacks. IPS are placed just behind the firewall, and they can send alarms, drop malicious packets and block offending IP addresses. In this tutorial, we will use Fail2ban, which is an Intrusion Prevention Software package, to add a security layer against different brute force attacks.

How Fail2ban Works

Fail2ban reads the log files (e.g. /var/log/apache/error_log) and gets the offending IPs that are attempting too many failed passwords or seeking for exploits. Basically, Fail2ban updates firewall rules to block different IPs on the server. Fail2ban also provides filters using which we can use for a specific service (e.g., apache, ssh, etc.).

Installing Fail2ban

Fail2ban does not come pre-installed on Ubuntu, so before using it, we have to install it.

[email protected]:~$ sudo apt-get update -y

[email protected]:~$ sudo apt-get install fail2ban

After installing Fail2ban, start and enable the Fail2ban service using the command line.

[email protected]:~$ sudo systemctl start fail2ban

[email protected]:~$ sudo systemctl enable fail2ban


Now check the status of the fail2ban service to confirm whether it started or not.

[email protected]:~$ sudo systemctl status fail2ban

Configuring Fail2ban For SSH

We can configure Fail2ban by modifying /etc/fail2ban/jail.conf file. Before modifying it, take a backup of this file.

[email protected]:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we will configure Fail2ban to prevent sshd service from malicious inputs. Open /etc/fail2ban/jail.local file in your favourite editor.

[email protected]:~$ sudo nano /etc/fail2ban/jail.local

Go to the [default] section and enter configuration parameters under [default] section.

[DEFAULT]

ignoreip = 127.0.0.1/8 192.168.18.10/32

bantime = 300

maxretry = 2

findtime = 600

ignoreip is the list of cidr mask, ip address, or DNS host separated by a space character. Add your trusted IPs to this list, and these IPs will be whitelisted and will not be blocked by fail2ban even if they perform a brute force attack on the server.

bantime is the time an IP will be blocked after making a specific amount of failed attempts to the server.

maxretry is the number of maximum failed attempts after which an IP is blocked by fail2ban for a specific amount of time.

findtime is the amount of time during which if a host makes maxretry failed attempts, it will be blocked.

After configuring the above parameters, now we will configure the service on which the above rules are going to apply. By default, Fail2ban has pre-defined filters for different services, so we do not need to enter any specific entries for services. We only enable or disable different services in the configuration file. Open /etc/fail2ban/jail.local file in your favourite editor.

[email protected]:~$ sudo nano /etc/fail2ban/jail.local

Find the [sshd] section in the file and enter the following parameters in the section.

[sshd]

enable = true

port = ssh

filter = sshd

logpath = /var/log/auth.log

maxretry = 3

enabled defines whether this service is being protected by fail2ban or not. If enabled is true, then the service is being protected; otherwise, it is not being protected.

port defines service port.

filter refers to the configuration file fail2ban will use. By default it will use /etc/fail2ban/filter.d/sshd.conf file for ssh service.

logpath defines the path to logs, fail2ban will monitor to protect service from different attacks. For ssh service, authentication logs can be found at /var/log/auth.log, so fail2ban will monitor this log file and will update the firewall by detecting failed login attempts.

maxretry defines the number of failed login attempts before being blocked by the fail2ban.

After applying the above configuration for fail2ban, restart the service to save changes.

[email protected]:~$ sudo systemctl restart fail2ban.service

[email protected]:~$ sudo systemctl status fail2ban.service

Testing Fail2ban

We have configured fail2ban to protect our system against brute force attacks on ssh service. Now we will make failed login attempts on our system from another system to check whether fail2ban is working or not. After making some failed login attempts now, we will check fail2ban logs.

[email protected]:~$ cat /var/log/fail2ban.log

We can see that after failed login attempts, the IP has been blocked by fail2ban.

We can get a list of all the services for which fail2ban is enabled for by using the following command.

[email protected]:~$ sudo fail2ban-client status


The above figure shows that we have enabled fail2ban only for sshd service. We can get further information about the sshd service by specifying the service name in the above command.

[email protected]:~$ sudo fail2ban-client status sshd

Fail2ban automatically unban the banned IP address after bantime, but we can unban any IP at any time using the command line. This will give more control over fail2ban. Use the following command to unban the IP address.

[email protected]:~$ sudo fail2ban-client set sshd unbanip 192.168.43.35

If you try to unban an IP address that is not blocked by fail2ban, it will just tell you that the IP is not blocked.

[email protected]:~$ sudo fail2ban-client set sshd unbanip 192.168.43.35

Conclusion

For a system administrator or a security engineer, it is a big challenge to maintain the security of the servers. If your server is being protected by the password, not by public and private key pair, then your server is more vulnerable to brute force attackers. They can get into your system by applying different password combinations. Fail2ban is a tool that can restrict attackers from launching different kinds of attacks, including brute force attacks and DDoS attacks on your server. In this tutorial, we discussed how we could use Fail2ban to protect our server from different attacks. We can also use Fail2ban to protect other services such as apache, nginx, etc.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14