Fail2ban – Security tool

May 23rd, 2009 Gael

A great tool to enhance your firewalling.

You probably all have a firewall such as IPTables on your server to restrict access to services like SSH, FTP or HTTP.

But what about threats like scripts trying to log in to your FTP server with guessed logins and passwords in order to get access to your server?

Wouldn't it be nice to have a tool that reads the secure log file, detects the failed attempts and then adds a rule to your firewall for 5 minutes to ban all traffic from that source?

This tool exists and is called Fail2Ban!

How does Fail2Ban work?

Every time anyone tries to access your server through a service like SSH or FTP, an entry is written to the log files.

In the background Fail2Ban is monitoring this log file, and when it detects too many password failures from one address, it adds a DROP rule to IPTables for a defined amount of time to drop all traffic from that IP address. After the 10 minutes, the rule is removed from the firewall automatically. And on top of that, it sends an email to the operations team.

Last but not least, since the script that launched the attack can no longer reach the service on your server once it is banned, it moves on to another server, basically an easier target to attack.

This tool is written in Python, by a French guy:

Installation and configuration

The installation is really simple, as Fail2Ban is part of the rpmforge repository:

yum install fail2ban

Then, you need to update the configuration. The configuration file is located here: /etc/fail2ban/jail.conf

In this file, you will find several settings; the most important options are:

ignoreip: the IP addresses from your own network that fail2ban will never ban, as they are part of the trusted network.

bantime: how long (a number of seconds) you want the attacker to be banned.

Then you define the rule (the jail) that inspects the log file:

# The section header names the jail; the comments below refer to it.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# logpath  = /var/log/messages
logpath  = /var/log/secure
maxretry = 5

Some comments about those configuration options.

  • [ssh-iptables] opens the configuration block (the jail). The IPTables chain created for it will be named fail2ban-SSH, after the name= parameter of the action.
  • enabled defines whether the jail is loaded when Fail2Ban starts.
  • filter: the search filter applied to the secure log file (here the sshd filter shipped with Fail2Ban).
  • action: the action taken once the condition is met, here inserting a DROP rule for the SSH port into IPTables.
  • logpath: the log file to read in order to detect attackers.
  • maxretry: the number of failed login attempts an attacker is allowed before the ban is applied.

Once you are done with the configuration, you can start the service:

/etc/init.d/fail2ban start

And add it to the services that start when the server boots:

chkconfig fail2ban on

Now you are all done: you have a server configured to block SSH brute-force attempts, and the protection survives a reboot as the service starts automatically. I am really interested in reading your feedback about the article, so do not hesitate to leave a comment.
