You probably all have a firewall such as IPTables on your server in order to restrict the access to some services like SSH, FTP or HTTP.

But what about the threat like scripts trying to enter your FTP with dumb login and password in order to access your server?

Would not it be nice to have a tool that read the secure log file, detect the failed attempts then adds a rule to your firewall for 5 minutes in order to ban all the traffic from this source?

This tool exists and is called Fail2Ban!

How Fail2Ban work?

Every time anyone tries to access your server through services like SSH or FTP, an entry is logged in the log files

In the background Fail2Ban is monitoring this log file and when it detects too many password failures, it adds a DROP rule in IPTables for a defined amount of time to reject that IP address. After the 10 minutes, the rule is removed from the firewall automatically. And on top of that, it sends an email to the operation team.

Last but not least, as the script that launched the attack cannot access the service on your server as it is banned, it moves to another server. Basically an easier target to attack.

This tool is written in python, by a French guy: http://www.fail2ban.org

Installation and configuration

The installation is really simple as Fail2Ban is part of the rpmforge repository.

yum install fail2ban

Then, you need to update the configuration The configuration file is located here: /etc/fail2ban/jail.conf

In this file, you will find several settings, the most important options are:

ignoreip: you have to specify the IP from your network that fail2ban will never ban as they are part of the trusted network.

bantime: how long you want the attacker to be banned

Then you will define the rule that inspect the log file.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=ops@my.company.com, sender=fail2ban-my.server@my.company.com]
# logpath  = /var/log/messages
logpath = /var/log/secure
maxretry = 5

Some comments about those configuration options.

• ssh-iptables defines the beginning of a configuration block. The rule will be named: fail2ban-SSH
• enabled defines if the rule will be loaded when Fail2Ban starts
• filter: that is the search filter for the secure log file
• action: it defines the action to take if a condition is true.
• logpath: it defines the log file to read in order to ban attackers
• maxretry: it defines the number of time an attacker fails to enter the system.

Once you are done with the configuration, you can start the service

/etc/init.d/iptables start

And add it to the service which start when the server boots.

chkconfig fail2ban on

Now you are all done, you have a server configured to block SSH attempts and it will survive a reboot as it will start automatically. I am really interesting in reading your feed back about the article. So do not hesitate to leave a comment.

First of all you have to look at the problem on md2:

[root@bacchus ~]# cat /proc/mdstat
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid1 hdb1[1] hda1[0]
      152512 blocks [2/2] [UU]
md2 : active raid5 sda1[0] sdb1[1]
      625137152 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]
md1 : active raid1 hdb2[1] hda2[0]
      117065536 blocks [2/2] [UU]

The faulty device was located on hdc, and on the partition hdc1. So first of all, you have to recreate the partition with the Linux raid autodetect type and write the changes to this partition:

[root@bacchus ~]# fdisk /dev/sdc
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-38913, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-38913, default 38913):
Using default value 38913

Command (m for help): p

Disk /dev/sdc: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1       38913   312568641   83  Linux

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): fd
Changed system type of partition 1 to fd (Linux raid autodetect)

Command (m for help): p

Disk /dev/sdc: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1       38913   312568641   fd  Linux raid autodetect
Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@bacchus ~]#

Once the partition is created, you have to add the partition to the RAID array with the following command line:

mdadm /dev/md2 -a /dev/sdc1

Once this is done, you just have to monitor the rebuild from time to time with this command:

[gael@bacchus ~]$ cat /proc/mdstat
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid1 hdb1[1] hda1[0]
      152512 blocks [2/2] [UU]

md2 : active raid5 sdc1[3] sda1[0] sdb1[1]
      625137152 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]
      [========>............]  recovery = 43.9% (137368104/312568576) finish=85.7min speed=34061K/sec

md1 : active raid1 hdb2[1] hda2[0]
      117065536 blocks [2/2] [UU]

unused devices:

Et voila!, now you just have to wait for you RAID partition to be rebuilt and then you will be an happy bunny