Fail2Ban on Ubuntu - Keeping the Bad Guys Out

Categories: Linux

Fail2Ban is a well-known unix tool, with a long history. It is simple but very effective at improving the security of a server, and reducing unnecessary load.

It is a background service which periodically scans the log files generated by other services on the same system (usually syslog-generated logs). Using service-specific regular expressions, it finds entries in those log files that indicate malicious access, and takes a configurable action. When the detected log message includes the IP address of the external system, one action it can take is to ask the firewall software on the same host to block all access from that address for a configurable period of time. A (pattern, action) entry is called a “jail” in fail2ban.

If you’ve installed a service with a default password, it won’t help, as the attacker may guess right the first time. However, attempts to guess typical passwords for typical user IDs will quickly get detected and the remote system blocked. In particular, any server on the internet with sshd running will experience large numbers of login attempts with user=root and a password. Of course you’ve configured sshd to not allow direct login as root, right? It is nevertheless nice to block these.

Fail2ban is a cross-unix tool, coming initially from the sysv/bsd/etc world. It is therefore just a little clumsy in the Linux world, but not too bad.

Installing is just a simple sudo apt-get install fail2ban, which puts configuration files in /etc/fail2ban. Ubuntu inherits the Debian packaging for this tool, and Debian have patched it to follow some of the usual Debian conventions, so the instructions on the fail2ban website do not quite match. The primary configuration file (which should not be modified but is useful to read) is at /etc/fail2ban/jail.conf. Fail2ban expects system-specific configuration files to have the suffix “.local” (eg jail.local); under Debian/Ubuntu they can also be placed under /etc/fail2ban/jail.d/.

By default, rules are configured to secure access to the sshd service; see /etc/fail2ban/jail.d/defaults-debian.conf.

There are definitions for postfix, dovecot, and many other service-types; you just need a local configuration file that enables checking for these services. Adding the following in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/mysettings.conf will enable them:

# the option that switches a jail on is named "enabled"
[postfix]
enabled=true
logpath=/var/log/mail.log

[dovecot]
enabled=true
logpath=/var/log/mail.log

The logpath entry is needed because fail2ban unfortunately defaults to /var/log/mail.warn which does not exist - at least on my machine.

The default time for which external servers are banned is only 10 minutes (600 seconds). That is enough to seriously disrupt brute-force password-guessing attacks, and perhaps some denial-of-service attacks. However, I prefer to set it higher, and thus also include in the above file:

[DEFAULT]
bantime=7200
findtime=7200
maxretry=5

which bans a system for two hours (bantime) once it has produced five failures (maxretry) within a two-hour window (findtime). Banning permanently could be a serious problem if you forget your password, but two hours is probably not a disaster.
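To make the interaction of bantime, findtime and maxretry concrete, here is an added example (not fail2ban’s own code) that replays a constructed auth.log excerpt through the same sliding-window counting logic, with a simplified failregex in the style of fail2ban’s sshd filter; it shows that a slow drip of failures escapes the 10-minute defaults but is caught by the two-hour settings above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Simplified failregex in the style of fail2ban's sshd filter (written for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(stamp, year=2024):
    """Syslog stamps carry no year; assume one so lines can be ordered in time."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()

class Jail:
    """Counts failures per IP inside a sliding findtime window; bans at maxretry."""
    def __init__(self, bantime=600, findtime=600, maxretry=5):
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires

    def process(self, line):
        """Feed one log line; return the IP if this line triggers a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in self.banned:
            if ts < self.banned[ip]:
                return None                 # still banned; the firewall drops it
            del self.banned[ip]             # bantime elapsed, count afresh
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ip
        return None

def run(lines, **params):
    """Replay a log through a jail; return the IPs banned, in order."""
    jail = Jail(**params)
    return [ip for line in lines if (ip := jail.process(line))]

# Constructed auth.log excerpt (TEST-NET addresses): a fast burst and a slow drip.
LOG = ([f"Mar  3 10:0{i}:00 host sshd[1000]: Failed password for root from 203.0.113.7 port 5{i} ssh2"
        for i in range(6)] +
       [f"Mar  3 11:{12*i:02d}:00 host sshd[2000]: Failed password for invalid user admin from 198.51.100.9 port 6{i} ssh2"
        for i in range(5)])
```

With the defaults, run(LOG) bans only the bursting address; with bantime=7200, findtime=7200, maxretry=5 the address failing every 12 minutes is banned as well.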

For a more extreme approach, see Blocking Connections by Country.