Fail2ban – Block unwanted attacks

23/01/2024 Categories: Software, Network, Security
source: Paul’s blog

Up until now I have been manually blocking IPs that attack my server, but by the time I see them the attacks have normally finished. After the last big attack on my email server (some 35,000 attempts) I decided to find a way to automate the blocking. After a bit of research I decided to set up Fail2ban, and here's how I did it.

As I use a third-party repository, EPEL (how to add repositories), I can just use yum to install it:

yum install fail2ban

Once installed, I just needed to change the configuration to my liking. The config files can be found in « /etc/fail2ban ».

First I edit « /etc/fail2ban/fail2ban.conf » and make sure « logtarget » is set correctly:

logtarget = /var/log/fail2ban.log

The default behaviour of fail2ban is configured in the file « /etc/fail2ban/jail.conf ». There is a [DEFAULT] section that applies to all other sections unless an option is overridden in a specific jail section.

Some of the configuration options explained:

ignoreip: A space-separated list of IP addresses that fail2ban will never block.
bantime: Time in seconds that a host stays blocked once fail2ban has caught it (600 seconds = 10 minutes).
maxretry: Maximum number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the filter file of that name in « /etc/fail2ban/filter.d ».
logpath: The log file that fail2ban watches for failed login attempts.

So I edit « /etc/fail2ban/jail.conf » and add my IP to « ignoreip ».
Then I just need to configure the jails I want to use. Here is my SSH jail:

# Section name assumed here: [ssh-iptables] is the stock name for this jail in
# fail2ban's jail.conf; any unique jail name works. Comments must be on their own line.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="ssh, 4564"]
           sendmail-whois[name=SSH, dest=root]
logpath  = /var/log/secure
maxretry = 3

Don't forget to change the port to whatever port your SSH runs on, and set « sender » and « dest » in the sendmail-whois action to your email address.

I use a couple of other jails/filters, and I'll show you how I configured them, but first here is how to start fail2ban and check that it is running.

Start fail2ban:

/etc/init.d/fail2ban start

Now check « /var/log/fail2ban.log » and make sure there are no errors.
You can also check that the rules have been added to iptables:

iptables -L

Now, as I said, I use a couple of custom filters. Here is how I did them.
Create the filter file « /etc/fail2ban/filter.d/dovecot-pop3imap.conf » and add:

# Filter files need a [Definition] section header (added here; not shown in the original post).
[Definition]
failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
ignoreregex =

Note: the failregex may need changing to suit the log format on your system.

Now add the following jail to « /etc/fail2ban/jail.conf »:

# Section name assumed here (named after the filter); any unique jail name works.
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
         sendmail-whois[name=dovecot-pop3imap, dest=root]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600
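As an added example (not code from the original post or from fail2ban itself), the failregex above and the jail's maxretry/findtime rule are replayed over a constructed maillog excerpt to check which hosts the dovecot-pop3imap jail would actually ban. The expansion of <HOST> is assumed from fail2ban 0.8's default host pattern, and the syslog timestamp prefix is assumed to be the first 15 characters of each line.

```python
import re
from datetime import datetime

# failregex from the dovecot-pop3imap filter above. fail2ban 0.8 substitutes
# <HOST> with its own capturing group; HOST_PATTERN reproduces that default here
# (an assumption) so the example runs without fail2ban installed.
FAILREGEX = (r"(?: dovecot: pop3-login|imap-login): "
             r"(?:Authentication failure|Aborted login \(auth failed|Aborted login)"
             r".*rip=(<HOST>),.*")
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed /var/log/maillog excerpt: 203.0.113.7 fails 5 times in 43 seconds
# (one line per regex alternative), 198.51.100.4 logs in successfully.
SAMPLE_MAILLOG = """\
Jan 23 10:00:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jan 23 10:00:09 mail dovecot: pop3-login: Authentication failure: user=<alice>, rip=203.0.113.7, lip=192.0.2.10
Jan 23 10:00:15 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Jan 23 10:00:20 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jan 23 10:00:31 mail dovecot: imap-login: Aborted login: user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jan 23 10:00:44 mail dovecot: pop3-login: Authentication failure: user=<admin>, rip=203.0.113.7, lip=192.0.2.10
"""
# 203.0.113.9 also fails 5 times, but spread over 20 minutes (beyond findtime).
SLOW_HOST_LINES = [
    f"Jan 23 10:{m:02d}:00 mail dovecot: pop3-login: Authentication failure: "
    f"user=<dave>, rip=203.0.113.9, lip=192.0.2.10" for m in (0, 5, 10, 15, 20)]
SAMPLE_LINES = SAMPLE_MAILLOG.splitlines() + SLOW_HOST_LINES


def failures(lines):
    """Return [(timestamp, host)] for every line the failregex matches."""
    hits = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:  # syslog prefix "Mon DD HH:MM:SS" is the first 15 characters
            hits.append((datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")))
    return hits


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with >= maxretry failures inside some findtime-second window (the jail's ban rule)."""
    per_host = {}
    for stamp, host in failures(lines):
        per_host.setdefault(host, []).append(stamp)
    banned = set()
    for host, stamps in per_host.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

Running hosts_to_ban(SAMPLE_LINES) with the jail's values bans only 203.0.113.7; the slow host escapes because its five failures never fall inside one 600-second window, which is exactly the trade-off findtime controls.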

Then just restart fail2ban:

/etc/init.d/fail2ban restart

You can create all sorts of custom jails/filters; just google for other ideas.
