"Fail2ban " - a local service which monitors log files of running programs, and on the basis of various conditions blocks by IP the violators found.
Consider SSH protection.
Installing Fail2ban
CentOS:
yum install fail2ban
Ubuntu / Debian:
apt-get install fail2ban
Configuration Fail2ban
The program has two main configuration files:
/etc/fail2ban/fail2ban.conf - contains settings for starting the Fail2ban process.
/etc/fail2ban/jail.conf - contains settings for protecting specific services, including sshd.
The jail.conf file is divided into sections called "isolators" (jails); each section is responsible for a specific service and attack type:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
banaction = iptables-multiport
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Parameters from section [DEFAULT] apply to all other sections, unless overridden.
Section [ssh] is responsible for SSH protection against repeated unsuccessful authorization attempts on SSH server, simply put, "brute-force".
More details on each of the main parameters of jail.conf file:
- "ignoreip " - IP-addresses that should not be blocked. You can specify a list of IP addresses separated by spaces, subnet mask, or DNS server name.
- "bantime " - ban time in seconds, after which the IP-address is removed from the list of banned.
- "maxretry " - number of suspicious matches after which the rule is applied. In [ssh] context, this is the number of unsuccessful login attempts after which the rule is blocked.
- "enabled " - true indicates that this jail is active, false disables the isolator action.
- "port " - indicates on which port or ports the target service is running. Standard port of SSH-server - 22, or its alphabetical name - ssh.
- "filter " - name of the filter with regular expressions used to search for "suspicious matches" in the service logs. The file /etc/fail2ban/filter.d/sshd.conf corresponds to sshd filter.
- "logpath " is the path to the log file which Fail2ban will process with the previously specified filter. All history of successful and unsuccessful logins, including SSH logins, is written to log file /var/log/auth.log by default.
Advice for setting up Fail2ban
It's not recommended to leave ignoreip with default value 127.0.0.1/8, it creates an obvious threat on multi-user systems - if a malicious user can access at least one shell account, he will be able to freely execute a bruteforce program to attack root or other users directly from the same server.
New option findtime - defines the duration of the interval in seconds, during which the event should be repeated a certain number of times, after which the sanctions will be effective. If this option is not specifically defined, the default value will be set to 600 (10 minutes). The problem is that botnets participating in "slow bruteforce" are adept at cheating the default value. In other words, if maxretry is 6, the attacker can check 5 passwords, then wait 10 minutes, check 5 more passwords, do it again and again, and his IP will not be banned. In general, this is not a threat, but it's still better to ban such bots.
Before you make any changes following the recommendations, please note that you should not edit the main configuration file jail.conf, for this purpose there are files with ** .local* extension, which are automatically connected and have the highest priority.
nano /etc/fail2ban/jail.local
[DEFAULT]
## Permanent IP address.
## If you do not override ignoreip here,
## it's worth commenting out this parameter in the jail.conf.
ignoreip = 57.66.158.131
[ssh]
## if within 1 hour:
findtime = 3600
## 6 unsuccessful login attempts are made:
maxretry = 6
## the IP will be banned for 24 hours:
## bantime = 86400
Restarting Fail2ban:*
service fail2ban restart