Here is a guide with steps on installing Fail2ban on Ubuntu 14.04 on a server running Nginx on HP Cloud. It adds a layer of security to SSH. HP Cloud has key based login and an excellent virtual router where we can control the ingress-egress policies. We have shown before how to add port knocking to hide the SSH daemon. Fail2ban is another way to add security. This guide is intended for advanced users.
Installing Fail2ban on Ubuntu 14.04 : Preface
Fail2ban is intrusion prevention software that protects servers from brute-force attacks. Fail2ban is written in Python. Fail2ban monitors log files for selected entries and runs scripts. Most commonly this is used to block selected IP addresses which may breach the security. It can ban any IP that makes too many login attempts or performs any other action within a time frame defined by the sysadmin. The standard configuration ships with filters for Apache, Lighttpd etc. Filters are defined by Python regexes.
Fail2ban automatically alters the iptables firewall configuration; this is how the server responds to illegitimate attempts in an automated way. We talked about jailed shell before.
---
Installing Fail2ban on Ubuntu 14.04 : Nginx, HP Cloud
We suggest taking a snapshot of the running server if it is a live website, as described in Disaster Management using OpenStack Raksha and Floating IP.
First run update and then install Fail2ban :
```
apt-get update && apt-get install -y fail2ban
```
You can run cat on this file :
```
cat /etc/fail2ban/jail.conf
```
to check the contents. We need to copy it to /etc/fail2ban/jail.local and edit it :
```
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
```
Find the section named [DEFAULT]; localhost should not be banned :
```
ignoreip = 127.0.0.1/8
```
The [DEFAULT] section, excluding the commented out lines, looks like this :
```
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = root@localhost
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_)s
```
There are three parameters you must know about: bantime, maxretry and findtime.
The bantime parameter sets the length of time that a client will be banned after failing to authenticate. By default, this is set to 600 seconds. maxretry sets the number of tries a client can make within the timeframe defined by findtime before getting banned. By default, the fail2ban service will ban a client that attempts to log in 3 times within a 10 minute timeframe.
```
...
bantime  = 600
...
findtime = 600
maxretry = 3
...
```
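To make the bantime, findtime, maxretry and ignoreip semantics above concrete, here is an added Python example (not Fail2ban's own code) that replays constructed auth.log lines through a simplified stand-in for the sshd failregex and applies the sliding findtime window; the 2014 year and the sample IPs are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log lines (sample data, not from a real host).
AUTH_LOG = """\
Jun  1 12:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  1 12:00:05 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jun  1 12:00:09 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jun  1 12:01:00 web1 sshd[2004]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun  1 12:30:00 web1 sshd[2005]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun  1 12:59:00 web1 sshd[2006]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jun  1 13:00:00 web1 sshd[2007]: Failed password for root from 127.0.0.1 port 40003 ssh2
Jun  1 13:00:01 web1 sshd[2008]: Failed password for root from 127.0.0.1 port 40004 ssh2
Jun  1 13:00:02 web1 sshd[2009]: Failed password for root from 127.0.0.1 port 40005 ssh2
"""

# Simplified stand-in for the sshd filter's failregex; <HOST> becomes the "host" group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<host>\S+) port \d+"
)


def parse_ts(text):
    # syslog timestamps carry no year; 2014 is an assumption for the sample
    return datetime.strptime("2014 " + text, "%Y %b %d %H:%M:%S")


def bans(log, findtime=600, maxretry=3, ignoreip=("127.0.0.1/8",)):
    """Return {ip: time of ban} for every host that reaches maxretry
    failures inside a sliding window of findtime seconds, skipping ignoreip."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line; Fail2ban would ignore it too
        ip, ts = m.group("host"), parse_ts(m.group("ts"))
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts  # the ban would last bantime seconds from here
    return banned
```

With the defaults only 203.0.113.5 is banned: 198.51.100.7 spreads its three failures over more than findtime, and 127.0.0.1 is covered by ignoreip.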
There will be a section named [ssh]. It must be enabled :
```
enabled = true
```
Before going to the Nginx related settings, one note: the /etc/fail2ban/filter.d directory keeps the filters. There should be a section named [nginx-http-auth] in /etc/fail2ban/jail.local; it should look like this :
```
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
```
where /var/log/nginx/error.log is the real error log of Nginx. To make the firewall rules persist across reboots, we need to install :
```
apt-get install iptables-persistent
```
We are providing a set of commands for basic security :
```
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
```
Stop the service and start it :
```
service fail2ban stop && service fail2ban start
```
Check the iptables rules :
```
sudo iptables -S
```
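What to look for in that output: a fail2ban-<jail> chain per enabled jail, a jump into it from INPUT ahead of your own ACCEPT rules, and one REJECT line per banned host. The added Python example below (not part of this guide's original commands) parses a constructed `iptables -S` listing in the shape the iptables-multiport action of Fail2ban 0.8.x produces; that layout and the sample IP are assumptions.

```python
import re

# Constructed `iptables -S` output in the shape the iptables-multiport action of
# Fail2ban 0.8.x (Ubuntu 14.04) produces; assumed layout, not captured from a host.
IPTABLES_S = """\
-P INPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""

CHAIN_RE = re.compile(r"^-N (fail2ban-\S+)$")
JUMP_RE = re.compile(r"^-A INPUT .*--dports (\S+) -j (fail2ban-\S+)$")
ACCEPT_RE = re.compile(r"^-A INPUT -p tcp -m tcp --dport (\d+) -j ACCEPT$")
BAN_RE = re.compile(r"^-A (fail2ban-\S+) -s (\S+) -j (?:REJECT|DROP)")

def audit(rules):
    """Return {chain: {"ports": [...], "banned": [...], "shadowed": bool}}.
    A chain is shadowed when INPUT accepts one of its ports before jumping
    into it (or never jumps), so banned hosts get through untouched."""
    state, accept_pos, pos = {}, {}, 0
    for line in rules.splitlines():
        if m := CHAIN_RE.match(line):
            state[m.group(1)] = {"ports": [], "banned": [], "jump": None}
        elif line.startswith("-A INPUT"):
            pos += 1  # position in the INPUT chain, first match wins
            if m := ACCEPT_RE.match(line):
                accept_pos.setdefault(m.group(1), pos)
            elif m := JUMP_RE.match(line):
                info = state.setdefault(m.group(2), {"ports": [], "banned": [], "jump": None})
                info["ports"], info["jump"] = m.group(1).split(","), pos
        elif m := BAN_RE.match(line):
            state.setdefault(m.group(1), {"ports": [], "banned": [], "jump": None})
            state[m.group(1)]["banned"].append(m.group(2).replace("/32", ""))
    for info in state.values():
        jump = info.pop("jump")
        info["shadowed"] = jump is None or any(
            accept_pos.get(p, float("inf")) < jump for p in info["ports"])
    return state
```

The shadowed flag is the check that matters after saving rules with iptables-persistent: if a later restore puts your `--dport 22 -j ACCEPT` above the fail2ban-ssh jump, bans stop having any effect.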
You can check this file by running cat :
```
cat /etc/fail2ban/action.d/iptables-multiport.conf
```
It is beyond our scope to customize Fail2ban extensively for your needs; you should look at the official website and read the Fail2ban manual. For example, we have not talked about :
Hello! I Want To Use Fail2ban With ufw
As Fail2ban uses iptables and inserts its rules first in the INPUT chain, if ufw is running it might not get integrated. To fully integrate Fail2ban with ufw rather than iptables you will need to edit :
```
nano /etc/fail2ban/jail.conf
```
The [ssh] section should look like this :
```
[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
then :
```
nano /etc/fail2ban/action.d/ufw-ssh.conf
```
```
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
```