How To Install fail2ban

fail2ban install notes

apt update

apt install fail2ban

Once installation is completed, the fail2ban service starts automatically. Verify with:

root@gemini:/home/kevin# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-06-03 11:34:32 BST; 4min 7s ago
Docs: man:fail2ban(1)
Main PID: 543825 (f2b/server)
Tasks: 5 (limit: 2280)
Memory: 14.9M
CGroup: /system.slice/fail2ban.service
└─543825 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jun 03 11:34:32 gemini systemd[1]: Starting Fail2Ban Service...
Jun 03 11:34:32 gemini systemd[1]: Started Fail2Ban Service.
Jun 03 11:34:32 gemini fail2ban-server[543825]: Server ready
root@gemini:/home/kevin#

The default fail2ban installation ships two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. Do not edit these files directly: they may be overwritten when the package is updated.

fail2ban reads its configuration files in the following order; later files override earlier ones, so each .local file overrides the settings in the corresponding .conf file:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local

The easiest way to configure fail2ban is to copy jail.conf to jail.local and modify the .local file.

You can also build a .local configuration file from scratch.

The .local file doesn’t have to include all settings from the corresponding .conf file, only the settings you want to override.

You can always refer to /etc/fail2ban/jail.conf to check the default values for the standard services fail2ban supports.

Create a .local config file from the default jail.conf file:

cp /etc/fail2ban/jail.{conf,local}

root@gemini:/home/kevin# cp /etc/fail2ban/jail.{conf,local}
root@gemini:/home/kevin# nano /etc/fail2ban/jail.local

Logging is configured separately in fail2ban.local (which overrides fail2ban.conf the same way jail.local overrides jail.conf), as follows:

root@gemini:/etc/fail2ban# cat fail2ban.local 
# Basic Configuration
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log

root@gemini:/etc/fail2ban#

Rather than editing the full copied file, the jail.local below is rebuilt from scratch with only the settings that override jail.conf:

root@gemini:/etc/fail2ban# rm jail.local
root@gemini:/etc/fail2ban# nano jail.local
root@gemini:/etc/fail2ban#

jail.local as follows:

root@gemini:/etc/fail2ban# cat jail.local
# Basic Configuration
[DEFAULT]
bantime = 1800
findtime = 600
maxretry = 3
backend = systemd
root@gemini:/etc/fail2ban#

Then restart fail2ban and confirm it came back up with the new settings:

root@gemini:/etc/fail2ban# systemctl restart fail2ban
root@gemini:/etc/fail2ban# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-06-03 11:46:52 BST; 4s ago
Docs: man:fail2ban(1)
Process: 545164 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 545178 (f2b/server)
Tasks: 5 (limit: 2280)
Memory: 76.0M
CGroup: /system.slice/fail2ban.service
└─545178 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jun 03 11:46:52 gemini systemd[1]: Starting Fail2Ban Service...
Jun 03 11:46:52 gemini systemd[1]: Started Fail2Ban Service.
Jun 03 11:46:52 gemini fail2ban-server[545178]: Server ready
root@gemini:/etc/fail2ban#

To see which addresses fail2ban (f2b) has found and banned, check the fail2ban log:

tail -f /var/log/fail2ban.log

root@gemini:~# tail -f /var/log/fail2ban.log
2021-06-03 11:50:48,748 fail2ban.actions [545178]: NOTICE [sshd] Ban 106.12.75.10
2021-06-03 11:50:49,885 fail2ban.filter [545178]: INFO [sshd] Found 106.12.75.10 - 2021-06-03 11:50:49
2021-06-03 11:50:49,886 fail2ban.filter [545178]: INFO [sshd] Found 81.69.192.217 - 2021-06-03 11:50:49
2021-06-03 11:50:59,385 fail2ban.filter [545178]: INFO [sshd] Found 113.31.125.11 - 2021-06-03 11:50:58
2021-06-03 11:50:59,390 fail2ban.actions [545178]: NOTICE [sshd] Ban 113.31.125.11
2021-06-03 11:51:01,592 fail2ban.filter [545178]: INFO [sshd] Found 113.31.125.11 - 2021-06-03 11:51:01
2021-06-03 11:51:47,135 fail2ban.filter [545178]: INFO [sshd] Found 62.14.232.3 - 2021-06-03 11:51:46
2021-06-03 11:51:50,385 fail2ban.filter [545178]: INFO [sshd] Found 62.14.232.3 - 2021-06-03 11:51:49
2021-06-03 11:51:52,590 fail2ban.filter [545178]: INFO [sshd] Found 62.14.232.3 - 2021-06-03 11:51:52
2021-06-03 11:51:52,682 fail2ban.actions [545178]: NOTICE [sshd] Ban 62.14.232.3
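
To show how the bantime/findtime/maxretry values in jail.local interact with the Found lines in this log, here is an added Python example (not part of these notes or of fail2ban itself) that replays constructed log lines in the same format through a sliding findtime/maxretry window. It assumes the single-space field layout shown above; real fail2ban logs pad fields with extra spaces, which the pattern tolerates.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/fail2ban.log "Found" format (not real traffic).
SAMPLE_LOG = """\
2021-06-03 11:51:47,135 fail2ban.filter [545178]: INFO [sshd] Found 198.51.100.7 - 2021-06-03 11:51:46
2021-06-03 11:51:50,385 fail2ban.filter [545178]: INFO [sshd] Found 198.51.100.7 - 2021-06-03 11:51:49
2021-06-03 11:51:52,590 fail2ban.filter [545178]: INFO [sshd] Found 198.51.100.7 - 2021-06-03 11:51:52
2021-06-03 11:52:00,001 fail2ban.filter [545178]: INFO [sshd] Found 203.0.113.9 - 2021-06-03 11:52:00
2021-06-03 12:10:00,002 fail2ban.filter [545178]: INFO [sshd] Found 203.0.113.9 - 2021-06-03 12:10:00
2021-06-03 12:10:05,003 fail2ban.filter [545178]: INFO [sshd] Found 203.0.113.9 - 2021-06-03 12:10:05
"""

# Matches a filter "Found" line; \s+ tolerates the wider padding real logs use between fields.
FOUND_RE = re.compile(
    r"^\S+ \S+ fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] "
    r"Found (?P<ip>\S+) - (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_found(log_text):
    """Yield (jail, ip, event_time) for every 'Found' line; NOTICE/Ban lines are skipped."""
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            yield m["jail"], m["ip"], datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S")


def simulate_bans(log_text, findtime=600, maxretry=3):
    """Replay matches through the jail.local rule: ban an IP once it has maxretry
    matches inside a sliding findtime window. Returns {(jail, ip): time_of_ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # (jail, ip) -> match timestamps still inside the window
    bans = {}
    for jail, ip, when in parse_found(log_text):
        key = (jail, ip)
        if key in bans:
            continue              # already banned; nothing further to count
        hits = recent[key]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # expire matches older than findtime
        if len(hits) >= maxretry:
            bans[key] = when
    return bans
```

With findtime=600 only the first address reaches three matches inside the window; the second address's first attempt is 18 minutes old by its third try, so it would only be banned under a wider findtime (for example 1800).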


Alternatively, use iptables -L to see the current state of the firewall and the f2b-* chains fail2ban maintains:

The full list is long; only selected extracts are shown here for security reasons.

root@gemini:/etc/fail2ban# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination 
.... ... ... 
Chain FORWARD (policy DROP)
target prot opt source destination 
ufw-before-logging-forward all -- anywhere anywhere 
... .... ...
Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
ufw-before-logging-output all -- anywhere anywhere 
... ... ...

Chain f2b-sshd (1 references)
target prot opt source destination 
REJECT all -- 68.183.84.221 anywhere reject-with icmp-port-unreachable
REJECT all -- 139.59.39.185 anywhere reject-with icmp-port-unreachable
REJECT all -- 193.122.111.58 anywhere reject-with icmp-port-unreachable
REJECT all -- produccion.nitrowin.com-1508949338069-2gb-nyc1-01 anywhere reject-with icmp-port-unreachable
REJECT all -- 139.155.255.231 anywhere reject-with icmp-port-unreachable
REJECT all -- 49.232.221.113 anywhere reject-with icmp-port-unreachable
REJECT all -- 129.204.202.109 anywhere reject-with icmp-port-unreachable
REJECT all -- 187.114.200.35.bc.googleusercontent.com anywhere reject-with icmp-port-unreachable
REJECT all -- no-data anywhere reject-with icmp-port-unreachable
REJECT all -- 102.36.164.141 anywhere reject-with icmp-port-unreachable
REJECT all -- 120.48.29.61 anywhere reject-with icmp-port-unreachable
REJECT all -- 161.35.235.27 anywhere reject-with icmp-port-unreachable
REJECT all -- 139.59.26.6 anywhere reject-with icmp-port-unreachable
REJECT all -- 129.28.169.194 anywhere reject-with icmp-port-unreachable
REJECT all -- 40.87.131.147 anywhere reject-with icmp-port-unreachable
REJECT all -- 213.230.107.202 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere


... other tables not displayed here for security reasons
... ... ...