Securing and Monitoring SSH with Fail2ban (Intrusion Prevention) System on Linux

Introduction

SSH, also known as Secure Socket Shell and is UNIX-based command-line interface (CLI) and protocol for securely accessing remote machine/device over unsecured network as it uses encrypted pathway. It use default port 22 to connect to the remote machine/device. Learn more.

Even SSH being secure for remote access over unsecured network, it is still exposed to external attacks. Brute-force break-in attempts are quite frequent against an SSH server and other password protected internet-services like ftp, pop, http and so on.  Fail2ban attempts to alleviate these issues by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manner.

Fail2ban provides following main features:

  • Client/Server architecture.
  • Multi-threaded.
  • Highly configurable.
  • Gamin/Pyinotify support.
  • Parses log files and looks for given patterns.
  • Executes commands when a pattern has been detected for the same IP address for more than X times. X can be changed.
  • After a given amount of time, executes another command in order to unban the IP address.
  • Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
  • Handles log files rotation.
  • Can handle multiple service (sshd, apache, vsftpd, etc).
  • Resolves DNS hostname to IP address (use with caution, disable by usedns = no).

(Source: http://www.fail2ban.org/wiki/index.php/Features)

Requirements

We will use Fail2ban with iptables to secure the ssh. You can use other firewall sofware like shorewall, tcp-wrappers. We will also require one working mail command to send alert (in my case mailx).

Installation

Let's begin with installation. I have used Fail2ban with CentOS 7, those who are not familar with CentOS you can refer following link for other linux distribution:

http://www.tecmint.com/install-fail2ban-on-rhel-centos-fedora/

Fail2ban is not available under linux systems repository, it is packaged for the EPEL (Extra Packages for Enterprise Linux) project. Before installing Fail2ban you will need to install EPEL release package.

yum install epel-release -y

Note: without installing EPEL you cannot install Fail2ban package!!!

I am assuming that "iptables" is up and running. If you haven't  done yet, please follow this link (iptables installation) for iptable installation before you being with file2ban installation.

After installing, "EPEL", start installing Fail2ban.

yum install fail2ban -y

Once the installation has finished, enable fail2ban service.

systemctl enable fail2ban

Start the file2ban service.

systemctl start fail2ban

Configuration

All the configuration files will be located in /etc/fail2ban. The structure of files looks similar to following:

/etc/fail2ban/
├── action.d
│   ├── dummy.conf
│   ├── hostsdeny.conf
│   ├── iptables.conf
│   ├── mail-whois.conf
│   ├── mail.conf
│   └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d
│   ├── apache-auth.conf
│   ├── apache-noscript.conf
│   ├── couriersmtp.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── qmail.conf
│   ├── sasl.conf
│   ├── sshd.conf
│   └── vsftpd.conf
├── jail.conf
└── jail.local

Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. The .local file doesn't exists by default, you will have to create a file and those settings that you wish to override should be stored in .local file. All modification of setings should be done in .local not in .conf file. This avoids merging problem when upgrading.

Detailed information about installation files can be found here.

General Settings

The file fail2ban.conf contains general settings for the fail2ban-server daemon, such as the logging level and target. You can also specify here the socket path used for communication between the client and the server.

jail.conf/jail.local

The most important file is probably jail.conf, which contains the declaration of your jails. By default, some sections are inserted as templates. You must enable the sections of interest and adapt to your local configuration. Here is an example of my jail.local

[DEFAULT]

ignoreip = 127.0.0.1/8 10.20.98.149
# Ban hosts for 10 minutes:
bantime = 600
findtime = 600
maxretry = 3
destemail = me@gmail.com
sendername = fail2ban Alerts
mta = sendmail

#By default sendmail is disabled by fail2ban. Enabled with parameter (action_mwl)s.
action = %(action_mwl)s

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
logpath = /var/log/secure
logtarget = /var/log/fail2ban.log

Let's check what some of the parameter actually means:

  • gnoreip: This parameter identifies IP address that should be ignored by the banning system. By default, this is just set to ignore traffic coming from the machine itself, which is a pretty good setting to have.
  • bantime: This parameter sets the length of a ban, in seconds. The default is 600 seconds, or 10 minutes.
  • findtime: This parameter sets the window that fail2ban will pay attention to when looking for repeated failed authentication attempts. The default is set to 600 seconds (10 minutes again), which means that the software will count the number of failed attempts in the last 10 minutes.
  • maxretry: This sets the number of failed attempts that will be tolerated within the findtime window before a ban is instituted.
  • destemail: This is the address that will be sent notification mail if configured your action to mail alerts.
  • sendername: This will be used in the email from field for generated notification emails
  • banaction: This sets the action that will be used when the threshold is reached. There is actually the name of a file located in /etc/fail2ban/action.d/ called iptables-multiport.conf. This handles the actual iptables manipulation to ban an IP address. We will look at this later.
  • mta: This is the mail transfer agent that will be used to send notification emails.
  • enabled: simply means that the ssh sever is enabled for monitoring by fail2ban.
  • action:
  • logpath: refers to the log location that fail2ban tracks.
  • logtarget:
(Visited 88 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *