fail2ban
fail2ban
I'm using fail2ban to block script kiddies. Here is one line what you will find in your auth.log
This description can help you how to install and configure fail2ban I will update this post with new infos.
Installation - Ubuntu / Debian
Installation FreeBSD
Configuration
Configuration Ubuntu / Devian
This configuration is for the sshd daemon. If a user fails to connect three times (maxretry = 3) within 24 hours (findtime = 24h) to login via ssh, he will get banned indefinitely (bantime = -1).
#
# SSH servers
#
[sshd]
enabled = true
filter = sshd
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
banaction = iptables-multiport
bantime = -1
maxretry = 3
findtime = 24h
Configuration FreeBSD
in /usr/local/etc/fail2ban/jail.d/bsd-sshd.conf
Slightly different configuration. Here I use a bantime of 24h (86400s)
[bsd-ssh-pf]
enabled = true
filter = bsd-sshd
port = ssh
logpath = /var/log/auth.log
findtime = 24h
maxretry = 3
bantime = 86400
Usage
List banned IPs
Via fail2ban-client
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 2
| |- Total failed: 5
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 89.208.197.76 92.222.88.254
via iptables
sudo iptables --list --line-numbers --numeric
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain f2b-sshd (1 references)
num target prot opt source destination
1 REJECT all -- 92.222.88.254 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 89.208.197.76 0.0.0.0/0 reject-with icmp-port-unreachable
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0
with 'pfctl' - FreeBSD
Ban and unban manually
Ban
Unban
Test the filter
I had some trouble with banning IPs. Therefore I've greped the IP and put it into a file. (The problem was not fail2ban but the firewall configuration ;-) )
Example with a positive test
And test it with
sudo fail2ban-regex /tmp/test.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /tmp/test.log
Use encoding : UTF-8
Results
=======
Failregex: 53 total
|- #) [# of hits] regular expression
| 8) [53] ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*(?: \[preauth\])?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [222] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 222 lines, 0 ignored, 53 matched, 169 missed
[processed in 1.53 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 169 lines
The Failregex: 53 total is the relevant line.
Example with a negative test
Here is an example with an IP that wasn't recognized by the filter
sudo fail2ban-regex /tmp/test1.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /tmp/test1.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 3 lines, 0 ignored, 0 matched, 3 missed
[processed in 0.12 sec]
|- Missed line(s):
| Apr 22 16:01:02 raspberrypi sshd[14285]: Received disconnect from 222.186.30.218 port 63194:11: [preauth]
| Apr 22 16:01:02 raspberrypi sshd[14285]: Disconnected from 222.186.30.218 port 63194 [preauth]