Protect your Server with Fail2Ban

Even if it’s just a tiny computer – as soon as he hangs on the Internet, it is at risk and may be subject to attacks.

To avoid that you would have look through every log file, out from which IP the attack ran out and then lock this IP by hand using iptables as beschriben in this post Reduce Spam in WordPress by blocking IP-Addresses with iptables

An often time consuming but definitely extremely annoying task. However, there is a program that exactly does that for you: Fail2Ban ( Fail2Ban Homepage, Fail2Ban on Wikipedia )

A really great tool which monitores log files that are created by the individual services anyway, using Regular Expressions (RegEx) for violations defined in rules and blocks the corresponding IP for a certain period by creating a new rule for IPTables.

As simple as it may sound, it’s awesome!

And the setup is quite simple, too.

To install the program just run

apt-get install fail2ban

To avoid the loss of your defined rules after an update, first copy the file jail.conf to jail.local with

cd /etc/fail2ban
cp jail.conf jail.local

Fail2ban now runs with the file jail.local.

The file jail.local is divided in three sections: the default values, the seup of actions and the monitoring rules – here they are called jails.

The default values and the actions normally can be left untouched.

For many services there are already predefined jails such as apache or ssh .. they only need to be enabled.

A jail looks something like this

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 3
bantime = 43200
findtime = 43200
  • First comes the name of the service/rule [apache]
  • „enabled“ is that what it means
  • „port“ defines the monitored ports
  • „filter“ defines the violations to be looked for. They are fefined as RegEx in the file /etc/fail2ban/filter.d/[filter-name].conf
  • „logpath“ defines the log-file to be monitored
  • „maxretry“ limits the retrys of an violation
  • „bantime“ defines the time, that an IP is blocked. It is set in seconds. If an IP should be blocked for ever, set this value to -1
  • „find time“ specifies the period in which an IP address has to break a rule, before it is blocked

Because the filters are defined in separate files, fail2ban is so flexible that it can be easily expanded with own rules – that is assuming you get along with regular expressions ..:-)

Unfortunately there are no predefined rules for NginX in that file, but thanks to Sergej Müller there are also rules for Nginx.

They are publischen on GitHub and can be downloaded here.

After unpacking the file just copy the entries in the jail.local file to your jail.local file and copy the files in the folder filter.d to your /etc/fail2ban/filter.d folder on your server.

Now take a look, that the configurations of your virtual servers defined for nginx are setup that way, that they produce the right log files.
The definitions for log-files should look something like this:

server {

    listen   80;
    server_name example.com;

    access_log   /var/log/nginx/access.example.com.log;
    error_log    /var/log/nginx/error.example.com.log;

    [ .... ]

Then start the service with

/etc/init.d/fail2ban restart

and if everything went right you should see something like that in your fail2ban log-file:

less /var/log/fail2ban.log

.
.
.
2015-02-08 23:22:18,440 fail2ban.jail   : INFO   Jail 'ssh' started
2015-02-08 23:22:18,484 fail2ban.jail   : INFO   Jail 'nginx-noscript' started
2015-02-08 23:22:18,556 fail2ban.jail   : INFO   Jail 'nginx-badrequests' started
2015-02-08 23:22:18,590 fail2ban.jail   : INFO   Jail 'nginx-badbots' started

Now fail2ban is working in the background and monitors your log-files for violations and from then on your little server is a little bit more protected.
And that even without needing much recourses.

4 Gedanken zu “Protect your Server with Fail2Ban

Schreibe einen Kommentar