How to Install Fail2ban to Protect Against Brute Force Login Attacks

Requirements

Procedure

Launch an Alibaba Cloud ECS Instance

apt-get update -y

Install Apache and Fail2Ban

apt-get install apache2 fail2ban -y

Configure Fail2Ban

ls -l /etc/fail2ban
drwxr-xr-x 2 root root  4096 Nov  7 12:04 action.d
-rw-r--r-- 1 root root 2328 Aug 1 2015 fail2ban.conf
drwxr-xr-x 2 root root 4096 Aug 2 2015 fail2ban.d
drwxr-xr-x 3 root root 4096 Nov 7 12:04 filter.d
-rw-r--r-- 1 root root 18562 Aug 1 2015 jail.conf
drwxr-xr-x 2 root root 4096 Nov 7 12:04 jail.d
-rw-r--r-- 1 root root 1939 Aug 1 2015 paths-common.conf
-rw-r--r-- 1 root root 642 Aug 1 2015 paths-debian.conf
nano /etc/fail2ban/jail.local
##Block hosts that request overlong or malformed URLs (matched in the Apache error log).
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block hosts probing for scripts (for example .php or .cgi files) that do not exist on the site.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block known malicious bots; the apache-badbots filter matches the User-Agent in the Apache access log, so point it at access.log, not error.log.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*access.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Rate-limit HTTP floods: ban a host that sends more than maxretry requests within findtime seconds.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.43.193
action = iptables[name=HTTP, port=http, protocol=tcp]
##Block the failed login attempts on the SSH server.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
nano /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban configuration file 
[Definition]

# Option: failregex
# Note: this regex matches every GET and POST entry in the access log, valid and invalid alike,
# so set maxretry and findtime for this jail carefully (in jail.local) to avoid banning legitimate clients.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
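The jails above and the http-get-dos filter rely on three knobs working together: the filter's failregex (with fail2ban's `<HOST>` placeholder) decides which log lines count as failures, and findtime/maxretry/bantime decide when a host is banned and for how long. The following Python model, added here as an example and not code from the page or from fail2ban itself, replays constructed access.log and auth.log lines through a minimal jail to show why 650 requests in a few seconds trips the http-get-dos jail while the same traffic spread over a longer period does not, why the ssh jail bans on the fourth failed password, and that ignoreip and bantime behave as expected. The sshd failregex used here is a simplified stand-in for fail2ban's stock sshd filter, and the 600 s findtime for the ssh jail is fail2ban's default, since the jail above does not set one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> placeholder in every failregex to a group named
# "host" that accepts an IPv4/IPv6 address (optionally IPv4-mapped) or a hostname.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


class Jail:
    """Minimal model of one jail: a filter plus the findtime/maxretry/bantime counters."""

    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.regex = compile_failregex(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> timestamps of matches inside the window
        self.banned = {}                    # host -> time the ban expires

    def feed(self, line, now):
        """Process one log line seen at `now`; return the host if this line triggered a ban."""
        for host, expiry in list(self.banned.items()):  # lift bans that have reached bantime
            if now >= expiry:
                del self.banned[host]
        m = self.regex.search(line)
        if not m:
            return None
        host = m.group("host")
        if host in self.ignoreip or host in self.banned:
            return None
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:  # drop matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()
            return host
        return None


# Constructed sample log lines (not taken from the page); {ip} is the client address.
ACCESS_LINE = '{ip} - - [07/Nov/2018:13:31:11 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "curl/7.58.0"'
AUTH_LINE = "Nov  7 13:43:55 web sshd[4225]: Failed password for root from {ip} port 51234 ssh2"

HTTP_DOS_FAILREGEX = r'^<HOST> -.*"(GET|POST).*'  # the http-get-dos filter defined above
# Simplified stand-in for fail2ban's stock sshd filter (an assumption; the real regex is longer).
SSH_FAILREGEX = r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2$"
SERVER_IP = "192.168.43.193"  # the ignoreip value used in jail.local above


def http_flood_bans(requests, seconds, attacker="192.168.43.4"):
    """Spread `requests` GETs from `attacker` evenly over `seconds`; True if the jail bans it."""
    jail = Jail(HTTP_DOS_FAILREGEX, maxretry=400, findtime=400, bantime=200, ignoreip={SERVER_IP})
    t0 = datetime(2018, 11, 7, 13, 31, 11)
    for i in range(requests):
        now = t0 + timedelta(seconds=seconds * i / max(requests, 1))
        if jail.feed(ACCESS_LINE.format(ip=attacker), now):
            return True
    return False


def ssh_ban_after(attempts, attacker="192.168.43.4"):
    """Return the 1-based attempt number at which the ssh jail bans, or None if it never does."""
    # The ssh jail above sets no findtime, so fail2ban's default of 600 s applies (assumed here).
    jail = Jail(SSH_FAILREGEX, maxretry=4, findtime=600, bantime=300, ignoreip={SERVER_IP})
    t0 = datetime(2018, 11, 7, 13, 43, 54)
    for i in range(attempts):
        if jail.feed(AUTH_LINE.format(ip=attacker), t0 + timedelta(seconds=i)):
            return i + 1
    return None


def ban_lifts_after_bantime():
    """Show that a banned host is released once bantime elapses and its counter restarts."""
    jail = Jail(SSH_FAILREGEX, maxretry=2, findtime=600, bantime=300)
    t0 = datetime(2018, 11, 7, 13, 0, 0)
    line = AUTH_LINE.format(ip="10.0.0.9")
    jail.feed(line, t0)
    banned = jail.feed(line, t0 + timedelta(seconds=1)) == "10.0.0.9"
    released = jail.feed(line, t0 + timedelta(seconds=301)) is None and "10.0.0.9" not in jail.banned
    return banned and released


if __name__ == "__main__":
    print("650 GETs in 10 s -> banned:", http_flood_bans(650, 10))          # True
    print("399 GETs in 10 s -> banned:", http_flood_bans(399, 10))          # False, under maxretry
    print("800 GETs in 1600 s -> banned:", http_flood_bans(800, 1600))      # False, spread beyond findtime
    print("650 GETs from ignoreip -> banned:", http_flood_bans(650, 10, SERVER_IP))  # False
    print("ssh: banned on attempt", ssh_ban_after(5))                       # 4
    print("ban lifted after bantime:", ban_lifts_after_bantime())           # True
```

On a real server the same check is done with the tool fail2ban ships for this purpose: `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf` reports how many lines the failregex matched, which is the quickest way to see whether a too-broad pattern will hit legitimate traffic before you enable the jail.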
systemctl restart fail2ban
fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, ssh, sshd
iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-HTTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Test Fail2Ban

nikto -h 192.168.43.193 -C all
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.43.193
+ Target Hostname: 192.168.43.193
+ Target Port: 80
+ Start Time: 2018-11-08 10:51:54
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ ETag header found on server, fields: 0x2cf6 0x53f96e8a38fad
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
tail -f /var/log/fail2ban.log
2018-11-07 13:31:11,757 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,757 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,758 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,761 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,764 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,765 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,766 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,767 fail2ban.filter [3608]: INFO [http-get-dos] Found 192.168.43.4
fail2ban-client status http-get-dos
Status for the jail: http-get-dos
|- Filter
| |- Currently failed: 2
| |- Total failed: 650
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
ssh root@192.168.43.193
root@192.168.43.193's password: 
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
ssh: connect to host 192.168.43.193 port 22: Connection refused
tail -f /var/log/fail2ban.log
2018-11-07 13:43:54,928 fail2ban.filter [4225]: INFO [ssh] Found 192.168.43.4
2018-11-07 13:43:55,657 fail2ban.filter [4225]: INFO [sshd] Found 192.168.43.4
2018-11-07 13:43:55,684 fail2ban.filter [4225]: INFO [ssh] Found 192.168.43.4
2018-11-07 13:43:55,944 fail2ban.actions [4225]: NOTICE [ssh] Ban 192.168.43.4
fail2ban-client status ssh
Status for the jail: ssh
|- Filter
| |- Currently failed: 0
| |- Total failed: 4
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
iptables -S
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-HTTP -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN
-A f2b-apache -j RETURN
-A f2b-apache-badbots -j RETURN
-A f2b-apache-noscript -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-ssh -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN
fail2ban-client set ssh unbanip 192.168.43.4
fail2ban-client set ssh banip 192.168.43.4
