How to Install Fail2ban to Protect Against Brute Force Login Attacks

Requirements

  • A newly created ECS instance installed with Ubuntu 16.04.
  • The static IP address 192.168.43.193 is set up for your instance.
  • A root password is set up for your instance.

Procedure

To install and configure Fail2Ban to protect against brute force login attacks, complete the following steps:

Launch an Alibaba Cloud ECS Instance

First, log on to your Alibaba Cloud ECS Console. Then, create a new ECS instance with Ubuntu 16.04 as the operating system and with at least 2 GB of RAM. Connect to your ECS instance and log on as the root user.

Update the package index before installing anything:

apt-get update -y

Install Apache and Fail2Ban

First, you will need to install the Apache web server and Fail2Ban on your server. You can install both by running the following command:

apt-get install apache2 fail2ban -y

Configure Fail2Ban

By default, all of the Fail2Ban configuration files are located inside the /etc/fail2ban/ directory. You can list them with the following command:

ls -l /etc/fail2ban
drwxr-xr-x 2 root root  4096 Nov  7 12:04 action.d
-rw-r--r-- 1 root root  2328 Aug  1  2015 fail2ban.conf
drwxr-xr-x 2 root root  4096 Aug  2  2015 fail2ban.d
drwxr-xr-x 3 root root  4096 Nov  7 12:04 filter.d
-rw-r--r-- 1 root root 18562 Aug  1  2015 jail.conf
drwxr-xr-x 2 root root  4096 Nov  7 12:04 jail.d
-rw-r--r-- 1 root root  1939 Aug  1  2015 paths-common.conf
-rw-r--r-- 1 root root   642 Aug  1  2015 paths-debian.conf

Do not edit jail.conf directly; create a jail.local file and define the jails you want to enable in it. The ignoreip entry whitelists the server's own address so it can never be banned:

nano /etc/fail2ban/jail.local
##Block the remote host that is trying to request suspicious URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block the remote host that is trying to search for scripts on the website to execute.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Block remote hosts that identify themselves as known malicious bots.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
##Stop DoS attacks from a remote host (many GET/POST requests in a short time).
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.43.193
action = iptables[name=HTTP, port=http, protocol=tcp]
##Block the failed login attempts on the SSH server.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 300
ignoreip = 192.168.43.193
The http-get-dos jail refers to a filter that is not shipped with Fail2Ban, so create it:

nano /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex matches every GET or POST entry in your logs, so all requests, legitimate or not, count as a match.
# Set maxretry and findtime carefully in the jail configuration to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
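To see how the jail.local settings and the http-get-dos failregex above work together, here is an added simulation (not code from the original post or from Fail2Ban itself): it applies the filter's failregex to constructed Apache access-log lines and bans a host once it reaches maxretry matches inside a sliding findtime window, honouring ignoreip. The `<HOST>` placeholder is replaced by a simplified IPv4-only pattern, which is an assumption; Fail2Ban's real expansion also accepts IPv6 addresses and hostnames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Stand-in for fail2ban's <HOST> placeholder (assumption: the real expansion also
# accepts IPv6 and hostnames; a dotted IPv4 quad is enough for this simulation).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from the http-get-dos.conf filter above, with <HOST> substituted.
FAILREGEX = re.compile(r"^" + HOST + r" -.*\"(GET|POST).*")
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

def matched_host(line):
    """Return the client IP when an access-log line matches failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def run_jail(lines, maxretry, findtime, bantime, ignoreip=()):
    """Simulate one jail: ban a host once it has >= maxretry matching lines inside a
    sliding window of findtime seconds. Returns {host: (ban_at, unban_at)}."""
    window, bans = defaultdict(deque), {}
    for line in lines:
        host = matched_host(line)
        if host is None or host in ignoreip or host in bans:
            continue  # no match, whitelisted by ignoreip, or already banned
        ts = datetime.strptime(line.split("[", 1)[1].split("]", 1)[0], APACHE_TS)
        hits = window[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:  # forget hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

def access_line(ip, offset, path="/", method="GET"):
    """Build one constructed Apache combined-log line, offset seconds after a base time."""
    ts = datetime(2018, 11, 7, 13, 31, 11, tzinfo=timezone.utc) + timedelta(seconds=offset)
    return '%s - - [%s] "%s %s HTTP/1.1" 200 123 "-" "curl/7.47.0"' % (
        ip, ts.strftime(APACHE_TS), method, path)

def demo():
    """Replay constructed traffic through the http-get-dos settings from jail.local."""
    log = ([access_line("192.168.43.10", i * 60) for i in range(5)]            # normal visitor
           + [access_line("192.168.43.193", i) for i in range(500)]             # the server itself
           + [access_line("192.168.43.4", i // 10, "/admin.php") for i in range(450)])  # flood
    return run_jail(log, maxretry=400, findtime=400, bantime=200,
                    ignoreip=("192.168.43.193",))

if __name__ == "__main__":
    for host, (ban_at, unban_at) in demo().items():
        print("Ban %s at %s, unban at %s" % (host, ban_at, unban_at))
```

Only the flooding client is banned: the normal visitor never reaches 400 requests within 400 seconds, and the server's own address is skipped because of ignoreip.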
Restart Fail2Ban to apply the new configuration, then check that all jails are running:

systemctl restart fail2ban
fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, ssh, sshd
Fail2Ban also creates one iptables chain per jail, which you can list with:

iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-HTTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Test Fail2Ban

Fail2Ban is now installed and configured. It's time to test whether it is working. Go to the client machine and simulate a DoS attack against the Fail2Ban server with the following command:

nikto -h 192.168.43.193 -C all
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.43.193
+ Target Hostname: 192.168.43.193
+ Target Port: 80
+ Start Time: 2018-11-08 10:51:54
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ ETag header found on server, fields: 0x2cf6 0x53f96e8a38fad
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
On the Fail2Ban server, watch the Fail2Ban log; every matching request from the client is reported by the http-get-dos filter:

tail -f /var/log/fail2ban.log
2018-11-07 13:31:11,757 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,757 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,758 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,761 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,763 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,764 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,765 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,766 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4
2018-11-07 13:31:11,767 fail2ban.filter         [3608]: INFO    [http-get-dos] Found 192.168.43.4

Once the client exceeds maxretry within findtime, the jail bans it. Confirm this with:

fail2ban-client status http-get-dos
Status for the jail: http-get-dos
|- Filter
| |- Currently failed: 2
| |- Total failed: 650
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
Next, test the ssh jail from the client machine by logging on with a wrong password several times. After the fourth failure the connection is refused:

ssh root@192.168.43.193
root@192.168.43.193's password: 
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
Permission denied, please try again.
root@192.168.43.193's password:
ssh: connect to host 192.168.43.193 port 22: Connection refused
The Fail2Ban log on the server shows the failed attempts being found and the ban being applied:

tail -f /var/log/fail2ban.log
2018-11-07 13:43:54,928 fail2ban.filter         [4225]: INFO    [ssh] Found 192.168.43.4
2018-11-07 13:43:55,657 fail2ban.filter         [4225]: INFO    [sshd] Found 192.168.43.4
2018-11-07 13:43:55,684 fail2ban.filter         [4225]: INFO    [ssh] Found 192.168.43.4
2018-11-07 13:43:55,944 fail2ban.actions        [4225]: NOTICE  [ssh] Ban 192.168.43.4

Check the ssh jail status:

fail2ban-client status ssh
Status for the jail: ssh
|- Filter
| |- Currently failed: 0
| |- Total failed: 4
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.43.4
The bans are implemented as REJECT rules in the per-jail iptables chains:

iptables -S
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-HTTP -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN
-A f2b-apache -j RETURN
-A f2b-apache-badbots -j RETURN
-A f2b-apache-noscript -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-ssh -s 192.168.43.4/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN
To unban an IP address manually, run:

fail2ban-client set ssh unbanip 192.168.43.4

To ban an IP address manually, run:

fail2ban-client set ssh banip 192.168.43.4
