Mukund-pondkule-6a11@uni-paderborn.de at 17:57, 9 December 2020

2020-12-09T17:57:36Z

Robert-schade-e757@uni-paderborn.de at 15:40, 2 November 2020

2020-11-02T15:40:58Z

Robert-schade-e757@uni-paderborn.de at 15:39, 2 November 2020

2020-11-02T15:39:56Z

Robert-schade-e757@uni-paderborn.de at 14:16, 2 November 2020

2020-11-02T14:16:46Z

Robert-schade-e757@uni-paderborn.de: Author Martin Errenst

2020-10-30T18:20:25Z

Author Martin Errenst

New page

[[Category:HPC-Admin]]
[[Category:HPC.NRW-Best-Practices]]

== Fail2ban: Stop Brute-Force Attacks on Exposed Services ==

Fail2ban monitors log files of various services to block individual IPs after too many failed login attempts.

It is transparent to the user, as long as the correct credentials are used to log in. With wrong credentials and multiple login attempts, the users IP will be blocked for a certain time. This time period may increase every time when this IP is blocked.

An administrator has to configure Fail2ban for every exposed service. After initial configuration, the service works autonomously. The Fail2ban service can be used to (un-)ban IPs manually.

How Fail2ban works:

* Parse log files for password/login failure reports
* Define ''Jails'':
** A Jail consists of ''Filters'' and ''Actions''
** Can be created for every network-facing process
** Check <code>man jail.conf</code> for more details
* ''Filters'':
** Python regex in <code>/etc/fail2ban/filter.d</code>
** Defines how to detect authentication failures
* ''Action'':
** Usually (un-)banning via <code>/etc/hosts.deny</code>, firewallcmd, iptables, pfsense etc.
** Can execute arbitrary code (everything python scriptable)
** Stored in <code>/etc/fail2ban/action.d</code>
* Defaults for apache, sshd, lighttpd, vsftpd, qmail, postfix, courier, …
* General config in <code>/etc/fail2ban/fail2ban.conf</code>
** Contains typical ban times
** Fail2ban logging level & target
** Check <code>man fail2ban</code> for more details
* Recommendations:
** keep <code>*.conf</code> files unchanged and add custom modifications in <code>*.local</code> files (parsed after .conf files), e.g.:
*** <code>fail2ban.d/01_custom_log.conf</code>
*** <code>jail.d/01_enable.conf</code>
*** <code>jail.d/02_custom_port.conf</code>

== Challenges / Problems ==

Be aware of what Fail2ban doesn’t protect against:
* Distributed denial of service attacks
** IPs are only banned after multiple failed attempts per IP
* Cannot eliminate risk of weak authentication
** Unchanged default passwords and easy to guess phrases are still more likely to be breached
* Local users with write access to logs can block IPs
** '''Grant access accordingly'''

== Installation ==

Just go through your package manager. For example on CentOS7: <code>yum install fail2ban</code>

== Example ==

Let's activate the sshd jail that ships with Fail2ban:

<source lang="bash"># service fail2ban start
Starting fail2ban: [ OK ]
# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
# vim /etc/fail2ban/jail.conf</source>
Enable the sshd jail:

<pre>[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s</pre>
<code>sshd_log</code> (here <code>/var/log/auth.log</code>) and <code>sshd_backend</code> (here <code>auto</code>) are defined in <code>/etc/fail2ban/paths-common.conf</code>. The backend (pyinotify, gamin, polling, systemd or auto) specifies the way in which Fail2ban retrieves modification of log files.

After this change, we have to reload the Fail2ban service:

<source lang="bash"># fail2ban-client reload
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd</source>
There are a couple of things here that could look different for your distribution (log paths, service handling etc.), but the general approach is similar.

== Unban IPs ==

Looking up what IPs are currently blocked depends on your backend. With iptables you could run <code>iptables -L -n</code> and <code>fail2ban-client status</code> to match ban rules to a jail name.

Next, run

<pre>fail2ban-client set <JAILNAME> unbanip www.xxx.yyy.zzz</pre>
to unban the IP in said jail.

== Tips ==

=== Restrict connection only to local network ===

As always: only expose ports that are meant to be accessed through the network.

You even may want to differentiate between access from within your local network and outside of it (assuming IPs like <code>123.123.XXX.YYY</code> are local):

<pre># cat /etc/hosts.allow
sshd: 123.123.0.0/255.255.0.0
portmap: 123.123.123.0/255.255.254.0
rpcbind: 123.123.123.0/255.255.254.0
# cat /etc/hosts.deny
sshd: ALL
portmap: ALL
rpcbind: ALL</pre>
=== Block lists ===

You could use a block list, (e.g. [https://www.blocklist.de/de/index.html blocklist.de]) to block malicious IPs.

ISPs might give the same IP to multiple users at the same time, so using blocklists might lead to false positives.

== More Info ==

* [https://github.com/fail2ban/fail2ban github.com/fail2ban/fail2ban]
* [https://www.fail2ban.org/ fail2ban.org]

@@ Line 1: / Line 1: @@
-[[Category:HPC-Admin|Fail2ban]]
+[[Category:HPC-Admin|Fail2ban]]<nowiki />
-[[Category:HPC.NRW-Best-Practices|Fail2ban]]
+[[Category:HPC.NRW-Best-Practices|Fail2ban]]<nowiki />
-[[Category:Fail2ban]]
+[[Category:Fail2ban]]<nowiki />
-[[Category:ssh]]
+[[Category:ssh]]<nowiki />
+{{DISPLAYTITLE:Fail2ban (Admin Guide)}}<nowiki />
 == Fail2ban: Stop Brute-Force Attacks on Exposed Services ==

← Older revision		Revision as of 15:40, 2 November 2020
Line 2:		Line 2:
	[[Category:HPC.NRW-Best-Practices\|Fail2ban]]		[[Category:HPC.NRW-Best-Practices\|Fail2ban]]
	[[Category:Fail2ban]]		[[Category:Fail2ban]]
		+	[[Category:ssh]]

← Older revision		Revision as of 15:39, 2 November 2020
Line 1:		Line 1:
	[[Category:HPC-Admin\|Fail2ban]]		[[Category:HPC-Admin\|Fail2ban]]
	[[Category:HPC.NRW-Best-Practices\|Fail2ban]]		[[Category:HPC.NRW-Best-Practices\|Fail2ban]]
		+	[[Category:Fail2ban]]

← Older revision		Revision as of 14:16, 2 November 2020
Line 1:		Line 1:
−	[[Category:HPC-Admin]]	+	[[Category:HPC-Admin\|Fail2ban]]
−	[[Category:HPC.NRW-Best-Practices]]	+	[[Category:HPC.NRW-Best-Practices\|Fail2ban]]

Admin Guide Fail2ban - Revision history

Mukund-pondkule-6a11@uni-paderborn.de at 17:57, 9 December 2020

Robert-schade-e757@uni-paderborn.de at 15:40, 2 November 2020

Robert-schade-e757@uni-paderborn.de at 15:39, 2 November 2020

Robert-schade-e757@uni-paderborn.de at 14:16, 2 November 2020

Robert-schade-e757@uni-paderborn.de: Author Martin Errenst