Fail2ban

Fail2Ban is an intrusion prevention framework that protects servers from brute-force attacks. It watches log files for patterns of repeated failed login attempts and bans the source IP addresses for a configurable time. The default ban action inserts iptables rules, but action.d ships alternatives for nftables, firewalld, ufw and other firewalls. The administrator sets how many failures trigger a ban (maxretry), the window those failures must fall in (findtime), how long the ban lasts (bantime), which log files to watch, and optionally an e-mail notification per ban. Keep in mind what it does and does not do: it slows down attackers who already reach a listening service and leave log lines behind, so it complements, rather than replaces, key-only SSH authentication and a restrictive firewall.

Let’s install it:

sudo apt install fail2ban

Enable and start the service; from here on it turns logged authentication failures into firewall bans:

sudo systemctl enable --now fail2ban

Now we have to tell it which services to monitor. The configuration lives in /etc/fail2ban:

touk@ubuntu-server:~$ cd /etc/fail2ban/
touk@ubuntu-server:/etc/fail2ban$ ls
action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  paths-arch.conf  paths-common.conf  paths-debian.conf  paths-opensuse.conf

jail.conf holds the jail definitions: for every supported service it names the filter, the log path and the default thresholds (maxretry, findtime, bantime). A jail only protects anything when it has enabled = true; on Debian and Ubuntu only sshd is enabled out of the box, through jail.d/defaults-debian.conf.

It is recommended to put your own settings in jail.local rather than editing jail.conf: a package update can overwrite jail.conf, while jail.local is read afterwards and overrides it key by key.

Inside /etc/fail2ban/filter.d you will find one .conf file per service fail2ban knows about. Each filter is a set of regular expressions (failregex) that pick the failed-login lines out of that service's log and extract the attacker's host from them:

touk@ubuntu-server:/etc/fail2ban/filter.d$ ls
3proxy.conf                centreon.conf        froxlor-auth.conf       named-refused.conf      qmail.conf            sshd.conf
apache-auth.conf           common.conf          gitlab.conf             nginx-botsearch.conf    recidive.conf         stunnel.conf
apache-badbots.conf        counter-strike.conf  grafana.conf            nginx-http-auth.conf    roundcube-auth.conf   suhosin.conf
apache-botsearch.conf      courier-auth.conf    groupoffice.conf        nginx-limit-req.conf    scanlogd.conf         tine20.conf
apache-common.conf         courier-smtp.conf    gssftpd.conf            nsd.conf                screensharingd.conf   traefik-auth.conf
apache-fakegooglebot.conf  cyrus-imap.conf      guacamole.conf          openhab.conf            selinux-common.conf   uwimap-auth.conf
apache-modsecurity.conf    directadmin.conf     haproxy-http-auth.conf  openwebmail.conf        selinux-ssh.conf      vsftpd.conf
apache-nohome.conf         domino-smtp.conf     horde.conf              oracleims.conf          sendmail-auth.conf    webmin-auth.conf
apache-noscript.conf       dovecot.conf         ignorecommands          pam-generic.conf        sendmail-reject.conf  wuftpd.conf
apache-overflows.conf      dropbear.conf        kerio.conf              perdition.conf          sieve.conf            xinetd-fail.conf
apache-pass.conf           drupal-auth.conf     lighttpd-auth.conf      phpmyadmin-syslog.conf  slapd.conf            znc-adminlog.conf
apache-shellshock.conf     ejabberd-auth.conf   mongodb-auth.conf       php-url-fopen.conf      softethervpn.conf     zoneminder.conf
assp.conf                  exim-common.conf     monit.conf              portsentry.conf         sogo-auth.conf
asterisk.conf              exim.conf            murmur.conf             postfix.conf            solid-pop3d.conf
bitwarden.conf             exim-spam.conf       mysqld-auth.conf        proftpd.conf            squid.conf
botsearch-common.conf      freeswitch.conf      nagios.conf             pure-ftpd.conf          squirrelmail.conf

Let's say I want to protect SSH. I would create the jail.local file and add the config below (the sshd jail keeps jail.conf's defaults of maxretry = 5 and findtime = 10m unless they are overridden; setting ignoreip in [DEFAULT] to your own management address keeps a mistyped password from locking you out):

sudo vim jail.local

[DEFAULT]
bantime = 1h
banaction = ufw

[sshd]
enabled = true

sudo systemctl restart fail2ban

If a brute-force attack happens, I will see ufw rules denying the offending IP addresses when I issue sudo ufw status (the ufw action only works if ufw itself is installed and enabled).

Nobody is banned yet, so instead check fail2ban's own view of things:

sudo fail2ban-client status

Status
|- Number of jail:      1
`- Jail list:   sshd

To see the status of a particular jail:

sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

You can test the setup by brute-forcing your own server with Hydra and then re-running the status command; John the Ripper cracks password hashes offline and will not generate the SSH login failures fail2ban looks for.
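Before generating real traffic, it helps to see the ban decision itself. The script below is an added example, not part of the original page or of fail2ban: it replays constructed auth.log lines through the rule fail2ban applies (ban an address once it reaches maxretry failures inside findtime, unless it is listed in ignoreip) so you can see how the knobs interact without installing anything. The log lines, hostnames and addresses are made up; sample_auth_log and would_ban are names chosen here, not fail2ban commands; the pattern is a simplification of the real sshd filter, and ignoreip here accepts plain addresses only, whereas fail2ban also takes CIDR ranges and DNS names.

```shell
#!/usr/bin/env bash
# Added example: dry run of the sshd jail decision over constructed log lines.
# It mirrors the jail.local knobs maxretry, findtime and ignoreip; it does not
# read /var/log/auth.log or use the real filter in /etc/fail2ban/filter.d.

# Constructed sample of sshd lines as they appear in /var/log/auth.log.
# Three sources: a fast attacker, the admin workstation with a wrong
# password, and a slow attacker spacing attempts five minutes apart.
sample_auth_log() {
  cat <<'EOF'
Mar 10 12:00:01 ubuntu-server sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Mar 10 12:00:03 ubuntu-server sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Mar 10 12:00:05 ubuntu-server sshd[2103]: Failed password for root from 203.0.113.10 port 51002 ssh2
Mar 10 12:00:07 ubuntu-server sshd[2104]: Failed password for root from 203.0.113.10 port 51003 ssh2
Mar 10 12:00:09 ubuntu-server sshd[2105]: Failed password for root from 203.0.113.10 port 51004 ssh2
Mar 10 12:00:10 ubuntu-server sshd[2106]: Accepted publickey for touk from 192.0.2.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 12:00:11 ubuntu-server sshd[2107]: Failed password for touk from 192.0.2.7 port 40001 ssh2
Mar 10 12:00:12 ubuntu-server sshd[2108]: Failed password for touk from 192.0.2.7 port 40002 ssh2
Mar 10 12:00:13 ubuntu-server sshd[2109]: Failed password for touk from 192.0.2.7 port 40003 ssh2
Mar 10 12:00:14 ubuntu-server sshd[2110]: Failed password for touk from 192.0.2.7 port 40004 ssh2
Mar 10 12:00:15 ubuntu-server sshd[2111]: Failed password for touk from 192.0.2.7 port 40005 ssh2
Mar 10 12:00:20 ubuntu-server sshd[2112]: Failed password for root from 198.51.100.5 port 60000 ssh2
Mar 10 12:05:20 ubuntu-server sshd[2113]: Failed password for root from 198.51.100.5 port 60001 ssh2
Mar 10 12:10:20 ubuntu-server sshd[2114]: Failed password for root from 198.51.100.5 port 60002 ssh2
Mar 10 12:15:20 ubuntu-server sshd[2115]: Failed password for root from 198.51.100.5 port 60003 ssh2
Mar 10 12:20:20 ubuntu-server sshd[2116]: Failed password for root from 198.51.100.5 port 60004 ssh2
EOF
}

# would_ban MAXRETRY FINDTIME_SECONDS [IGNOREIP ...]
# Reads log lines on stdin and prints, in order of banning, each address that
# reaches MAXRETRY failures inside a sliding window of FINDTIME seconds.
# Addresses given as IGNOREIP are never counted (exact match only here).
would_ban() {
  local maxretry="$1" findtime="$2"
  shift 2
  local ignore="$*"
  awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore="$ignore" '
    BEGIN {
      n = split(ignore, list, " ")
      for (i = 1; i <= n; i++) if (list[i] != "") skip[list[i]] = 1
    }
    # Simplified stand-in for the sshd failregex: a sshd "Failed password" line.
    /sshd\[[0-9]+\]: Failed password for/ {
      # Field 3 is HH:MM:SS; the sample stays within one day, so seconds
      # since midnight are enough for window arithmetic.
      split($3, t, ":")
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      # The source address is the word after "from".
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip in skip) next            # ignoreip: never counted
      if (ip in banned) next          # already banned in this run
      cnt[ip]++
      times[ip, cnt[ip]] = ts
      # Count failures no older than findtime relative to this one.
      recent = 0
      for (j = cnt[ip]; j >= 1 && ts - times[ip, j] <= findtime; j--) recent++
      if (recent >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# jail.conf defaults for sshd: maxretry = 5, findtime = 10m.
echo "maxretry=5 findtime=10m, no ignoreip:"
sample_auth_log | would_ban 5 600
echo "same, with the admin workstation in ignoreip:"
sample_auth_log | would_ban 5 600 192.0.2.7
echo "findtime stretched to 20m also catches the slow attacker:"
sample_auth_log | would_ban 5 1200
```

The slow attacker at 198.51.100.5 spreads five failures over twenty minutes and never has five inside the default 10m findtime, so it is not banned; raising findtime to 20m catches it, at the price of more bans for legitimate users with flaky credentials, which is why ignoreip for your own addresses matters. On the real box, sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows which lines the actual sshd filter matches, and sudo fail2ban-client set sshd unbanip ADDRESS (with ADDRESS replaced by the IP) releases an address banned by mistake.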
