Introduction
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Linux server. When an attempted compromise matching the defined parameters is found, Fail2ban adds a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you by email that an attack is occurring.
Installation
In this walkthrough I used Ubuntu as the host.
#sudo apt-get update
#sudo apt-get install fail2ban
Configuring Fail2ban
The fail2ban service keeps its configuration files in the /etc/fail2ban directory. The defaults live in jail.conf. Do not modify that file directly (a package upgrade can overwrite it); instead create jail.local next to it and put only the settings you wish to override there. Every option you do not set in jail.local is taken from jail.conf. On Ubuntu the package also ships /etc/fail2ban/jail.d/defaults-debian.conf, which already enables the sshd jail; jail.local is read after it, so the values below still win.
To create jail.local as a copy of jail.conf with every line commented out, so you can uncomment just what you need:
#awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
Edit jail.local and enable the sshd jail with the settings below. (The [jail_to_enable] placeholder in the upstream documentation stands for the name of the jail's own section, which here is [sshd], so enabled = true goes under that header.) Keep comments on their own lines rather than after a value:
[sshd]
enabled = true
# addresses that are never banned, e.g. your own management host; 127.0.0.1/8 is the default
ignoreip = 127.0.0.1/8
port = ssh
# maxretry failed logins from one IP within findtime seconds (here 3 in 10 minutes)
# get that IP banned for bantime seconds (here also 10 minutes)
maxretry = 3
findtime = 600
bantime = 600
After saving, restart the service so the jail is loaded:
#sudo systemctl restart fail2ban
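To make the findtime/maxretry semantics concrete, here is an added example (it is not fail2ban's code and not part of the original post): a small awk emulation of what the sshd jail does with maxretry = 3 and findtime = 600, run over a constructed sample of /var/log/auth.log lines. It assumes syslog-style timestamps that all fall on the same day and emulates only the filter's "Failed password" match, not ignoreip or the actual iptables action.

```shell
#!/usr/bin/env bash
# Added example, not fail2ban's own code: emulate the sshd jail's counting of
# failed logins per source IP inside a sliding findtime window.

# Constructed sample of auth.log lines (sshd syslog format, year omitted).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 13 09:00:00 host sshd[1100]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 13 09:30:00 host sshd[1105]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 13 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar 13 10:02:30 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar 13 10:04:15 host sshd[1207]: Failed password for root from 203.0.113.5 port 51444 ssh2
Mar 13 10:20:00 host sshd[1300]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Mar 13 10:21:00 host sshd[1301]: Accepted password for bob from 198.51.100.7 port 40011 ssh2
EOF

# would_ban LOGFILE MAXRETRY FINDTIME
# Prints, one per line and in the order the ban would fire, each source IP that
# accumulates MAXRETRY failed logins within a FINDTIME-second window.
would_ban() {
  local log="$1" maxretry="$2" findtime="$3"
  awk -v maxretry="$maxretry" -v findtime="$findtime" '
    # the same kind of line the sshd filter matches; "Accepted password" is ignored
    /sshd\[[0-9]+\]: Failed password for (invalid user )?[^ ]+ from [0-9.]+ port/ {
      # $3 is the syslog time "HH:MM:SS"; convert to seconds since midnight
      split($3, t, ":")
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      # the source address is the field right after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      seen[ip, n[ip]] = ts
      # count this IP'"'"'s failures that lie inside the findtime window ending now
      cnt = 0
      for (j = 1; j <= n[ip]; j++) if (ts - seen[ip, j] <= findtime) cnt++
      if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }
  ' "$log"
}

echo "banned with maxretry=3 findtime=600:"
would_ban "$SAMPLE_LOG" 3 600     # 203.0.113.5 only: three failures in 4 minutes
echo "banned with maxretry=3 findtime=7200:"
would_ban "$SAMPLE_LOG" 3 7200    # both: bob's three failures now fit in one window
```

With the page's settings 198.51.100.7 is never banned even though it also fails three times, because its failures are spread over 80 minutes and no 600-second window ever holds three of them; widening findtime to two hours catches it. That is the trade-off the two numbers express: a short findtime tolerates a forgetful user, a long one catches slow brute-forcing.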
Apply iptables Rules
We tell the firewall to allow traffic generated by the server itself (loopback), established connections, and traffic destined for our SSH and web server ports, and to drop all other traffic. Set this basic firewall up by typing:
#sudo iptables -A INPUT -i lo -j ACCEPT
#sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
#sudo iptables -A INPUT -j DROP
Fail2ban inserts its own f2b-sshd chain at the top of INPUT (with iptables -I rather than -A), so its bans are evaluated before the ACCEPT for port 22 above.
To save the iptables rules just applied so they survive a reboot:
#sudo apt-get install -y iptables-persistent
#sudo dpkg-reconfigure iptables-persistent
Do this before starting fail2ban (or stop it first); otherwise its dynamic f2b-* chains and current ban rules are written into /etc/iptables/rules.v4 as well and will be restored at boot before fail2ban itself starts.
Test
From another machine:
ssh someuser@your_fail2ban_ip
Enter a wrong password maxretry times (three, with the settings above) within findtime. After the third failure the IP you are connecting from is banned for bantime seconds; further connection attempts, even with the correct password, are dropped until the ban expires. Do not test from the only host you administer the server from unless it is listed in ignoreip.
On the server you can confirm the ban and, if needed, lift it early:
#sudo fail2ban-client status sshd
#sudo fail2ban-client set sshd unbanip your_client_ip
Thank you! 🦆