A Password Protection Service
Fail2ban
Fail2ban is a quick to deploy, easy to set up, and free to use intrusion prevention service that protects your systems from brute force and dictionary attacks.
Special Thanks: This article was made possible by support from Linux Professional Institute
Several security measures do not protect your systems from compromise, including security by obscurity (i.e., changing ports), intrusion detection (after the fact monitoring and reporting), and poor password policies (allowing non-complex passwords). The better method for protecting your systems is to implement intrusion prevention measures. Fail2ban is one such solution. It scans logs to check for attacks before they occur and blocks the offending host’s access prior to any compromises or break-ins.
Malicious attackers know that passwords are the weakest link in the security chain. They also know that with enough time they can break even the best passwords. Rather than allowing attackers to make attempt after attempt, Fail2ban stops them on their first round of attempts. Any password-protected service such as SSH, FTP, IMAP, POP3, Sendmail, and others are susceptible to brute force and dictionary attacks, because username/password combinations are inherently weak protections.
Fail2ban allows you to set up intrusion prevention monitoring on any service port that uses username/password combinations for authentication. And while Fail2ban runs as a daemon, it does not expose any new listening network ports to which an outside attacker can attach. To disable it, an attacker would have to compromise the system before Fail2ban bans the offending host, which is unlikely in the case of a dictionary or brute force attack on an exposed port.
Installing Fail2ban
Fail2ban is available as a package for most distributions, so try that installation method before searching for source code and compile options. For example, on Red Hat-based systems, use:
$ sudo yum –y install fail2ban
For Debian-based ones, use:
$ sudo apt install fail2ban
Using a package installer also guarantees that you’ll install the correct dependencies, which include Python and other Fail2ban packages, such as fail2ban-firewalld, fail2ban-sendmail, and fail2ban-server.
Once installed, you’ll want to start Fail2ban and set it up to automaticly start on boot, as follows:
$ sudo systemctl enable fail2ban $ sudo systemctl start fail2ban
The Fail2ban service is started and is set to start on system boot, but currently has no protective configuration. The first step is to copy the jail.conf file, which you shouldn’t edit, to jail.local, which you should edit:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open jail.local in your favorite editor and add IP addresses that should never be banned. You must do this in case your standard modes of entry get banned. It is essentially giving yourself a backdoor into the system.
Look for this entry
ignoreip = 127.0.0.1/8
and add any IP addresses after the localhost entry that should never be banned. Separate entries by a single space. I suggest that you enter a limited number of single IP addresses rather than entering an entire subnet. It kind of defeats the purpose of having this protection if you’re going to immunize every system from being banned. The point is that if a system is compromised and an attempt is made on the protected system, it will be banned. As shown in the following example, having fewer systems with immunity decreases the likelihood of a successful attack:
ignoreip = 127.0.0.1/8 192.168.1.55 192.168.1.89
Save the jail.local file.
You’ll want to protect any exposed service port on your system. For this article, I’m going to protect SSHD.
For each service to be protected, you have to create a corresponding local “jail” file that contains some basic information about the service you want to protect.
Create the entry with your favorite editor:
$ sudo vi /etc/fail2ban/jail.d/sshd.local
Enter the following information into the sshd.local file:
[sshd] enabled = true port = ssh action = iptables-multiport logpath = /var/log/secure maxretry = 5 bantime = 600
Be sure that your logpath is correct and that you set maxretry to a reasonable number and bantime to your own tolerance level. The bantime parameter is in seconds. Some system administrators ban for one week (604800). It becomes inefficient for an attacker to wait a week or more between attempts, and they will likely give up. You can ban for longer if you wish. A -1 entry is a permanent ban.
Save the file and restart Fail2ban:
$ sudo systemctl restart fail2ban
Note: Remember to always restart Fail2ban after making any configuration changes or the changes will not take effect.
If systems have attempted and failed login via any protected service, you’ll see them by displaying a list of iptables rules and the numeric values associated with those rules:
$ sudo iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-default (1 references)target prot opt source destination REJECT all -- 192.168.1.96 0.0.0.0/0 reject-with icmp-port-unreachable RETURN all -- 0.0.0.0/0 0.0.0.0/0
You can see that IP adress, 192.168.1.96, is banned. This system cannot use the host’s SSH service. Chances are that a user attempted to log in to the host and failed the configured number of times, which according to the above configuration settings is five times.
To unban an IP address, use the unban command:
$ sudo fail2ban-client set sshd unbanip 192.168.1.96
unban immediately removes the banned IP address from iptables, and the formerly banned system now has access to the protected system. Unbanning an IP address does not require you to restart any services.
You can check currently banned systems with the command:
$ sudo iptables –L –n Chain INPUT (policy ACCEPT) target prot opt source destination f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-default (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
If a system’s IP address has been banned, no user on the banned system may use the banned service. Additionally, in the case of SSH, all related services are also banned, such as SFTP, SCP, and any service that uses the SSH port (22). However, the banned system is only banned for that one particular service. For example, the banned system can still reach services on port 80 and on port 443. Each service on a system is independent and protected independently with its own set of rules.
For those of you who use it, Webmin has a Fail2ban module that lists dozens of services that you can protect, including Webmin itself.
Administrators will have to watch the iptables list output to ensure that legitimate attempts get unbanned in a timely manner and that malicious ones are permanently banned. External attempts are most likely malicious, and internal ones, while worth checking for legitimacy, are less likely to be hostile. If an internal system is banned by Fail2ban, you should check the security logs and question any individual who has failed to successfully log in to a protected system. Such internal auditing is an investigative check on bans originating from inside the network to verify if those attempts are harmless or malicious.
This brief introduction to Fail2ban allows you to quickly protect your systems from brute force attacks, dictionary attacks, and other methods of guessing passwords. Any service that requires authentication can be protected with Fail2ban, but that is its limitation. You can’t protect services that don’t require authentication. Fail2ban provides system administrators with a cost-free method for protecting servers and services. Even the most junior system administrator can set up and manage Fail2ban. Be aware, however, that like any security solution, it is only one defense and should not be used as the only protection against intruders.
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.