
Thursday, January 19, 2012

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures

Sounds great. But it may take a bit of setting up and editing some config files...


Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

The problem

Brute-force break-in attempts are quite frequent against an SSH server and other password-protected internet services (such as ftp, pop, ...). Automated scripts try multiple combinations of username/password (brute-force, dictionary attack), and sometimes changing the port to something other than the default can't be done. Furthermore, scouring your log files yourself is not only time consuming, but can be difficult too.

Fail2ban attempts to alleviate these issues by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manner.

The solution

Log files contain interesting information, especially about failed logins. This information can be used to ban an offending host. This is exactly what Fail2ban does. It scans log files, detects patterns which correspond to possible break-in attempts and then performs actions. Most of the time, this consists of adding a new rule in a firewall chain and sending an e-mail notification to the system administrator.

Here is a list of the most important features available in Fail2ban:

  • client/server
  • multithreaded
  • Gamin support
  • autodetection of the date/time format
  • wildcard support in logpath option
  • support for a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc)
  • support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)

The code has been completely rewritten since 0.6.x. Fail2ban is entirely written in Python and thus should work on most of the *nix systems.
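As an added illustration of the scan-match-ban loop described above (this is not Fail2ban's own code, just a Python sketch of its jail semantics), the following replays constructed sshd log lines through a failregex-style pattern with maxretry, findtime and bantime settings; the hosts, timestamps and the year 2012 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (not from the post); syslog timestamps carry no year.
SAMPLE_LOG = """\
Jan 19 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Jan 19 10:00:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 4023 ssh2
Jan 19 10:00:04 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Jan 19 10:00:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 4024 ssh2
Jan 19 10:20:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 6000 ssh2
Jan 19 10:20:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 6001 ssh2
Jan 19 10:40:00 host sshd[1302]: Failed password for root from 198.51.100.9 port 6002 ssh2
"""

# Same idea as a fail2ban failregex: the <HOST> placeholder becomes a named capture group.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

def parse_ts(line, year=2012):
    """Syslog timestamps omit the year, so the caller supplies it (assumed 2012 here)."""
    stamp = " ".join(TIMESTAMP.match(line).group(1).split())
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def scan(lines, maxretry=3, findtime_min=10, bantime_min=30):
    """Replay lines in order and return {host: [ban timestamps]}, using the jail
    semantics: maxretry matches inside a sliding findtime window trigger a ban,
    and matches from a host whose ban has not yet expired are ignored."""
    findtime, bantime = timedelta(minutes=findtime_min), timedelta(minutes=bantime_min)
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned_until = {}             # host -> when the current ban expires
    bans = defaultdict(list)
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue              # not a failure line (e.g. a successful login)
        host, ts = m.group("host"), parse_ts(line)
        if ts < banned_until.get(host, ts):
            continue              # already banned: the firewall rule would drop this
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host].append(ts)
            banned_until[host] = ts + bantime
            window.clear()
    return dict(bans)
```

With the defaults, 203.0.113.5 is banned at its third failure while 198.51.100.9 is not, because its three failures are spread over 20 minutes and fall outside a 10-minute findtime.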

Skipping to...


Installing Fail2ban on a Fedora 9+ based system is usually straightforward. Execute the following command as the root user:

yum install fail2ban 

There is a bug with the current (0.8.4-27) Fedora and RedHat distros [1] which will prevent jails from starting unless SELinux is disabled. Symptoms are that a server with no configuration changes will fail to start and the fail2ban log file (search for 'logtarget' in fail2ban.conf) will have an error message like:

fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
fail2ban.comm   : WARNING Invalid command: ['add', 'ssh-iptables', 'auto']

when starting the SSH jail. If this happens to you, edit jail.conf and change the line that says

backend = auto

to

backend = gamin

This requires gamin to be installed. If it isn't, install it via:

yum install gamin 

Alternatively you can disable SELinux, but that is not recommended.

Read More on Other OS's (this is from the Manual)...

  • HOWTOs - Fail2ban
  • FAQ english - Fail2ban
  • Fail2Ban - Fail2ban
