Fail2Ban is a free and open source intrusion prevention tool written in Python that helps protect servers from brute-force and similar log-visible attacks. It works by continuously monitoring log files (for example those written by Apache or SSH) and running actions based on what it finds. Most commonly it is used to block IP addresses that make repeated failed login attempts against the system: the offending address is blocked with a firewall rule for a ban period defined by the administrator. Fail2Ban can also be configured to send an email notification when someone is attacking your server. In short, Fail2ban scans the log files of services such as SSH, FTP, SMTP and Apache and bans any IP address that produces too many password failures.
sudo -i
apt-get update
apt-get install fail2ban -y
systemctl status fail2ban
You should get output like this:-
root@aftab:~# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset:
Active: active (running) since Sat 2020-03-14 10:17:30 IST; 2min 42s ago
Docs: man:fail2ban(1)
Process: 792 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=
Main PID: 876 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─876 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/
Mar 14 10:17:24 aftab systemd[1]: Starting Fail2Ban Service...
Mar 14 10:17:29 aftab fail2ban-client[792]: 2020-03-14 10:17:29,685 fail2ban.ser
Mar 14 10:17:29 aftab fail2ban-client[792]: 2020-03-14 10:17:29,686 fail2ban.ser
Mar 14 10:17:30 aftab systemd[1]: Started Fail2Ban Service.
To stop fail2ban use the following command.
systemctl stop fail2ban
To start the fail2ban service use the following command.
systemctl start fail2ban
To start the fail2ban service automatically at boot use the following command.
systemctl enable fail2ban
To stop the fail2ban service from starting at boot use the following command.
systemctl disable fail2ban
Jail Configuration
Put your overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite.
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 22
filter = sshd
bantime = 120
ignoreip = 127.0.0.1/8 10.0.2.15
logpath = /var/log/auth.log
maxretry = 3
Here enabled turns the jail on; port and filter tell fail2ban which service and which regex set (/etc/fail2ban/filter.d/sshd.conf) to use; logpath is the file to watch; maxretry is the number of failures allowed before a ban; and bantime is how long the ban lasts, in seconds (120 here for a quick test; production values are usually much longer). The window in which failures are counted is findtime, which is not set here and so keeps its value of 600 seconds, as fail2ban.log reports when the jail starts. Addresses in ignoreip are never banned, so keep your management hosts there, but any client you use to test the ban must not be listed, otherwise the ban will never fire.
systemctl restart fail2ban
tail -f /var/log/fail2ban.log
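To make the interaction between maxretry, findtime, bantime and ignoreip concrete, here is an added example (not from the original tutorial and not Fail2ban's own code) that re-implements a jail's decision logic in Python and replays it over a few constructed auth.log lines. The failure regex is a simplified stand-in for /etc/fail2ban/filter.d/sshd.conf, findtime is assumed to be 600 seconds (the value fail2ban.log reports for this jail), and the log lines, including the address 192.0.2.44, are constructed for the example.

```python
"""Added example: a minimal model of a Fail2ban jail's decision logic.

Not part of the original tutorial and not Fail2ban's own code. It replays a few
constructed /var/log/auth.log lines through the tutorial's sshd jail settings
so the effect of maxretry, findtime, bantime and ignoreip is visible offline.
Assumptions: findtime = 600 s (the value fail2ban.log reports for this jail),
and FAIL_RE is a simplified stand-in for filter.d/sshd.conf.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified sshd failure pattern; the real filter has many more regexes.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (syslog timestamps carry no year; 2020 is assumed).
SAMPLE_AUTH_LOG = """\
Mar 14 12:44:20 aftab sshd[9001]: Failed password for aftab from 10.0.2.15 port 51012 ssh2
Mar 14 12:44:24 aftab sshd[9001]: Failed password for aftab from 10.0.2.15 port 51012 ssh2
Mar 14 12:44:36 aftab sshd[9003]: Failed password for invalid user admin from 10.0.2.15 port 51020 ssh2
Mar 14 12:44:40 aftab sshd[9005]: Accepted password for aftab from 10.0.2.7 port 40010 ssh2
Mar 14 12:50:00 aftab sshd[9010]: Failed password for root from 192.0.2.44 port 60000 ssh2
Mar 14 13:05:00 aftab sshd[9011]: Failed password for root from 192.0.2.44 port 60001 ssh2
Mar 14 13:06:00 aftab sshd[9012]: Failed password for root from 192.0.2.44 port 60002 ssh2
"""

EPOCH = datetime(1970, 1, 1)


def to_seconds(ts, year=2020):
    """Syslog 'Mar 14 12:44:20' -> seconds since epoch (timezone-independent)."""
    return (datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S") - EPOCH).total_seconds()


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=120, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        # strict=False accepts "127.0.0.1/8" exactly as jail.local spells it
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
        self.bans = {}                      # ip -> time the ban expires
        self.events = []                    # (action, ip), mirroring fail2ban.log

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the action taken, or None if it did not match."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, now = m["ip"], to_seconds(m["ts"])
        if self.ignored(ip):
            self.events.append(("Ignore", ip))
            return "ignore"
        window = self.failures[ip]
        while window and now - window[0] > self.findtime:  # sliding findtime window
            window.popleft()
        window.append(now)
        self.events.append(("Found", ip))
        if len(window) >= self.maxretry and ip not in self.bans:
            self.bans[ip] = now + self.bantime
            self.events.append(("Ban", ip))
            return "ban"
        return "found"

    def is_banned(self, ip, now):
        """True while the ban is in force; expires (unbans) once bantime has elapsed."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            self.events.append(("Unban", ip))
            return False
        return True


def simulate(ignoreip):
    """Replay the constructed log through a jail with the tutorial's settings."""
    jail = Jail(maxretry=3, findtime=600, bantime=120, ignoreip=ignoreip)
    for line in SAMPLE_AUTH_LOG.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    # The tutorial's ignoreip lists the test client 10.0.2.15 itself: it is never banned.
    j = simulate(["127.0.0.1/8", "10.0.2.15"])
    print("client in ignoreip ->", sorted(j.bans))   # []
    j = simulate(["127.0.0.1/8"])
    print("client not ignored ->", sorted(j.bans))   # ['10.0.2.15']
    ban_time = j.bans["10.0.2.15"] - j.bantime
    print("banned 60 s later  ->", j.is_banned("10.0.2.15", ban_time + 60))    # True
    print("banned after 120 s ->", j.is_banned("10.0.2.15", ban_time + 120))   # False
```

Running it shows three things the tutorial's own log does not: with the jail.local ignoreip line as written, which lists the test client 10.0.2.15, the client is never banned; with that entry removed it is banned on the third failure and the ban lapses after bantime; and 192.0.2.44 is not banned despite three failures, because they are spread over more than findtime.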
Testing Fail2ban policy
You need to attempt SSH logins with a wrong username or password. In my case my SSH server IP is 10.0.2.16 and my SSH client IP is 10.0.2.15. For testing I use wrong credentials as follows.
aftab@aftab:~$ ssh aftab@10.0.2.15
aftab@10.0.2.15's password:
Permission denied, please try again.
aftab@10.0.2.15's password:
As you can see, I tried wrong credentials three times. Now let's check the fail2ban log for the ban status with the following command.
tail -f /var/log/fail2ban.log
aftab@aftab:~$ sudo tail -f /var/log/fail2ban.log
2020-03-14 12:44:25,454 fail2ban.filter [8991]: INFO Set jail log file encoding to UTF-8
2020-03-14 12:44:25,458 fail2ban.filter [8991]: INFO Added logfile = /var/log/auth.log
2020-03-14 12:44:25,463 fail2ban.filter [8991]: INFO Set findtime = 600
2020-03-14 12:44:25,463 fail2ban.filter [8991]: INFO Set maxlines = 10
2020-03-14 12:44:25,501 fail2ban.server [8991]: INFO Jail sshd is not a JournalFilter instance
2020-03-14 12:44:25,505 fail2ban.jail [8991]: INFO Jail 'sshd' started
2020-03-14 12:44:25,674 fail2ban.filter [8991]: INFO [sshd] Found 10.0.2.15
2020-03-14 12:44:25,674 fail2ban.filter [8991]: INFO [sshd] Found 10.0.2.15
2020-03-14 12:44:36,809 fail2ban.filter [8991]: INFO [sshd] Found 10.0.2.15
2020-03-14 12:44:37,529 fail2ban.actions [8991]: NOTICE [sshd] Ban 10.0.2.15
Now my IP is banned and I can no longer connect to the SSH port:
aftab@aftab:~$ ssh aftab@10.0.2.15
ssh: connect to host 10.0.2.15 port 22: Connection refused
The status of each jail, and the IP addresses banned under it, can be checked with fail2ban-client. To list the enabled jails use the following command.
sudo fail2ban-client status
You should get the output like this:-
aftab@aftab:~$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
To get the status of the sshd jail use the following command.
sudo fail2ban-client status sshd
OUTPUT :-
aftab@aftab:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 7
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: 10.0.2.15
The banned IP address appears here. If you want to unban that address, use the following command, substituting the jail name and the IP.
sudo fail2ban-client set JAIL_HERE unbanip IP_HERE
aftab@aftab:~$ sudo fail2ban-client set sshd unbanip 10.0.2.15
10.0.2.15
Now verify the sshd jail status again to confirm the IP address has been removed, using the following command.
sudo fail2ban-client status sshd
OUTPUT:-
aftab@aftab:~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 10
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 3
`- Banned IP list:
As you can see, there is no longer any IP address in the banned list.