Tuesday, August 27, 2013

Fail2ban and RedHat/CentOS

Fail2ban is another neat intrusion detection program. It monitors log files for suspicious access attempts and, once it has seen enough of them, edits the firewall to block the offender. The really neat part is that it will unban the offending IP later on (you define how long); that usually suffices for your garden-variety automatic port scanner/dictionary attack but also gives hope to your user who just can't remember a password. There are other programs out there that will deal with ssh attacks, but fail2ban will handle many different services; I myself use it with Asterisk, mail, and web, just to name a few.

But, you did not come here to hear me babbling; let's get busy and do some installing, shall we?

Installing fail2ban in RedHat/CentOS

For this example I will be using CentOS 6. YMMV.

  1. Get the required packages. You need jwhois (for whois) from base and fail2ban from, say, epel or your favourite repository:
    yum install jwhois fail2ban --enablerepo=epel

    whois is needed by /etc/fail2ban/action.d/sendmail-whois.conf, which is called
    by /etc/fail2ban/filter.d/sshd.conf.

    You will also need ssmtp or some kind of MTA so fail2ban can let you know that it caught a sneaky bastard. I briefly mentioned ssmtp in a previous post; seek and thou shalt find.

  2. Configure fail2ban.
    1. Disable everything in /etc/fail2ban/jail.conf. We'll be using /etc/fail2ban/jail.local:
      sed -i -e 's/^enabled.*/enabled  = false/' /etc/fail2ban/jail.conf
    2. Configure /etc/fail2ban/jail.local. For now, we will just have ssh enabled:
      HOSTNAME=`hostname -f`
      cat > /etc/fail2ban/jail.local << EOF
      # Fail2Ban jail.local configuration file.
      #
      
      [DEFAULT]
      actionban = iptables -I fail2ban-<name> 1 -s <ip> -m comment --comment "FAIL2BAN temporary ban" -j DROP
      
      # Destination email address used solely for the interpolations in
      # jail.{conf,local} configuration files.
      destemail = raub@kudria.com
      
      # This will ignore connection coming from our networks.
      # Note that local connections can come from other than just 127.0.0.1, so
      # this needs CIDR range too.
      ignoreip = 127.0.0.0/8 $(dig +short $HOSTNAME)
      
      #
      # ACTIONS
      #
      # action = %(action_mwl)s
      
      #
      # JAILS
      #
      [ssh]
      enabled = true
      port    = ssh
      filter  = sshd
      action   = iptables[name=SSH, port=ssh, protocol=tcp]
                 sendmail-whois[name=SSH, dest="%(destemail)s", sender=fail2ban@$HOSTNAME]
      logpath  = /var/log/secure
      maxretry = 5
      bantime = 28800
      EOF
      Note that we are only whitelisting the host itself. You could whitelist your LAN and other machines/networks if you want. A jail is a fail2ban term for a ruleset you want to check for, and ban as needed.
    3. Decide where you want fail2ban to log to. That is done in /etc/fail2ban/fail2ban.local using the logtarget variable. Some possible values are shown here:
      cat > /etc/fail2ban/fail2ban.local << EOF
      [Definition]
      # logtarget = SYSLOG
      logtarget = /var/log/fail2ban.log
      EOF
      The file /etc/fail2ban/fail2ban.conf should provide you with examples on how to set that up.
  3. Enable fail2ban
    service fail2ban restart
    chkconfig fail2ban on
    If you now do
    chkconfig --list fail2ban
    you should then see
    fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    Then check the fail2ban log you defined just before for any funny business. If you have set it up correctly, you should also see an email to destemail saying fail2ban started. You will get one email per jail, so if you just did the default (ssh), you will get one email that looks like this:

    Hi,
    
    The jail SSH has been started successfully.
    
    Regards,
    
    Fail2Ban.

    When fail2ban bans someone, you will receive an email that looks like this:

    Hi,
    
    The IP 82.205.21.200 has just been banned by Fail2Ban after
    3 attempts against ASTERISK.
    
    
    Here are more information about 82.205.21.200:
    
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '82.205.16.0 - 82.205.31.255'
    [...]

    Note that this is not the SSH jail but the ASTERISK one; I just wanted to show a different example. Also, the stuff after the banned message is from whois.

    If you do iptables -L, you will see which rule fail2ban added to iptables:

    Chain fail2ban-SSH (1 references)
    target     prot opt source               destination
    DROP       all  --  221.178.164.251      anywhere
    RETURN     all  --  anywhere             anywhere

    Note it creates a chain for each jail.
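    To make the jail settings above concrete, here is an added example (my own code, not part of the original post or of fail2ban) that replays constructed /var/log/secure lines through the same decision the [ssh] jail makes: count matching failures per IP inside findtime, skip anything in ignoreip, and ban at maxretry, then print the rule the iptables action inserts into the fail2ban-SSH chain. The failregex is a simplified stand-in for filter.d/sshd.conf, and findtime=600 is fail2ban's default since the post leaves it unset; unbanning after bantime is not simulated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# From the [ssh] jail above; findtime is fail2ban's default 600 s (the post leaves it unset).
MAXRETRY, FINDTIME, IGNOREIP = 5, 600, ["127.0.0.0/8"]
# Simplified stand-in for the failregex in filter.d/sshd.conf, not the exact one.
FAILED = re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for .* from (\S+)(?: port \d+)?(?: ssh\d*)?$")

# Constructed /var/log/secure excerpt; hostnames and addresses are made up.
SECURE_LOG = """\
Aug 27 09:58:01 host sshd[2001]: Failed password for root from 198.51.100.9 port 40001 ssh2
Aug 27 10:00:01 host sshd[2002]: Failed password for root from 203.0.113.7 port 40011 ssh2
Aug 27 10:00:03 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Aug 27 10:00:05 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 40013 ssh2
Aug 27 10:00:08 host sshd[2006]: Failed password for root from 203.0.113.7 port 40014 ssh2
Aug 27 10:00:10 host sshd[2007]: Failed password for root from 203.0.113.7 port 40015 ssh2
Aug 27 10:20:00 host sshd[2008]: Failed password for root from 198.51.100.9 port 40002 ssh2
Aug 27 10:21:00 host sshd[2009]: Failed password for raub from 127.0.0.1 port 40003 ssh2
Aug 27 10:21:01 host sshd[2010]: Failed password for raub from 127.0.0.1 port 40004 ssh2
Aug 27 10:21:02 host sshd[2011]: Failed password for raub from 127.0.0.1 port 40005 ssh2
Aug 27 10:21:03 host sshd[2012]: Failed password for raub from 127.0.0.1 port 40006 ssh2
Aug 27 10:21:04 host sshd[2013]: Failed password for raub from 127.0.0.1 port 40007 ssh2
"""

def ban_decisions(log, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Replay log lines the way the jail would; return the IPs it bans, in order."""
    nets = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue              # "Accepted password" and other lines never count
        ip = m.group(1)
        if ip in banned or any(ip_address(ip) in n for n in nets):
            continue              # already banned, or whitelisted by ignoreip
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failures older than findtime drop out of the count
        if len(q) >= maxretry:
            banned.append(ip)
    return banned

def iptables_commands(banned, jail="SSH"):
    """Rule the iptables action inserts into the per-jail chain (cf. iptables -L above)."""
    return [f"iptables -I fail2ban-{jail} 1 -s {ip} -j DROP" for ip in banned]
```

    With the sample, only 203.0.113.7 is banned: 127.0.0.1 is covered by ignoreip, and the two failures from 198.51.100.9 fall outside one findtime window.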
