Tuesday, 21 December 2010

Installing Fail2ban: an other step in securing your server

Fail2ban is an authentication failure monitor that will check your different logs and, through iptables, can ban hackers and other wrong does from accessing your server.

On Debian (lenny), the installation is quite straight forward:

sudo aptitude install fail2ban

There will be 2 configuration files that you may need to take a look at:
/etc/fail2ban/jail.conf and /etc/fail2ban/jail.local. The first one has good defaults to begin securing your server. Since it can be overwritten when you update fail2ban, you should put your modifications or additions into jail.local.

Here are some things you may want to put in your local version:

Enable checks for services you use, like this for apache:
enabled = true

Fail2ban will log it's action to a log file but I'm not sure I'm going to take a look at them regularly but I do know that I check my e-mails many times a day, so why not have it email you it's logs:
action = %(action_mwl)s

In the same section [DEFAULT], you want to enter the IPs that should never be banned to make sure it won't lock you out of your own server:
ignoreip = xx.xx.xx.xx

I find default ban time a bit short (10 minutes), so once everything seems to work fine, you may when to update that to a longer period:
bantime = 3600

The latest version of fail2ban comes with a bunch of default filters for different services and they are pretty good out of the box. But I encourage you to take a regular look at your logs and see if there is some attacks that fail2ban doesn't catch and try to write your own filters. Here is one example I use to ban people who try to access DB/admin/system stuff through apache, some will block attemps at WIndows vulnaribilities but that's good since those people may then move on to Linux specific ones.

In /etc/fail2ban/jail.local:
enabled = true
port = http,https
filter = web-exploits
logpath = /var/log/apache2/error.log
maxretry = 4

In /etc/fail2ban/filter.d/web-exploits.conf:

failregex = [[]client <HOST>[]] File does not exist:
ignoreregex = [[]client <HOST>[]] File does not exist: .*favicon\.ico

This will ban anyone who tries to access an inexistent resource on my server. Looking at my logs, I find that the favicon one is the only reasonable exception so I added a ignoreregex entry.

As you see the rules are made up of regular expressions, so it's pretty easy to write your own rules.

 Just make sure to restart it when you have made changes:
sudo /etc/init.d/fail2ban restart


1 comment: