
Install Fail2Ban


Install Fail2Ban with the following command:

sudo apt install -y fail2ban

Configure Fail2Ban Defaults

Edit the default Fail2Ban config if you need to manually configure any jails (settings in the .local file override the same settings in the .conf file):

sudo nano /etc/fail2ban/jail.local

If you need to whitelist any IPs, add the following configuration to the [DEFAULT] section and update it accordingly:

ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 <Network Address>/<CIDR Mask>

To change the default number of failures in an allotted timeframe, add the following settings to the [DEFAULT] section to override the defaults of 5 failures in 10 minutes (adjust the values accordingly):

findtime  = 10m
maxretry = 5

Note:  You can use "s" for seconds, "m" for minutes, "h" for hours, and "d" for days.

To change the default ban time, add the following setting to the [DEFAULT] section to override the default of 10 minutes (adjust the value accordingly):

bantime  = 10m

Note:  You can use "s" for seconds, "m" for minutes, "h" for hours, and "d" for days, or use any negative number to permanently ban the IP address.

If you want to incrementally increase the ban time for repeat offenders, add the following line to the [DEFAULT] section:

bantime.increment = true

A complete [DEFAULT] section with all of the settings above looks like this:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
findtime  = 10m
maxretry = 5
bantime  = 10m
bantime.increment = true

Create a new Filter and Jail

To create a new filter, create a configuration file for it with the following commands (we're copying an existing filter to get started, using HAProxy as an example):

sudo cp /etc/fail2ban/filter.d/haproxy-http-auth.conf /etc/fail2ban/filter.d/haproxy-<filtername>.conf
sudo nano /etc/fail2ban/filter.d/haproxy-<filtername>.conf

Next, set up the filter by modifying the failregex line to match the log file entries that you want to count as a failure for banning purposes (this could be 401 errors, 503 errors, etc.).

Here's an example for filtering HAProxy logs on an IP getting 401 errors:

failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> 0/-1/-1/-1/\+*\d* 401

Here's an example for filtering on an IP trying to access common file paths that are used to try to exploit servers:

failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.* {(www\.)?icstexas\.com} "(GET|POST) \/(wp-login\.php|router\.php|xmlrpc\.php|indoxploit\.php|wso\.php|admin\.php|upload\.php|shell\.php)\/? HTTP\/1\.1"$

Here's an example (full files attached as haproxy-ignition-auth.zip) for HAProxy monitoring login attempts (good or bad):

failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*POST\s+\/idp\/default\/authn\/submit-username-password-challenge
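To see how a failregex and the findtime/maxretry settings above work together before restarting the service, here is an added Python example (not from the original page or from Fail2Ban itself). It expands the 401 failregex with an IPv4-only <HOST> capture and a simplified syslog prefix (both assumptions), runs it over constructed HAProxy log lines, and reports which hosts a jail with the given findtime, maxretry and ignoreip would ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fail2Ban replaces <HOST> with a capture group for the client address; this IPv4-only
# pattern and the simplified syslog prefix are assumptions made for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ haproxy\[\d+\]: "
# The 401 failregex from above with <HOST> and %(__prefix_line)s expanded.
FAILREGEX_401 = re.compile(PREFIX + HOST + r"(?::\d+)?\s+.*<NOSRV> 0/-1/-1/-1/\+*\d* 401")

def hosts_to_ban(log_lines, findtime=timedelta(minutes=10), maxretry=5, ignoreip=()):
    """Return the hosts a jail with these settings would ban, in the order they trip it."""
    nets = [ip_network(n, strict=False) for n in ignoreip]   # accepts 127.0.0.1/8 as-is
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = []
    for line in log_lines:
        m = FAILREGEX_401.search(line)
        if not m:
            continue              # not a failure by this filter's definition
        host = m.group("host")
        if any(ip_address(host) in n for n in nets):
            continue              # ignoreip: never counted, never banned
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2024)
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def _line(minute, host, status):
    """Build a constructed HAProxy syslog line (sample data, not from a real server)."""
    srv = "<NOSRV> 0/-1/-1/-1/0" if status == 401 else "app1 0/0/1/5/6"
    return (f"Oct 10 12:{minute:02d}:00 lb1 haproxy[2140]: {host}:51234 "
            f"[10/Oct/2024:12:{minute:02d}:00.000] fe_http be_app/{srv} {status} 282 - - "
            f"---- 1/1/0/0/0 0/0 \"GET /admin HTTP/1.1\"")

SAMPLE_LOG = (
    [_line(m, "203.0.113.5", 401) for m in range(5)]          # 5 failures in 5 minutes
    + [_line(5, "203.0.113.5", 200)]                          # a success: does not count
    + [_line(m, "198.51.100.7", 401) for m in range(2)]       # only 2 failures
    + [_line(m * 5, "198.51.100.9", 401) for m in range(5)]   # 5 failures spread over 20 min
    + [_line(m, "192.168.1.20", 401) for m in range(6)]       # on the ignoreip list
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, ignoreip=["127.0.0.1/8", "192.168.0.0/16"]))  # ['203.0.113.5']
```

Against a real log, the equivalent check is `fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/haproxy-<filtername>.conf`, which reports how many lines the filter matched.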

To create a new jail, create its configuration file with the following command:

sudo nano /etc/fail2ban/jail.d/haproxy-<filtername>.conf

Next, you'll set up the jail accordingly using examples in the main jail.conf file, or this example for HAProxy:

[haproxy-<filtername>]
enabled  = true
logpath  = /var/log/haproxy.log

Note: The filter filename (without the .conf extension) and the jail section name must match exactly, because a jail looks up its filter by its own name. Any naming difference will stop the filter and jail from working together.

When finished making any changes, restart the Fail2Ban service with the following command:

sudo service fail2ban restart

Checking Fail2Ban Jail Status

To check the status of a Fail2Ban jail, run the following command (using a jail named haproxy-sitename as an example):

sudo fail2ban-client status haproxy-sitename

Unbanning an IP from a Jail

To unban an IP from a specific jail, use the following command:

sudo fail2ban-client set <Jail Name> unbanip <IP Address>

Manually banning an IP for a Jail

To manually ban an IP from a specific jail, use the following command:

sudo fail2ban-client set <Jail Name> banip <IP Address>