Last Updated: February 25, 2016 · 1.415K · poupougnac

Protect your server with Fail2Ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.

Get a brief status of fail2ban:

fail2ban-client status
Status
|- Number of jail:  2
`- Jail list:       proftpd, ssh

If fail2ban complains about your log files, restart the syslog daemon (rsyslog):

sudo service rsyslog restart

Protect yourself and legitimate users from getting banned

In /etc/fail2ban/jail.conf, ignoreip has to be set this way:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8

Create your own regex to catch particular attacks:

In /etc/fail2ban/filter.d/, copy the existing filter closest to what you want to match (e.g. apache-auth.conf)

Change the failregex variable:

failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind:\).*

<HOST> matches the IP address (fail2ban substitutes its own host pattern for it)
\d indicates a digit. It is the same as typing [0-9]
\D indicates a character that is NOT a digit. It is the same as typing [^0-9]
\w indicates an alphanumeric character or an underscore. It is the same as typing [a-zA-Z0-9_]
\W indicates a character that is NOT alphanumeric or an underscore. It is the same as typing [^a-zA-Z0-9_]
\t indicates a tab
\n indicates a new line
\r indicates a carriage return
\s indicates whitespace (space, \t, \n, \r and similar)
\S indicates a character that is NOT whitespace
Note that ., (, ) and other regex metacharacters must be escaped with a backslash to be matched literally, as in the failregex above.

How to check that my regex correctly parses my log files?

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-w00t.conf
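The following Python script is an added example, not part of the original protip and not fail2ban's own code. It emulates offline what fail2ban does with the ignoreip setting and the w00tw00t failregex above: it expands <HOST> with a simplified IPv4-only host pattern (a stand-in for fail2ban's real, broader one), matches constructed Apache access-log lines, skips hosts covered by ignoreip (including the 192.168.1.0/24 CIDR block), and reports which hosts would cross a maxretry threshold. The log lines, the maxretry value of 3 and the HOST_PATTERN are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache access-log lines (not real traffic): one external host
# sends the w00tw00t probe three times, one internal host sends it once,
# and one host makes an ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2016:10:00:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
203.0.113.7 - - [25/Feb/2016:10:00:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
192.168.1.20 - - [25/Feb/2016:10:00:03 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
198.51.100.9 - - [25/Feb/2016:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2016:10:00:05 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
"""

# The failregex as it would appear in a filter.d file. Metacharacters in the
# probe path are escaped so they match literally.
FAILREGEX = r'^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind:\).*'

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# real fail2ban also matches IPv6 addresses and hostnames).
HOST_PATTERN = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'

# Same value as the ignoreip line shown in the protip.
IGNOREIP = "127.0.0.1 192.168.1.0/24 8.8.8.8"


def compile_failregex(failregex):
    """Replace the <HOST> placeholder and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_ignoreip(value):
    """Each space-separated entry is a single address or a CIDR block."""
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]


def is_ignored(host, networks):
    """True if the host falls inside any whitelisted address or block."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def scan(log_text, failregex, ignoreip, maxretry=3):
    """Return (failure count per host, sorted list of hosts that would be banned)."""
    pattern = compile_failregex(failregex)
    networks = parse_ignoreip(ignoreip)
    failures = Counter()
    for line in log_text.splitlines():
        match = pattern.match(line)
        if not match:
            continue  # line does not look like the probe; not a failure
        host = match.group("host")
        if is_ignored(host, networks):
            continue  # whitelisted, never counted and never banned
        failures[host] += 1
    banned = sorted(h for h, n in failures.items() if n >= maxretry)
    return failures, banned


if __name__ == "__main__":
    counts, to_ban = scan(SAMPLE_LOG, FAILREGEX, IGNOREIP)
    print("failures per host:", dict(counts))
    print("would ban:", to_ban)
```

The script reproduces the behaviour the fail2ban-regex command checks for a real filter: the external probing host is counted and reaches the threshold, the internal host is matched by the regex but dropped by ignoreip, and the ordinary request never matches. On a live system, put the ignoreip override in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite.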

2 Responses

We had huge problems with fail2ban. Several people working in an office, only one makes a typo when entering an ssh password... Bam! Whole office gets banned for two hours.

over 1 year ago

Irumiha,
I added a specific part in the protip that shows how to whitelist both internal and external IP addresses.

over 1 year ago