Debian11, Server, fail2ban install to ban attackers

Fail2ban parses log files, looking for attack attempts and take countermeasures to ban the attacker temporarily or permanently using IPTables and TCPWrapper rules. Configuration with TARPIT IPtables targets to “punish” attackers. This post describe the basic and common installation setup, I specialize it depending on the server type (public or gateway/router) in the next posts.

Fail2ban presentation

Fail2Ban parses the log files and searches for typical attack patterns, when the same source IP has several authentication failure, or tries to scan the server, … The attack was successfully blocked by the first line of defense, IPTables rules or TCPWrappers, but continues. It is probably not a mistake, but a real attack and it is time to implement more than just blocking each attempt.

Fail2ban can execute arbitrary commands to block the source IP for a given amount of time, it can also send email with details to the admin, add the source IP to public blacklists or trigger active countermeasures.

Automatic countermeasures is not a good idea, email notification can rapidly fil your mailbox without any great value, and adding bad ips to public blacklists would need to open outgoing network connections and I personnally do not find automatic blacklist addition as a reliable action. We have to keep in mind that the attacks are rarely comnig directly from the attacker machines, but from a botnet, a machine network made of innocent machines infected by a virus. All these actions would punish innocent victims way too strongly, from my point of view.

• Fail2ban presentation
• Prerequisites
  • Existing variables
  • Reload the variables
• Common Installation
  • Second level ban of already banned connections
  • TARPIT malicious connections
  • Whitelist my IP or LAN
  • Tune the ban duration
  • Tune the detection thresholds
  • Apply the configuration
• Administration
• Materials and links
• Footnotes

Prerequisites

This article only depends on the Generic machine preparation.

Existing variables

We need the LAN_* variable which is already defined in the configuration file, in 010 - Configuration variables.

Reload the variables

Ensure that the variables are available, by loading the configuration script :

source /root/config.env

Common Installation

The package is small, easy and fast to install, it asks no questions by default.

apt-get install -y fail2ban

Second level ban of already banned connections

When a pattern is repeated, Fail2Ban triggers a temporary action to block further attempts for a specified time. This rule acts as a second level to take more restrictive actions when the attempts are continuing while blocked.

cat << EOF > /etc/fail2ban/jail.d/recidive.conf
[recidive]
enabled = true
EOF

TARPIT malicious connections

Instead of simply ignoring the incoming network paquets to block them, I chose to send them to the TARPIT target. I described this target in the IPTable post, we already know that this trafic is malicious, it does not hurt or consume local resources and it should stop the attack attempts directly at the source.

cat << EOF > /etc/fail2ban/action.d/iptables-common.local
[Init]
blocktype = TARPIT
EOF

Whitelist my IP or LAN

Normal usage should not be impacted, but it might be advisable to whitelist our own public IP address to avoid any mistake.

cat << EOF > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ${LAN_IP}/${LAN_NM}
#action = %(action_mw)s
EOF

Tune the ban duration

I also adjust the temporary ban time to 1 hour, way more longer than the default.

cat << EOF >> /etc/fail2ban/jail.local
bantime = 3600
EOF

Tune the detection thresholds

Finally, I tell fail2ban to trigger then ban when it finds more than 3 attempts during the last 10 minutes, in order to detect slow attacks.

cat << EOF >> /etc/fail2ban/jail.local
findtime = 600
maxretry = 3
EOF

Apply the configuration

systemctl restart fail2ban

Administration

Keep in mind that this tool will dynamically block connections. You can use fail2ban-client to manage the currently banned hosts with the banned, ban and unban commands. These commands are available with the version included in Debian 11 Bullseye, but not in the version included in Debian 10 Buster. When a host is banned, it will be added to an iptable chain, visible in iptable -L -n -v output and in the TCPWrapper’s /etc/hosts.deny blacklist file.

Materials and links

I found some extra information on these pages, in English and in French.

• booleanworld¹ (en)
• whyscream² (en)
• nicolargo³ (fr)
• nicolargo⁴ (fr)

Footnotes

1. https://www.booleanworld.com/protecting-ssh-fail2ban/ ↩

2. http://whyscream.net/wiki/Fail2ban_monitoring_Fail2ban.md ↩

3. https://blog.nicolargo.com/2012/02/proteger-son-serveur-en-utilisant-fail2ban.html ↩

4. https://blog.nicolargo.com/2012/03/bannir-les-bannis-avec-fail2ban.html ↩