Fail2Ban: Preventing Brute Force SSH
From Debian Clusters
Fail2ban is used to combat brute force SSH attacks. It does this by watching the log files for invalid logins from specific IPs within a certain amount of time and then using iptables to ban them. If you've set up NAT with IPTables, your users will be specifying the firewall's name when they SSH in, but they will actually be SSHing into the head node. Since the head node handles all SSH requests, Fail2Ban should be installed on the head node.
To install fail2ban, run
apt-get install fail2ban
Running iptables -L after this should now show a chain for fail2ban.
Configuring Fail2ban
Fail2ban is automatically configured for the most part. However, a few items need to be tweaked. /etc/fail2ban/fail2ban.conf is responsible for general settings for fail2ban, such as which log to append to. More specific settings can be changed in /etc/fail2ban/jail.conf. However, it's recommended that this file not be changed directly. Instead, make a copy to jail.local (cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local) and the local file will override the .conf one.
First, find ignoreip. It's always important for you to have a way in! These are IPs that fail2ban will ignore - IPs listed here can always have invalid login attempts and still not be blocked. In my file, I'm putting down the network ranges for my internal network (192.168.1.0/24) as well as one other trusted IP address of a machine that I will be able to SSH into if need be. These need to be space separated! If they are not, fail2ban won't block anyone.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 192.168.1.0/24 X.X.X.X
Default options are listed somewhere near the top of the file. Although there are specific filters specified further down, these default options will take effect unless overridden in the specific filters. bantime specifies how long an IP address sits in "time out" before it is allowed to attempt to log in again. The default of 600 seconds (10 minutes) is probably fine.
Individual filters are specified with brackets surrounding the filter's name. By default, only [ssh] is active. Notice this filter has a higher maxretry than specified in the default above. Maxretry specifies the number of times an IP address can attempt to log in before being banned. I changed mine down to 3.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
After making changes to any files, restart fail2ban with /etc/init.d/fail2ban restart.
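As an added illustration (not code from this page or from fail2ban itself), the following Python script applies the jail settings above to a constructed auth.log excerpt: it counts sshd "Failed password" lines per source IP inside the findtime window, skips the ignoreip networks, and reports which addresses would reach maxretry = 3. The log lines are constructed sample data, and the year is an assumed argument because syslog timestamps carry none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Jail settings from the page (hard-coded here rather than read from jail.local).
IGNOREIP = ["192.168.1.0/24"]   # networks that are never banned
MAXRETRY = 3                    # failures allowed before a ban
FINDTIME = 600                  # seconds within which those failures must occur

# Matches the "Failed password" lines the sshd filter looks for in /var/log/auth.log.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in IGNOREIP)

def bans_from_log(lines, year=2009):
    """Return {ip: time_of_ban} for IPs reaching MAXRETRY failures inside FINDTIME."""
    recent, bans = defaultdict(list), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                      # not a failure line; the filter skips it
        ip = m.group("ip")
        if ip in bans or ignored(ip):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # keep only failures still inside the findtime window, then add this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= FINDTIME] + [ts]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = ts                 # fail2ban would add a DROP rule to fail2ban-ssh here
    return bans

# Constructed auth.log excerpt (sample data, not taken from a real host).
SAMPLE_LOG = """\
Mar 15 10:00:01 gyrfalcon sshd[1234]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 15 10:00:05 gyrfalcon sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Mar 15 10:00:09 gyrfalcon sshd[1236]: Failed password for root from 203.0.113.7 port 4003 ssh2
Mar 15 10:01:00 gyrfalcon sshd[1240]: Failed password for alice from 192.168.1.20 port 5000 ssh2
Mar 15 10:01:02 gyrfalcon sshd[1241]: Failed password for alice from 192.168.1.20 port 5001 ssh2
Mar 15 10:01:04 gyrfalcon sshd[1242]: Failed password for alice from 192.168.1.20 port 5002 ssh2
Mar 15 10:02:00 gyrfalcon sshd[1250]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Mar 15 10:20:00 gyrfalcon sshd[1260]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Mar 15 10:40:00 gyrfalcon sshd[1270]: Failed password for bob from 198.51.100.9 port 6002 ssh2
""".splitlines()
```

Running bans_from_log(SAMPLE_LOG) bans only 203.0.113.7: the 192.168.1.20 failures fall under ignoreip, and 198.51.100.9 fails three times but twenty minutes apart, so it never accumulates three failures inside the 600-second findtime window.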
Oops!... Unblocking Blocked IPs
Fail2ban timeouts are only temporary. Still, it's important to know how to unblock an IP address once fail2ban has started blocking it. If you do iptables -L, you'll see all the IPs currently blocked:
gyrfalcon:~# iptables -L
Chain INPUT (policy ACCEPT)
target       prot opt source               destination
fail2ban-ssh tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain fail2ban-ssh (1 references)
target       prot opt source               destination
DROP         0    --  lucient.rootmypc.net anywhere
RETURN       0    --  anywhere             anywhere
Notice lucient.rootmypc.net is currently being blocked here. Rather than waiting ten minutes for it to be unblocked, you can tell iptables to drop that rule. The syntax is iptables -D <chain> <rule number>, where the chain is fail2ban-ssh and the rule number is the position of the DROP line within that chain (the first rule is 1). To unblock lucient.rootmypc.net, I issued
gyrfalcon:/etc/fail2ban# iptables -D fail2ban-ssh 1
Entering iptables -L again should show that the rule is now gone, and that IP address is again allowed to SSH in (at least until they try to log in incorrectly the magic number of times again).

