Keeping the bad guys out with fail2ban

wall robin robokow
flickr / robin robokow (Creative Commons BY or BY-SA)

If you're looking for an easy (and free) way to make your Linux systems more resistant to attack, you might want to take a look at fail2ban. It's a fairly unusual intrusion detection tool that won't replace your border firewalls, but could add an effective layer of resistance to your host-based firewalls.

Implemented as a series of Python scripts, fail2ban works by dynamically altering the firewall rules on your system in reaction to attacks. When it detects a series of authentication failures or other signs of attack in your log files, it can (and is generally set up to) alter your firewall rules to resist those attacks. The beauty of the tool is that you don't have to anticipate where your attackers might be coming from. Instead, fail2ban will recognize the patterns in your log entries, identify the attackers for you, and automatically take precautions to block their access.

For fail2ban, the key is in spotting the patterns in your log files. For this reason, the tool comes with a series of filters that it uses for various services and these filters use fairly complex regular expressions to comb through your log files.

It might be looking at your auth.log file or at your Apache access log or both. It is generally set up to block addresses that appear to be malicious but it can, if you prefer, be set up to email warnings to yourself or your admin. It is especially useful in protecting against brute force attacks, but not generally effective in warding off attacks when the malicious connections are widely distributed as it wouldn't be able to gather enough evidence that any of the participating systems are indeed malicious.

If you opt to send email, you can include whois information on the attacking system or the lines from the log file that document the attack.

The tool installs with sample filters for numerous common services along with configuration files that detail how the system will run on your system. For example, how many indications within how many minutes must be seen before the system assums that the remote system is hostile? How long do you then ban the system from access and when do you remove the ban?

Filters are designed to identify authentication failures. They are built with regular expressions that will identify the lines in log files that correspond to the problems you are looking for. Filters have defined actions, but you can configure then to suit your needs. The default is to ban the offending system in your firewall rules -- iptables or firewalld -- when you see three problems within a ten minute period

The manual includes this very nice example:

failregex = Authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>

The term "failregex" refers to the set of regular expressions that are configured. Each failregex description (like the one above) sits in a configuration file in the filter.d directory. For example, the file /etc/fail2ban/filter.d/sshd.conf would contain the regex entries that relate to monitoring ssh traffic.

Filters can get a lot more complicated than the one shown above but, in general, you don't need to define them, but it's good to understand how they work.

Expressions such as .* match any string (zero or more characters) where \w matches alphanumeric or underscore. More complex expressions such as [iI](?:llegal|nvalid) provide for some flexibility in fail2ban's parsing. This one matches illegal, Illegal, etc.

Clearly pointing its fingers at various forms of login failures, this regex set assigns the name or address of the system from which the attacker came to the <HOST> variable. This can then be used in your firewall rules. This is because <HOST> is itself a predefined regular expression that matches hostnames and IPv4 addresses.

One of the really nice things about fail2ban is that, as a set of Python scripts and configuration files, it is completely transparent. You don't have deep to dig to understand everything about how it's working and what it's doing for you. This is a big advantage in my way of thinking. It's also very flexible about what it can monitor and how it can react.

Definitely a tool worth looking into, fail2ban can be installed with the normal Linux install tools like yum and apt-get. However, you will likely need some additional packages to work with firewalld and systemd. You can get more information by going to

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022