This article was last reviewed for Debian 9 (Stretch).
Fail2ban installation and configuration (Debian, repository)
| Author: | Stefán Örvar Sigmundsson |
|---|---|
| Initial publication: | |
| Last updated: | |
| Written in: | English (United Kingdom) |
Fail2ban is free and open-source intrusion prevention software: it watches log files for signs of abuse such as repeated authentication failures and temporarily bans the offending IP addresses by adding firewall rules. This article demonstrates how to install and configure Fail2ban on Debian or its derivatives such as Ubuntu and Linux Mint.
Installation
Fail2ban can be installed from the official Debian repository using APT:
root@computer:~# apt --assume-yes install fail2ban
Configuration
A dedicated directory is created for the log file of Fail2ban (the Debian package logs to /var/log/fail2ban.log by default):
root@computer:~# mkdir /var/log/fail2ban/
An empty log file is created in that directory:
root@computer:~# touch /var/log/fail2ban/fail2ban.log
fail2ban.local
A file is created to contain the general configuration of Fail2ban:
root@computer:~# touch /etc/fail2ban/fail2ban.local
Fail2ban requires little general configuration to function. Settings in fail2ban.local override those in the packaged fail2ban.conf and are not overwritten when the package is upgraded, so only values that differ from the packaged defaults strictly need to be listed; here they are written out in full.
[Definition]
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400
loglevel = NOTICE
logtarget = /var/log/fail2ban/fail2ban.log
pidfile = /run/fail2ban/fail2ban.pid
socket = /run/fail2ban/fail2ban.socket
syslogsocket = auto
[Definition]
- Sets the configuration scope for the subsequent directives to Definition, which is the only scope used in the general configuration of Fail2ban.
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
- The database file of Fail2ban, which stores data (e.g. current bans) persistently so that bans survive a restart or reboot.
dbpurgeage = 86400
- The age, in seconds, after which ban records are purged from the database. It should be at least as long as the longest bantime in use (86400 seconds in the jail configuration below), otherwise a long ban can be lost on restart before it has expired.
loglevel = NOTICE
- The verbosity of the log. NOTICE records bans and unbans without the per-line detail that INFO or DEBUG produce.
logtarget = /var/log/fail2ban/fail2ban.log
- The log file of Fail2ban.
pidfile = /run/fail2ban/fail2ban.pid
- The PID file of Fail2ban.
socket = /run/fail2ban/fail2ban.socket
- The socket file through which fail2ban-client talks to the server.
syslogsocket = auto
- The socket file of syslog. The default is auto, but it is listed explicitly so that Fail2ban does not warn about it being unset. It is not used in this configuration since logtarget is a file rather than SYSLOG.
jail.local
A file is created to contain the intrusion detection and prevention configuration of Fail2ban:
root@computer:~# touch /etc/fail2ban/jail.local
A jail combines a filter (a set of regular expressions that recognise failures in a log file) with one or more actions (the commands run to ban and later unban an offending address). The directives in the DEFAULT section apply to every jail unless a jail overrides them.
[DEFAULT]
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
backend = auto
banaction = iptables-multiport
bantime = 86400
chain = INPUT
enabled = true
filter = %(__name__)s
findtime = 600
ignoreip = 127.0.0.1/8
logencoding = auto
maxretry = 3
port = 0:65535
protocol = tcp
usedns = warn
[DEFAULT]
- Sets the configuration scope for the subsequent directives to DEFAULT, whose values apply to all jails unless a jail overrides them.
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- The action to perform during bannings.
backend = auto
- The method used to detect changes to the monitored log files (pyinotify, gamin or polling). auto selects the first one available.
banaction = iptables-multiport
- The name of the action in the action.d directory. This directive is a variable for the action directive.
bantime = 86400
- The duration of bans in seconds. This directive is a variable for the action directive.
chain = INPUT
- The iptables chain type. This directive is a variable for the action directive.
enabled = true
- Enables the jail.
filter = %(__name__)s
- The name of the filter in the filter.d directory. Jails are conventionally named after the service they monitor. Since there can only be one filter per jail it makes sense to name the configuration scope of a jail after its filter.
findtime = 600
- The length (in seconds) of the sliding window in which failures are counted. An address is banned only if it produces maxretry failures within findtime; failures older than that no longer count towards a ban.
ignoreip = 127.0.0.1/8
- The IP addresses, CIDR ranges or DNS host names (separated by spaces) that are never banned. The addresses from which the system is administered should be added here, since a mistyped password would otherwise lock the administrator out for the full bantime.
logencoding = auto
- The character encoding of the log file.
maxretry = 3
- The number of failures within findtime that triggers a ban.
port = 0:65535
- The port(s) on which a banned address is blocked; 0:65535 blocks it on every port. This directive is a variable for the action directive.
protocol = tcp
- The protocol on which a banned address is blocked. This directive is a variable for the action directive.
usedns = warn
- How host names in log files are treated: yes resolves them to IP addresses, no ignores them, and warn resolves them but logs a warning, since a DNS lookup on attacker-controlled input is slow and the result need not be trustworthy.
Jails can be declared in the jail.local file or in the jail.d directory.
Most servers will have an SSH server installed. The following is an example of a jail configuration:
[sshd]
logpath = /var/log/auth.log
port = 22
[sshd]
- Names the jail sshd. Since filter was set to __name__ in DEFAULT it means that the jail's name is also the name of its filter. There is a filter by the name sshd in the filter.d directory.
logpath = /var/log/auth.log
- The log path of the software to monitor. The applied filter will process the log file.
port = 22
- The port (range) of the software to monitor. It overrides the value set to port in DEFAULT.
There are dozens of filters for commonly installed server software in the filter.d directory, and a jail for any of them is declared in the same way: a section named after the filter, with logpath and port set for the service.
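As an added example (not from the article and not Fail2ban's own code), the following Python script expands the jail.local shown above the way Fail2ban's configuration reader does, with %(__name__)s standing for the section name, and then replays the resulting sshd jail's ignoreip, findtime, maxretry and bantime rules over a handful of constructed auth.log lines. The failregex is a simplified stand-in for the real filter.d/sshd.conf, the log lines and addresses are made up for the example, and the year 2017 is assumed because syslog timestamps carry no year.

```python
"""Added example, not part of the article or of Fail2ban: expand jail.local the
way Fail2ban's ConfigParser does, then replay the sshd jail's ban logic over a
few constructed /var/log/auth.log lines."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The jail.local from the article, embedded so that the script runs offline.
JAIL_LOCAL = """\
[DEFAULT]
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
backend = auto
banaction = iptables-multiport
bantime = 86400
chain = INPUT
enabled = true
filter = %(__name__)s
findtime = 600
ignoreip = 127.0.0.1/8
logencoding = auto
maxretry = 3
port = 0:65535
protocol = tcp
usedns = warn

[sshd]
logpath = /var/log/auth.log
port = 22
"""

# Simplified stand-in for filter.d/sshd.conf (an assumption, not the real filter):
# one failregex for "Failed password" lines, capturing the client address as <host>.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

# Constructed auth.log excerpt (syslog format, no year): 203.0.113.5 fails three
# times within 600 s, 198.51.100.7 fails three times but 15 minutes apart,
# 127.0.0.1 fails three times but is covered by ignoreip, and 203.0.113.5
# reappears a day later, after its ban has expired.
SAMPLE_AUTH_LOG = [
    "Sep 12 10:00:00 computer sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Sep 12 10:00:05 computer sshd[1202]: Failed password for invalid user admin from 127.0.0.1 port 40001 ssh2",
    "Sep 12 10:00:10 computer sshd[1203]: Failed password for root from 198.51.100.7 port 60001 ssh2",
    "Sep 12 10:01:00 computer sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Sep 12 10:01:30 computer sshd[1205]: Failed password for root from 127.0.0.1 port 40002 ssh2",
    "Sep 12 10:02:00 computer sshd[1206]: Accepted publickey for alice from 203.0.113.9 port 50000 ssh2: RSA SHA256:abc",
    "Sep 12 10:03:00 computer sshd[1207]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Sep 12 10:03:30 computer sshd[1208]: Failed password for root from 127.0.0.1 port 40003 ssh2",
    "Sep 12 10:15:00 computer sshd[1209]: Failed password for root from 198.51.100.7 port 60002 ssh2",
    "Sep 12 10:30:00 computer sshd[1210]: Failed password for root from 198.51.100.7 port 60003 ssh2",
    "Sep 13 10:05:00 computer sshd[1301]: Failed password for root from 203.0.113.5 port 51300 ssh2",
]


def load_jail(text, name):
    """Return the effective options of jail `name` with every %(...)s expanded.
    Fail2ban injects __name__ (the section name) itself; here it is passed as
    `vars` so that configparser's BasicInterpolation resolves it the same way."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {key: parser.get(name, key, vars={"__name__": name}) for key in parser[name]}


def parse_line(line, year):
    """Return (epoch seconds, host) if the failregex matches the line, else None."""
    match = FAILREGEX.search(line)
    if match is None:
        return None
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return stamp.timestamp(), match.group("host")


def run_jail(opts, lines, year=2017):
    """Replay maxretry/findtime/bantime/ignoreip over log lines and return the
    ban and unban events in order. Expired bans are released only when a new
    line arrives; Fail2ban itself releases them on a timer."""
    maxretry, findtime, bantime = (int(opts[k]) for k in ("maxretry", "findtime", "bantime"))
    ignored = [ipaddress.ip_network(net, strict=False) for net in opts["ignoreip"].split()]
    failures = defaultdict(deque)  # host -> timestamps of failures inside findtime
    banned = {}                    # host -> epoch second at which the ban expires
    events = []
    for line in lines:
        hit = parse_line(line, year)
        if hit is None:
            continue
        now, host = hit
        for other, until in list(banned.items()):
            if now >= until:
                del banned[other]
                events.append(("unban", other))
        if host in banned or any(ipaddress.ip_address(host) in net for net in ignored):
            continue
        recent = failures[host]
        recent.append(now)
        while now - recent[0] > findtime:  # drop failures that fell out of the window
            recent.popleft()
        if len(recent) >= maxretry:
            banned[host] = now + bantime
            recent.clear()
            events.append(("ban", host, opts["action"]))
    return events


if __name__ == "__main__":
    sshd = load_jail(JAIL_LOCAL, "sshd")
    print("filter:", sshd["filter"], "port:", sshd["port"])
    print("action:", sshd["action"])
    for event in run_jail(sshd, SAMPLE_AUTH_LOG):
        print(*event)
```

Running the script shows that the sshd section's port overrides the DEFAULT port inside the expanded action string, that only the address with three failures inside one 600-second window is banned, and that the loopback failures never count. The same replay against a real filter is what fail2ban-regex does on a live system.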
Conclusion
Log rotation
The package installs a default logrotate configuration file (/etc/logrotate.d/fail2ban) for /var/log/fail2ban.log. Since the log has been moved to a dedicated directory, that file is replaced with:
/var/log/fail2ban/*.log
{
copytruncate
maxage 365
missingok
monthly
notifempty
rotate 12
}
/var/log/fail2ban/*.log
- Sets the configuration scope for the subsequent section. The pattern matches all files (*) ending with the extension log in the /var/log/fail2ban/ directory.
copytruncate
- Copy the contents of the log file being rotated into a new file and then truncate the original, so that Fail2ban can keep writing to the same open file. Lines written between the copy and the truncation are lost; the packaged rule avoids this by running fail2ban-client flushlogs in a postrotate script instead, which makes Fail2ban reopen its log file.
maxage 365
- Remove log files older than 365 days.
missingok
- Do not consider it an error if a log file is missing.
monthly
- Perform a log rotation monthly.
notifempty
- Do not perform a log rotation on an empty log file.
rotate 12
- Perform 12 log rotations before older log files are removed.
Directory ownership and permissions
The configuration directory should be protected. Fail2ban runs as root and executes the commands in its actions as root, so anyone who can write to /etc/fail2ban can effectively run commands as root; the adm group therefore gets read access only (u=rwX,g=rX,o= yields 0750 on directories and 0640 on files):
root@computer:~# chown --recursive root:adm /etc/fail2ban/
root@computer:~# chmod --recursive u=rwX,g=rX,o= /etc/fail2ban/
The log directory should be protected. Because Fail2ban runs as root, the directory is owned by root (not apache, which is not a user on Debian), and the adm group, which conventionally may read system logs, gets read access:
root@computer:~# chown --recursive root:adm /var/log/fail2ban/
root@computer:~# chmod --recursive u=rwX,g=rX,o= /var/log/fail2ban/
Software reinitiation
Once the configuration is complete, Fail2ban is restarted so that it reads the new files (fail2ban-client status sshd then confirms that the jail is active):
root@computer:~# systemctl restart fail2ban.service