Fail2ban installation and configuration (Debian, repository)

fail2ban.local

A file is created to contain the general configuration of Fail2ban:

root@computer:~# touch /etc/fail2ban/fail2ban.local

Fail2ban requires little general configuration to function.

[Definition]

dbfile = /var/lib/fail2ban/fail2ban.sqlite3

dbpurgeage = 86400

loglevel = NOTICE

logtarget = /var/log/fail2ban/fail2ban.log

pidfile = /run/fail2ban/fail2ban.pid

socket = /run/fail2ban/fail2ban.socket

syslogsocket = auto

[Definition]

Sets the configuration scope for the subsequent directives to Definition which is the default scope for general configuration of Fail2ban.

dbfile = /var/lib/fail2ban/fail2ban.sqlite3

The database file of Fail2ban which stores data (e.g. bannings) persistently during reboots.

dbpurgeage = 86400

The rate of purgings of the database file of Fail2ban which is specified in seconds.

logtarget = /var/log/fail2ban/fail2ban.log

The log file of Fail2ban.

pidfile = /run/fail2ban/fail2ban.pid

The PID file of Fail2ban.

socket = /run/fail2ban/fail2ban.socket

The socket file of Fail2ban.

syslogsocket = auto

The socket file of syslog. The default is auto but it must be specified so that Fail2ban does not complain. It is not used in this configuration as logtarget is set to a file and not to SYSLOG.

jail.local

A file is created to contain the intrusion detection and prevention configuration of Fail2ban:

root@computer:~# touch /etc/fail2ban/jail.local

Actions and filters define jails which are used to prevent detected intruders from doing harm to the system.

[DEFAULT]

action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

backend = auto

banaction = iptables-multiport

bantime = 86400

chain = INPUT

enabled = true

filter = %(__name__)s

findtime = 600

ignoreip = 127.0.0.1/8

logencoding = auto

maxretry = 3

port = 0:65535

protocol = tcp

usedns = warn

[DEFAULT]

Sets the configuration scope for the subsequent directives DEFAULT which applies to all jails by default.

action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

The action to perform during bannings.

backend = auto

The method of receiving log file notifications.

banaction = iptables-multiport

The name of the action in the action.d directory. This directive is a variable for the action directive.

bantime = 86400

The duration of bans in seconds. This directive is a variable for the action directive.

chain = INPUT

The iptables chain type. This directive is a variable for the action directive.

enabled = true

Enables the jail.

filter = %(__name__)s

The name of the filter in the filter.d directory. Jails are conventionally named after the service they monitor. Since there can only be one filter per jail it makes sense to name the configuration scope of a jail after its filter.

findtime = 600

The duration (in seconds) of time before authentication attempts are reset for individual users who have not reached maxretry and have thus not been banned.

ignoreip = 127.0.0.1/8

The IP addresses/CIDR masks/DNS hosts excluded from jails.

logencoding = auto

The character encoding of the log file.

maxretry = 3

The number of authentication attempts before banning.

port = 0:65535

The port (range) from which to ban offenders. This directive is a variable for the action directive.

protocol = tcp

The protocol from which to ban offenders. This directive is a variable for the action directive.

usedns = warn

The attitude towards DNS host names in log files.

Jails can be declared in the jail.local file or in the jail.d directory.

Most servers will have an SSH server installed. The following is an example of a jail configuration:

[sshd]

logpath = /var/log/auth.log

port = 22

[sshd]

Names the jail sshd. Since filter was set to __name__ in DEFAULT it means that the jail's name is also the name of its filter. There is a filter by the name sshd in the filter.d directory.

logpath = /var/log/auth.log

The log path of the software to monitor. The applied filter will process the log file.

port = 22

The port (range) of the software to monitor. It overrides the value set to port in DEFAULT.

There are tens of filters available for commonly installed server software in the filter.d directory.

Log rotation

The package installs a default logrotate configuration file (/etc/logrotate.d/fail2ban) that can be customised:

/var/log/fail2ban/*.log
{
	copytruncate
	maxage 365
	missingok
	monthly
	notifempty
	rotate 12
}

/var/log/fail2ban/*.log

Sets the configuration scope for the subsequent section. The pattern matches all files (*) ending with the extension log in the /var/log/fail2ban/ directory.

copytruncate

Copy the contents of the log file being rotated into a new file and then truncate the original log file.

maxage 365

Remove log files older than 365 days.

missingok

Do not consider it an error if a log file is missing.

monthly

Perform a log rotation monthly.

notifempty

Do not perform a log rotation on an empty log file.

rotate 12

Perform 12 log rotations before older log files are removed.

Directory ownership and permissions

The configuration directory should be protected:

root@computer:~# chown --recursive root:adm /etc/fail2ban/
root@computer:~# chmod --recursive 0770 /etc/fail2ban/

The log directory should be protected:

root@computer:~# chown --recursive apache:adm /var/log/fail2ban/
root@computer:~# chmod --recursive 0750 /var/log/fail2ban/

Software reinitiation

Fail2ban is restarted when the configuration is done:

root@computer:~# systemctl restart fail2ban.service