
Fail2ban is a log-parsing Linux application that scans your server's log files for failed login attempts and automatically adds iptables rules to block the attacker's IP address. It can be configured with respect to the ban time, the time window in which failures are counted, the iptables chain to modify, and which TCP/UDP ports to block. It was initially used against ssh attacks. Fail2ban can also alert you by email that an attack is occurring.

How to install: apt-get install fail2ban (the ssh jail is enabled by default)

How to configure: 

  • nano /etc/fail2ban/jail.local and add the following:
    [nextcloud]
    enabled  = true
    port     = http,https
    filter   = nextcloud
    logpath  = ..../nextcloud-data/nextcloud.log
    maxretry = 6
  • nano /etc/fail2ban/filter.d/nextcloud.conf and add the following:
    [INCLUDES]
    before = common.conf
    [Definition]
    failregex = Login failed.*Remote IP.*'<HOST>'
    ignoreregex =
  • nano /etc/fail2ban/jail.d/nextcloud.local and add the following:
    [nextcloud]
    enabled  = true
    filter   = nextcloud
    action   = iptables-allports[name=nextcloud, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain=FORWARD]
    logpath  = /mnt/hdd_nextcloud/kvm_nextcloud/nextcloud-data/nextcloud.log
    findtime = 600

In short, for any new rule you must create a filter (placed in /etc/fail2ban/filter.d), a jail (placed in /etc/fail2ban/jail.d) and update the jail.local file with the rule. Pay attention to how you write the regular expression (an online regex tester helps). Check your log file to see where the remote IP address appears: fail2ban parses the log file looking for a fixed text ("Login failed") after which the attacker's IP address is logged. After adding a new rule, run "service fail2ban stop" and then "service fail2ban start".
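As an added illustration (not part of the original article), the following Python script applies the page's failregex, with <HOST> expanded the way fail2ban does, to a few constructed Nextcloud JSON log lines and reports which addresses would reach maxretry = 6 inside findtime = 600 s. The host pattern and the timestamp handling are simplifications of fail2ban's own and are assumptions of this example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# failregex exactly as in the page's /etc/fail2ban/filter.d/nextcloud.conf
FAILREGEX = r"Login failed.*Remote IP.*'<HOST>'"
# fail2ban expands <HOST> to an IPv4/IPv6/hostname pattern; simplified here
# (an assumption of this example) to IPv4 and bare IPv6 literals only
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"

def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex into a Python pattern with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def failed_logins(lines, failregex=FAILREGEX):
    """Yield (timestamp, ip) for each raw log line the failregex matches.
    As in fail2ban the regex runs over the raw line; the timestamp is read from
    Nextcloud's JSON "time" field here rather than by fail2ban's date detector."""
    pattern = compile_failregex(failregex)
    for line in lines:
        match = pattern.search(line)
        if match:
            yield datetime.fromisoformat(json.loads(line)["time"]), match.group("host")

def ips_to_ban(lines, maxretry=6, findtime=600):
    """Return the IPs that hit `maxretry` failures inside some `findtime`-second window."""
    hits = defaultdict(list)
    for when, ip in failed_logins(lines):
        hits[ip].append(when)
    banned = set()
    for ip, times in hits.items():
        times.sort()
        # sliding window: the i-th failure against the one maxretry-1 entries before it
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned

def _entry(time, message, ip):
    return json.dumps({"time": time, "remoteAddr": ip, "app": "core", "message": message})

# Constructed sample in the shape of Nextcloud's JSON log lines (not real data): 203.0.113.7
# fails 6x in 5 min (ban), 192.0.2.99 fails 6x over 5 h (no ban: never 6 within 600 s), 1 success.
SAMPLE_LOG = (
    [_entry(f"2024-03-01T10:0{i}:00+00:00", "Login failed: 'admin' (Remote IP: '203.0.113.7')", "203.0.113.7") for i in range(6)]
    + [_entry(f"2024-03-01T{11 + i}:00:00+00:00", "Login failed: 'bob' (Remote IP: '192.0.2.99')", "192.0.2.99") for i in range(6)]
    + [_entry("2024-03-01T10:02:30+00:00", "Login successful: 'alice' (Remote IP: '198.51.100.23')", "198.51.100.23")]
)
```

Before enabling the jail on a real log, the same check can be made against the actual filter with fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf.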

  • check its status: fail2ban-client status nextcloud or fail2ban-client status
  • unban any blocked IP: fail2ban-client set nextcloud unbanip 150.140.0.0
  • regularly check that fail2ban's rules are present: iptables -nL -v
  • customize sendmail with action = %(action_mw)s to receive an email notification when an IP is banned (you may whitelist some IPs to avoid trouble with internal IPs)

fail2ban is an essential tool for protecting your server.