
Keeping up with the threats from the Internet is difficult and time consuming, so the right tools are essential to protect your system and keep the bogeyman out. The best protection comes from systems that are proactive, blocking attacks you do not necessarily know anything about yet: the earlier an attacker is cut off, before they can launch anything, the better your security becomes.

In almost any attack, probing is the first phase, and that is where we can be proactive. In the log files I can easily see a malicious user or bot probing for an attack vector, but by the time he/she/it launches the actual attack (for example against a 0-day vulnerability) I have already lost: I simply would not know whether my system has been compromised.

This is where a simple tool like fail2ban becomes handy. All it does is watch log files for attack patterns and, once the threshold for an address is reached, block that IP address with a firewall rule (iptables on Linux). This way I do not need to know anything about the specific vulnerability, because the attacker is stopped before launching anything. fail2ban is dynamic: an IP address is only blocked for a limited period (the bantime), so a legitimate user who trips the threshold by mistake is let back in once it expires.

That said, it is of course still your responsibility to keep your system up to date and sensibly configured. Not all attacks need probing, and against those fail2ban will not help you.
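How the threshold and the temporary ban interact is easiest to see in a small model. The following Python is an added illustration, not fail2ban's own code: it re-implements the idea of a jail (a failregex using fail2ban's <HOST> tag, a findtime window, maxretry and bantime) and replays it over constructed auth.log lines. The one-line sshd pattern is a simplified stand-in for the shipped sshd filter, and the addresses and timings are made up.

```python
import re
from collections import defaultdict, deque

# fail2ban expands the <HOST> tag in a failregex into this named group
# (the alias quoted in its filter files).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex containing <HOST> into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


class Jail:
    """Toy model of one fail2ban jail: count matches per host inside findtime,
    ban for bantime once maxretry is reached, unban when bantime has elapsed."""

    def __init__(self, failregex, ignoreregex=None, maxretry=3,
                 findtime=600, bantime=600, ignoreip=()):
        self.failregex = compile_failregex(failregex)
        self.ignoreregex = re.compile(ignoreregex) if ignoreregex else None
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> times of recent matches
        self.bans = {}                      # host -> time the ban expires

    def is_banned(self, host, now):
        expiry = self.bans.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[host]             # bantime over: the "dynamic" unban
            return False
        return True

    def feed(self, line, now):
        """Process one log line seen at time `now` (seconds).
        Returns the host if this line triggered a new ban, else None."""
        if self.ignoreregex and self.ignoreregex.search(line):
            return None
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")
        if host in self.ignoreip or self.is_banned(host, now):
            return None
        recent = self.failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:
            recent.popleft()                # only failures inside findtime count
        if len(recent) >= self.maxretry:
            self.bans[host] = now + self.bantime
            recent.clear()
            return host
        return None


# Constructed lines in the style of Debian's /var/log/auth.log, paired with
# the elapsed seconds they were logged at; addresses are documentation ranges.
SAMPLE_AUTH_LOG = [
    (0,   "sshd[100]: Failed password for root from 198.51.100.7 port 40001 ssh2"),
    (10,  "sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2"),
    (20,  "sshd[102]: Accepted publickey for domingo from 192.0.2.10 port 50000 ssh2"),
    (30,  "sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2"),
    (40,  "sshd[104]: Failed password for root from 198.51.100.7 port 40004 ssh2"),
    (50,  "sshd[105]: Failed password for domingo from 192.0.2.10 port 50001 ssh2"),
    (100, "sshd[106]: Failed password for root from 203.0.113.5 port 41000 ssh2"),
    (200, "sshd[107]: Failed password for root from 203.0.113.5 port 41001 ssh2"),
    (700, "sshd[108]: Failed password for root from 198.51.100.7 port 40005 ssh2"),
    (900, "sshd[109]: Failed password for root from 203.0.113.5 port 41002 ssh2"),
]


def run_demo():
    """Replay the sample log; returns (jail, [(time, banned_host), ...])."""
    # Simplified stand-in for the shipped sshd filter (assumption: one pattern only).
    jail = Jail(failregex=r"Failed password for .* from <HOST>",
                maxretry=3, findtime=600, bantime=600,
                ignoreip={"192.0.2.10"})      # the admin's own address is whitelisted
    bans = []
    for t, line in SAMPLE_AUTH_LOG:
        host = jail.feed(line, t)
        if host:
            bans.append((t, host))
    return jail, bans


if __name__ == "__main__":
    jail, bans = run_demo()
    for t, host in bans:
        print(f"t={t}s: banned {host} for {jail.bantime}s")
```

In the replay, 198.51.100.7 is banned on its third failure at t=30 and its attempt at t=40 is ignored, the whitelisted 192.0.2.10 is never counted, and 203.0.113.5 never reaches the threshold because its failures are spread over more than findtime. By t=700 the first ban has expired, so the same host is counted afresh, which is exactly the behaviour that lets a legitimate user back in.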


Install fail2ban:

sudo apt-get install fail2ban

This puts the application on the system; you will find the configuration files in /etc/fail2ban.

There you will find a file called jail.conf and a directory called filter.d. jail.conf is a combination of a template and the default settings. Take the parts you need and put them in a file called jail.local; that way you will not lose your configuration when fail2ban is upgraded and jail.conf is replaced.

The filter.d directory contains the search filters used to identify attack patterns in the log files. Out of the box fail2ban ships pretty much what I need. I have, however, added one more (apache-noscript-tdd) to counter the generic probing that is very common in my log files.

Activate fail2ban only for the services that actually run on your system. There is no point in looking for an IMAP attack if that service is not running.

Use jail.conf as a template and build a jail.local with what you need to look for. jail.local supersedes jail.conf: for any setting present in both files, only the value in jail.local counts.

You can configure defaults in the [DEFAULT] section and override them in the section for each service. You may need a more aggressive or a looser threshold depending on your services and how they are used.

There are three action shortcuts for a violation:

"action_" = ban only
"action_mw" = ban & send an e-mail with a whois report to destemail
"action_mwl" = ban & send an e-mail with a whois report and the relevant log lines

Which one applies is set with the "action" parameter; destemail is the recipient of the alerts. Keep in mind that action_mw and action_mwl run a whois lookup and send a mail for every ban, which on an exposed host quickly becomes a lot of mail.



The resulting jail.local, with the [DEFAULT] section followed by one section per enabled jail. The section name is what fail2ban substitutes for %(__name__)s in the actions.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 600
maxretry = 3

mta = sendmail

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = domingo

# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4

[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error_log
maxretry = 3

[apache-noscript]

enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error_log
maxretry = 3

[apache-noscript-tdd]

enabled = true
port    = http
filter  = apache-noscript-tdd
logpath = /var/log/apache*/*error_log
maxretry = 3

[pureftpd]

enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/pure-ftpd/pure-ftpd.log
maxretry = 3


The custom filter, saved as /etc/fail2ban/filter.d/apache-noscript-tdd.conf. It is the stock apache-noscript filter without the restriction to script extensions, so any "File does not exist" or "script not found" error counts as a probe, except for robots.txt and favicon.ico:

# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 658 $

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat):

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex = .*(robots.txt|favicon.ico)
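To see what this filter actually catches before enabling it, run its failregex and ignoreregex over some constructed Apache error-log lines. The Python below is an added example, not fail2ban's code: it expands <HOST> the way the filter comment describes and reports which client addresses would be counted. The Apache 2.4-format line and the FAILREGEX_24 variant are my own assumptions: Apache 2.4 changed the error line to include the client port and an AHnnnnn message code, which the filter as written does not anticipate.

```python
import re

# fail2ban's alias for <HOST>, as quoted in the filter comment above.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The filter exactly as defined on this page ("[[]" and "[]]" are literal brackets).
FAILREGEX = r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat):"
IGNOREREGEX = r".*(robots.txt|favicon.ico)"

# Assumed variant for Apache 2.4 error lines, which carry "client IP:port" and an
# AHnnnnn code before the message. IPv4 only; not part of the original page.
FAILREGEX_24 = (r"[[]client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?[]] "
                r"(?:AH\d+: )?(File does not exist|script not found or unable to stat):")


def fail2ban_regex(pattern):
    """Expand the <HOST> tag so a filter pattern can be used with Python's re module."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def counted_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return the client addresses fail2ban would count as failures, one per
    matching line, skipping lines that also match ignoreregex."""
    fail, ignore = fail2ban_regex(failregex), re.compile(ignoreregex)
    hosts = []
    for line in lines:
        m = fail.search(line)
        if m and not ignore.search(line):
            hosts.append(m.group("host"))
    return hosts


# Constructed lines in Apache 2.2 error_log format (no real traffic).
SAMPLE_22 = [
    "[Sun Jan 01 10:00:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/phpmyadmin",
    "[Sun Jan 01 10:00:01 2012] [error] [client 198.51.100.7] File does not exist: /var/www/pma",
    "[Sun Jan 01 10:00:02 2012] [error] [client 198.51.100.7] script not found or unable to stat: /usr/lib/cgi-bin/php",
    "[Sun Jan 01 10:00:03 2012] [error] [client 192.0.2.10] File does not exist: /var/www/robots.txt",
    "[Sun Jan 01 10:00:04 2012] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
    "[Sun Jan 01 10:00:05 2012] [error] [client 192.0.2.10] client denied by server configuration: /var/www/private",
]

# Constructed line in Apache 2.4 format (client port and AH code added).
SAMPLE_24 = [
    "[Sun Jan 01 10:00:00.123456 2012] [core:error] [pid 1234] [client 198.51.100.7:40001] AH00128: File does not exist: /var/www/html/phpmyadmin",
]


if __name__ == "__main__":
    print("2.2 lines, page filter:   ", counted_hosts(SAMPLE_22))
    print("2.4 line, page filter:    ", counted_hosts(SAMPLE_24))
    print("2.4 line, adjusted filter:", counted_hosts(SAMPLE_24, FAILREGEX_24))
```

The three probes from 198.51.100.7 are counted, the robots.txt and favicon.ico misses are dropped by ignoreregex, and the "client denied" line never matches; the 2.4-style line matches only the adjusted pattern. On a real host the equivalent check is fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-noscript-tdd.conf, which prints how many lines each pattern matched. Also keep in mind that this filter treats every missing file as a probe: with maxretry = 3 a legitimate visitor who follows a few broken links gets the same ban, so extend the ignoreregex for whatever your own pages are known to request but not serve.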
indexes/fail2ban.txt · Last modified by domingo