Fail2ban
Encyclopedia
Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).
Functionality
Fail2ban operates by blocking selected IP addresses that may belong to hosts that are trying to breach the system's security. It determines the hosts to be blocked by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) and bans any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. Fail2ban is typically set up to unban a blocked host within a certain period, so as not to "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.
Fail2ban can perform multiple actions whenever an abusive IP is detected: update Netfilter/iptables firewall rules, or alternatively TCP Wrapper's hosts.deny table, to reject an abuser's IP address; send email notifications; or run any user-defined action that can be carried out by a Python script.
The standard configuration ships with filters for Apache, Lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server. Filters are defined by Python regexes, which may be conveniently customized by an administrator familiar with regular expressions. A combination of a filter and an action is known as a "jail", and is what causes a malicious host to be blocked from accessing specified network services. As well as the examples that are distributed with the software, a "jail" may be created for any network-facing process that creates a log file of access.
Where it fails
Fail2ban fails to protect against a distributed brute force attack. There is no IPv6 support. If your provider automatically set it up, fail2ban will not work.
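The jail mechanics described above (a filter regex, a failure count within a time window, a ban that is lifted again after a set period), as an added Python example that is not Fail2ban's own code: it replays constructed auth.log-style lines through one emulated sshd jail and records the ban and unban events. The option names maxretry, findtime and bantime are Fail2ban's real jail settings, but the `<HOST>` substitution, the sample lines and the addresses are assumptions constructed for this example; it also shows the two limitations from "Where it fails", since attempts spread across several hosts each stay under maxretry and an IPv4-only filter never matches an IPv6 source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Fail2ban filters write the source as <HOST>; this emulation substitutes an IPv4-only
# pattern, which is why the IPv6 source in the sample below is never matched.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for .+ from <HOST> port \d+"
                       .replace("<HOST>", HOST_RE))
EPOCH = datetime(1900, 1, 1)  # strptime without %Y yields 1900; only time differences matter
# Constructed auth.log-style lines (not a real capture): one host hammering sshd, two hosts
# spreading attempts so each stays under maxretry, an IPv6 source, and a later normal login.
SAMPLE_LOG = [
    "Jan 10 10:00:01 srv sshd[900]: Failed password for root from 203.0.113.5 port 4001 ssh2",
    "Jan 10 10:00:05 srv sshd[901]: Failed password for root from 203.0.113.5 port 4002 ssh2",
    "Jan 10 10:00:09 srv sshd[902]: Failed password for admin from 203.0.113.5 port 4003 ssh2",
    "Jan 10 10:01:00 srv sshd[903]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Jan 10 10:01:02 srv sshd[904]: Failed password for root from 198.51.100.8 port 5002 ssh2",
    "Jan 10 10:01:04 srv sshd[905]: Failed password for root from 198.51.100.7 port 5003 ssh2",
    "Jan 10 10:01:06 srv sshd[906]: Failed password for root from 198.51.100.8 port 5004 ssh2",
    "Jan 10 10:02:00 srv sshd[907]: Failed password for root from 2001:db8::1 port 6001 ssh2",
    "Jan 10 10:02:03 srv sshd[908]: Failed password for root from 2001:db8::1 port 6002 ssh2",
    "Jan 10 10:16:00 srv sshd[910]: Accepted publickey for alice from 192.0.2.10 port 7001 ssh2",
]

def line_time(line):
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - EPOCH).total_seconds()

def run_jail(lines, maxretry=3, findtime=600, bantime=900):
    """Replay lines through one jail; return ordered (seconds, "ban"|"unban", host) events."""
    attempts = defaultdict(deque)  # host -> times of recent filter matches
    banned = {}                    # host -> time at which the ban expires
    events = []
    for line in lines:
        now = line_time(line)
        for host, expiry in sorted(banned.items(), key=lambda kv: kv[1]):
            if expiry <= now:      # bantime has elapsed: lift the ban before anything else
                del banned[host]
                events.append((now, "unban", host))
        m = FAILREGEX.search(line)
        if not m:
            continue               # the filter did not match, so this line is not a failure
        host = m.group("host")
        q = attempts[host]
        q.append(now)
        while now - q[0] > findtime:
            q.popleft()            # only failures inside the findtime window count
        if len(q) >= maxretry and host not in banned:
            banned[host] = now + bantime
            events.append((now, "ban", host))
    return events
```

Lowering maxretry to 2 catches the two hosts that spread their attempts out, which is the trade-off an administrator tunes against locking out legitimate users who mistype a password twice.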
See also
- DenyHosts. "Fail2ban is similar to DenyHosts ... but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use Netfilter/iptables and TCP Wrappers /etc/hosts.deny."
- Stockade (software), a rate-limiting approach to spam mitigation.
- OSSEC, an open-source host-based intrusion detection system.
External links
Articles highlighting Fail2ban
- PC Professionell: "Fail2ban - Sicherheit für Linux-Server"
- Gazeta IT: "Obrona przed namiętnymi nieletnimi"
- "Tip of the trade: fail2ban"
- howtoforge: "Preventing Brute Force Attacks With Fail2ban On Debian Etch"
- howtoforge: "Preventing Brute Force Attacks With Fail2ban On OpenSUSE 10.3"
- Art Of The Web: "Fail2ban HOWTO"
- Debian Administration: "Keeping SSH access secure"
- Debian Package a Day: "Fail2ban: an enemy of script-kiddies"
- Defending against brute force ssh attacks
- Linux Magazin: "Unbestechlicher Türsteher"