Any service that is exposed to the Internet is at risk of malware attacks. For example, if you are running a service on a publicly available network, attackers can use brute-force attempts to sign in to your account.
Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.
This article describes how to install and configure Fail2ban on Ubuntu 20.04.
低于 ubuntu 20.04 的系统,可以参考 ubuntu 16.04防止SSH暴力登录攻击 。
Installing Fail2ban on Ubuntu
The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, enter the following command as root or user with sudo privileges :
|
1 2 3 |
$ sudo apt update $ sudo apt install fail2ban |
Once the installation is completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:
|
1 |
$ sudo systemctl status fail2ban |
The output will look like this:
|
1 2 3 4 5 6 7 8 9 |
● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago Docs: man:fail2ban(1) Main PID: 1251 (f2b/server) Tasks: 5 (limit: 1079) Memory: 13.8M CGroup: /system.slice/fail2ban.service └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start |
That’s it. At this point, you have Fail2Ban running on your Ubuntu server.
Fail2ban Configuration
The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files as they may be overwritten when the package is updated.
Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:
/etc/fail2ban/jail.conf/etc/fail2ban/jail.d/*.conf/etc/fail2ban/jail.local/etc/fail2ban/jail.d/*.local
For most users, the easiest way to configure Fail2ban is to copy the jail.conf to jail.local and modify the .local file. More advanced users can build a .localconfiguration file from scratch. The .local file doesn’t have to include all settings from the corresponding .conf file, only those you want to override.
Create a .local configuration file from the default jail.conf file:
|
1 |
$ sudo cp /etc/fail2ban/jail.{conf,local} |
To start configuring the Fail2ban server open, the jail.local file with your text editor :
|
1 |
$ sudo nano /etc/fail2ban/jail.local |
The file includes comments describing what each configuration option does. In this example, we’ll change the basic settings.
Whitelist IP Addresses
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. Here you should add your local PC IP address and all other machines that you want to whitelist.
Uncomment the line starting with ignoreip and add your IP addresses separated by space:
/etc/fail2ban/jail.local
|
1 |
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24 |
Ban Settings
The values of bantime, findtime, and maxretry options define the ban time and ban conditions.
bantime is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the bantime value is set to 10 minutes. Generally, most users will want to set a longer ban time. Change the value to your liking:
/etc/fail2ban/jail.local
|
1 |
bantime = 1d |
To permanently ban the IP use a negative number.
findtime is the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry, see below), those failures must occur within the findtime duration.
/etc/fail2ban/jail.local
|
1 2 |
# 这个时间段内超过规定次数会被ban掉 findtime = 10m |
maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.
/etc/fail2ban/jail.local
|
1 |
maxretry = 5 |
Email Notifications
Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP installed on your server and change the default action, which only bans the IP to %(action_mw)s, as shown below:
/etc/fail2ban/jail.local
|
1 |
action = %(action_mw)s |
%(action_mw)s bans the offending IP and sends an email with a whois report. If you want to include the relevant logs in the email, set the action to %(action_mwl)s.
You can also adjust the sending and receiving email addresses:
/etc/fail2ban/jail.local
|
1 2 |
destemail = admin@linuxize.com sender = root@linuxize.com |
Fail2ban Jails
Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.
By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the proftpd jail:
/etc/fail2ban/jail.local
|
1 2 3 4 5 |
[proftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(proftpd_log)s backend = %(proftpd_backend)s |
The settings we discussed in the previous section, can be set per jail. Here is an example:
/etc/fail2ban/jail.local
|
1 2 3 4 5 6 |
[sshd] enabled = true maxretry = 3 findtime = 1d bantime = 4w ignoreip = 127.0.0.1/8 23.34.45.56 |
The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with same name as the jail. If you have custom setup and experience with regular expressions you can fine tune the filters.
Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect:
|
1 |
$ sudo systemctl restart fail2ban |
Fail2ban Client
Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.
To view all available options, invoke the command with the -h option:
|
1 |
$ fail2ban-client -h |
This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:
-
Check the jail status:
1$ sudo fail2ban-client status sshd -
Unban an IP:
1$ sudo fail2ban-client set sshd unbanip 23.34.45.56 -
Ban an IP:
1$ sudo fail2ban-client set sshd banip 23.34.45.56
Conclusion
We’ve shown you how to install and configure Fail2ban on Ubuntu 20.04.
For more information on this topic, visit the Fail2ban documentation .
If you have questions, feel free to leave a comment below.
注意:如果服务器上启用了 UFW 防火墙,则几乎必然出现 Fail2ban 无法阻止攻击者 IP 的情况。
尽管 Fail2ban 已经提示阻止用户访问。但是由于 iptables 的顺序问题,根本不起作用,依旧在 /var/log/auth.log 中观察到不断的访问尝试。
解决方法如下:
|
1 |
$ sudo vim /etc/fail2ban/jail.local |
将
|
1 2 |
banaction = iptables-multiport banaction_allports = iptables-allports |
更改为
|
1 2 |
banaction = ufw banaction_allports = ufw |
防火墙规则要求通过 UFW 进行设置。
重新载修改后的配置信息
|
1 |
$ sudo fail2ban-client reload |
默认情况下,执行如下命令后:
|
1 2 3 |
$ sudo systemctl enable ufw $ sudo ufw enable |
UFW 服务器应该随着服务器重启自动启动,但是却经常没有启动,尤其是 ubuntu 20.04 。
参考 Fix ufw service not loading after a reboot 调整。
默认情况下,Fail2ban的配置是没办法阻止用户名尝试的,因此,我们需要新增如下配置才能解决问题。
First, define the filter for invalid users in /etc/fail2ban/filter.d/sshd-invaliduser.conf:
|
1 2 3 4 5 6 7 8 9 10 11 |
[INCLUDES] before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd |
Then enable it in /etc/fail2ban/jail.local:
|
1 2 3 4 5 6 |
[sshd-invaliduser] enabled = true maxretry = 1 port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s |
默认情况下,Fail2ban的配置是没办法阻止root登陆尝试的,因此,我们需要新增如下配置才能解决问题。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[INCLUDES] before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$ ignoreregex = [Init] maxlines = 10 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd |
Then enable it in /etc/fail2ban/jail.local:
|
1 2 3 4 5 6 |
[sshd-ban-root] enabled = true maxretry = 1 port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s |
移除被禁止访问的IP
我们自己操作的时候,可能会把自己给禁止访问,此时需要手工从禁止列表中移除某些特定的IP
|
1 |
$ sudo fail2ban-client unban xx.xx.xx.xx |
参考链接
- How to Install and Configure Fail2ban on Ubuntu 20.04
- ubuntu 16.04防止SSH暴力登录攻击
- Ubuntu:使用Fail2ban防止暴力破解SSH等服务
- UFW与fail2ban结合使用时的设置以及fail2ban的过滤器设置
- lightdm通过systemd控制开机自启动
- Fix ufw service not loading after a reboot
- Fix ufw service not loading after a reboot
- Fail2ban MANUAL 0 8
- Fail2Ban or DenyHosts to block invalid username SSH login attempts
- Fail2Ban: ban every root login attempt
- How to Unban an IP properly with Fail2Ban