Fail2Ban (Debian)

From Matts Wiki

This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian.

Basic Commands Cheat Sheet

Check Status

Show status of Fail2Ban and which jails are active:

fail2ban-client status

Show statistics of all active jails as a table:

fail2ban-client stats

Sample output:

                     ║          ║ Filter      ║ Actions
Jail                 ║ Backend  ╟─────────────╫───────────
                     ║          ║ cur │   tot ║ cur │ tot
═════════════════════╬══════════╬═════════════╬═══════════
apache-auth          ║ polling  ║  35 │ 18985 ║  42 │ 862
apache-botsearch     ║ polling  ║   8 │    12 ║   4 │  10
apache-noscript      ║ polling  ║  49 │   242 ║  42 │  57
sshd                 ║ systemd  ║ 187 │  1719 ║ 735 │ 966
═════════════════════╩══════════╩═════════════╩═══════════

Show the status of a particular jail, e.g. sshd, including some statistics and the list of blocked IPs:

fail2ban-client status <jail>
fail2ban-client status sshd

Sample output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 187
|  |- Total failed:     1719
|  `- Journal matches:  _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 735
   |- Total banned:     966
   `- Banned IP list:   1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ...

Here we see that 594 addresses were banned in total, but none are currently banned.

Show all banned IP addresses and the jail each one is banned in:

fail2ban-client banned

Examine an IP Address in More Detail

Show in which jails the given IP addresses are banned:

fail2ban-client banned <IP> [<IP> <IP>]

Show the banned IP addresses of a given jail together with their release times:

fail2ban-client get <jail> banip --with-time

Filter for a given IP address if needed:

fail2ban-client get <jail> banip --with-time | grep <IP>

Adding Addresses Manually

Example of manually banning IP addresses in the sshd jail or removing them from it:

fail2ban-client set sshd banip <IP>
fail2ban-client set sshd unbanip <IP>

Installation

apt-get install fail2ban

Configuration

Extending the Configuration

Configuration files shipped with the package:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

The files above should not be modified, because the next package update may overwrite them. Instead, the following files can be created:

/etc/fail2ban/fail2ban.local
/etc/fail2ban/fail2ban.d/*
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*

The corresponding .conf files can be used as templates when creating the .local files.

Make sure that the files always contain section headers in square brackets.

A permanent ban is implemented by setting bantime to a negative value, e.g. -1.
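As an added illustration of how the .conf/.local layering works (this is not code from the article or from the fail2ban project), the following Python script writes a trimmed, constructed jail.conf and jail.local into a temporary directory, reads them in the order fail2ban uses (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and reports the settings the sshd jail ends up with. It also checks a fragment for the square-bracket section header that fail2ban requires. The file contents are made up for the example, and %(name)s interpolation, which the real jail.conf relies on for log paths, is switched off to keep the script self-contained.

```python
import configparser
import glob
import os
import tempfile

# Constructed file contents for this example (not copies of Debian's shipped files).
JAIL_CONF = """\
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""

JAIL_LOCAL = """\
[DEFAULT]
# raise the default ban duration for every jail
bantime = 1h

[sshd]
enabled = true
# a negative bantime means a permanent ban
bantime = -1
"""


def load_layered(confdir):
    """Read the jail configuration the way fail2ban does: jail.conf, then
    jail.d/*.conf, then jail.local, then jail.d/*.local. Later files override
    earlier ones key by key and missing files are skipped. Interpolation of
    %(name)s references is disabled here (simplification for the example)."""
    files = [os.path.join(confdir, "jail.conf")]
    files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    files.append(os.path.join(confdir, "jail.local"))
    files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(files)
    return cp


def is_permanent(bantime):
    """fail2ban treats a negative bantime (e.g. -1) as a permanent ban."""
    return bantime.strip().startswith("-")


def effective_sshd_settings(confdir):
    """Return the settings the sshd jail would actually run with."""
    cp = load_layered(confdir)
    sshd = cp["sshd"]  # falls back to [DEFAULT] for keys the section lacks
    return {
        "enabled": sshd.getboolean("enabled", fallback=False),
        "bantime": sshd["bantime"],
        "permanent": is_permanent(sshd["bantime"]),
        "maxretry": sshd.getint("maxretry"),
        "logpath": sshd["logpath"],
    }


def has_section_header(text):
    """False when a fragment lacks a [section] header, which fail2ban refuses to load."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        return False
    return True


def demo():
    """Lay out the two constructed files in a temp dir and resolve the sshd jail."""
    with tempfile.TemporaryDirectory() as confdir:
        os.mkdir(os.path.join(confdir, "jail.d"))
        for name, text in (("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL)):
            with open(os.path.join(confdir, name), "w") as fh:
                fh.write(text)
        return effective_sshd_settings(confdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

The run shows the precedence a practitioner should expect: the jail-specific bantime = -1 in jail.local wins over the [DEFAULT] bantime in both files, maxretry is inherited from the shipped jail.conf because no .local redefines it, and a fragment without a section header is rejected rather than silently ignored.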

Finetuning

If the log contains messages such as:

Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth]

extend the failregex parameter in /etc/fail2ban/filter.d/sshd.conf with the following line:

^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$

Developing Fail2Ban Filters

How to Test Fail2Ban Filters?

Use the fail2ban-regex program.

Example:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
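To make visible what the failregex line from the Finetuning section actually does before running it through fail2ban-regex, here is an added Python example (not code from the article or from fail2ban itself). It expands the two fail2ban placeholders, `%(__prefix_line)s` and `<HOST>`, and runs the resulting regex over a few constructed log lines. The two expansions used are deliberately simplified stand-ins assumed for this example; the real `__prefix_line` is defined in /etc/fail2ban/filter.d/common.conf and the real `<HOST>` in fail2ban's code, and both accept far more log layouts, so fail2ban-regex against the real log remains the authoritative test.

```python
import re

# Simplified stand-ins for fail2ban's template variables (assumptions for this
# example; the real definitions are considerably more permissive).
PREFIX_LINE = r"(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?sshd(?:\[\d+\])?: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)"

# The failregex line the article adds to sshd.conf, verbatim.
FAILREGEX_LINE = r"^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$"


def compile_failregex(template):
    """Expand the fail2ban placeholders in a failregex line and compile it."""
    pattern = template.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def matching_hosts(regex, lines):
    """Return (line, host) for every line the filter would count as a failure.
    The <HOST> group is what fail2ban bans, so it must capture only the address."""
    hits = []
    for line in lines:
        m = regex.search(line)
        if m:
            hits.append((line, m.group("host")))
    return hits


# Constructed log lines for the demo (documentation addresses, not real clients).
SAMPLE_LOG = [
    "Dec 31 20:00:00 server sshd[23400]: Connection closed by 203.0.113.7 port 51234 [preauth]",
    "Dec 31 20:00:01 server sshd[23401]: Connection closed by 2001:db8::1 port 40000 [preauth]",
    "Dec 31 20:00:02 server sshd[23402]: Accepted publickey for alice from 198.51.100.2 port 2222 ssh2",
    # A variant wording OpenSSH also emits; the added failregex line does NOT match it.
    "Dec 31 20:00:03 server sshd[23403]: Connection closed by authenticating user bob 192.0.2.9 port 3333 [preauth]",
]


def demo():
    """Run the article's failregex over the sample lines; returns the matched hosts."""
    regex = compile_failregex(FAILREGEX_LINE)
    return [host for _, host in matching_hosts(regex, SAMPLE_LOG)]


if __name__ == "__main__":
    for host in demo():
        print("would count a failure for", host)
```

Two things the output makes concrete. First, the line matches only this exact message form: the fourth sample line, a wording OpenSSH also produces, is not counted, so re-check a custom filter with fail2ban-regex against the live log after sshd upgrades. Second, "Connection closed ... [preauth]" is also logged when a legitimate client drops the connection before authenticating (a monitoring probe, a client without a matching key), so counting it as a failure can ban legitimate sources; choose maxretry and bantime for the sshd jail with that in mind. Consistent with the configuration section above, such a change also belongs in an override file (filter.d/sshd.local) rather than in the shipped sshd.conf, which a package update may replace.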


Further Reading:

https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html

Sources

http://www.fail2ban.org/wiki/index.php/Commands

https://wiki.ubuntuusers.de/fail2ban/