Fail2ban
Fail2ban is a security tool designed to protect servers from brute-force attacks and other types of automated malicious activity.
Introduction
What it does
- Monitors Log Files: Fail2ban scans log files for specific patterns that indicate suspicious activity, such as failed login attempts or other anomalies.
- Blocks IP Addresses: When it detects repeated failed attempts from a particular IP address, it can temporarily or permanently block that IP address using firewall rules (such as with iptables, nftables, or firewalld).
- Configurable: You can customize Fail2ban to monitor different services and define what constitutes "bad behavior." It can protect various services like SSH, FTP, HTTP, and more.
How it works
- Jails: Fail2ban uses "jails," which are configurations specifying which log files to monitor, what patterns to look for, and what actions to take. Each jail is associated with a particular service or application.
- Filters: Filters are used within jails to define the patterns of failed attempts. These are often specified using regular expressions.
- Actions: When a pattern is detected, Fail2ban can execute various actions, typically involving updating firewall rules to block the offending IP addresses.
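How the three pieces fit together, as an added Python example (not Fail2ban's own code): a constructed sshd log, a filter in Fail2ban's failregex style with the <HOST> placeholder, and a simplified jail loop using the maxretry, findtime and bantime settings that jail.local uses. The "action" is reduced to recording a ban expiry instead of calling iptables, and the host pattern is simplified to IPv4.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail settings, named as in jail.local.
MAXRETRY = 3      # failures before a ban
FINDTIME = 600    # seconds in which the failures must occur
BANTIME = 3600    # seconds the ban lasts

# Filter in failregex style; <HOST> marks the offending address.
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+"

# Constructed syslog lines: one host fails three times within a minute,
# the other fails three times but 20 minutes apart.
SAMPLE_LOG = """\
Mar 13 10:15:01 web sshd[4120]: Failed password for root from 203.0.113.7 port 52110 ssh2
Mar 13 10:15:04 web sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 52112 ssh2
Mar 13 10:15:09 web sshd[4122]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar 13 10:15:12 web sshd[4123]: Failed password for root from 203.0.113.7 port 52114 ssh2
Mar 13 10:20:00 web sshd[4130]: Failed password for root from 198.51.100.20 port 40030 ssh2
Mar 13 10:40:00 web sshd[4131]: Failed password for root from 198.51.100.20 port 40031 ssh2
Mar 13 11:00:00 web sshd[4132]: Failed password for root from 198.51.100.20 port 40032 ssh2
""".splitlines()


def compile_failregex(failregex):
    """Expand <HOST> into a named capturing group (IPv4 only, a simplification)."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))


def parse_line(line, year=2024):
    """Split a syslog-style line into (timestamp, message); syslog omits the year."""
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, line[16:]


def run_jail(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Simulate one jail over log lines; return {host: ban expiry} for banned hosts."""
    pattern = compile_failregex(failregex)
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    banned = {}
    for line in lines:
        ts, msg = parse_line(line)
        m = pattern.search(msg)
        if not m:
            continue  # not a failure line for this filter
        host = m.group("host")
        if host in banned and ts < banned[host]:
            continue  # still banned; the firewall would have dropped this
        window = failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)  # the ban action
            window.clear()
    return banned
```

With the default findtime of 600 seconds only 203.0.113.7 is banned; raising findtime to 3600 also catches the slow attempts from 198.51.100.20.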
Configuration
- Main Configuration File: /etc/fail2ban/jail.conf (though it's a good practice to create and modify /etc/fail2ban/jail.local to avoid overwriting the default settings).
- Filters Directory: /etc/fail2ban/filter.d/ contains filter definitions.
- Actions Directory: /etc/fail2ban/action.d/ contains predefined actions for blocking IPs.
Benefits
- Flexible: Fail2ban can probably be configured for any network function that maintains a log file.
- Makes WordPress security plugins superfluous? It would be nice if I could dump WordFence.
- Efficient: Fail2ban has been written in Python, while the actual banning is (in our case) done by iptables. Using a low-level tool like iptables for filtering is much more efficient than using WordPress plugins like WordFence.
- Temporary blocking: It's really nice that blocks can be temporary, so that if someone genuinely makes 20 mistakes in a row, or if a hacked IP address eventually gets cleaned up, they regain access.
Block WordPress login attempts
As mentioned, a jail is a combination of a log file, filters and actions. To monitor WordPress login attempts