Fail2ban

From De Vliegende Brigade

Fail2ban is a security tool designed to protect servers from brute-force attacks and other types of automated malicious activity.

Introduction

What it does

  • Monitors Log Files: Fail2ban scans log files for specific patterns that indicate suspicious activity, such as failed login attempts or other anomalies
  • Blocks IP Addresses: When it detects repeated failed attempts from a particular IP address, it can temporarily or permanently block that IP address using firewall rules (such as with iptables, nftables, or firewalld)
  • Configurable: You can customize Fail2ban to monitor different services and define what constitutes "bad behavior." It can protect various services like SSH, FTP, HTTP, and more.

How it works

  • Jails: Fail2ban uses "jails," which are configurations specifying which log files to monitor, what patterns to look for, and what actions to take. Each jail is associated with a particular service or application
  • Filters: Filters are used within jails to define the patterns of failed attempts. These are often specified using regular expressions
  • Actions: When a pattern is detected, Fail2ban can execute various actions, typically involving updating firewall rules to block the offending IP addresses.

Configuration

  • Main Configuration File: /etc/fail2ban/jail.conf (though it's a good practice to create and modify /etc/fail2ban/jail.local to avoid overwriting the default settings)
  • Filters Directory: /etc/fail2ban/filter.d/ contains filter definitions
  • Actions Directory: /etc/fail2ban/action.d/ contains predefined actions for blocking IPs.

Benefits

  • Flexible: Fail2ban can probably be configured for any network function that maintains a log file
  • Makes WordPress security plugins superfluous? It would be nice if I could dump WordFence
  • Efficient: Fail2ban is written in Python, while the actual banning is (in our case) done by iptables. Using a low-level tool like iptables for filtering is much more efficient than using WordPress plugins like WordFence
  • Temporary blocking: It's really nice that blocks can be temporary, so that someone who genuinely makes 20 mistakes in a row, or a compromised IP address that eventually gets cleaned up, regains access.

Block WordPress login attempts

As mentioned, a jail is a combination of a log file, filters and actions. To monitor WordPress login attempts
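To make the jail/filter/action split concrete, here is an added Python example (not from this wiki page and not fail2ban's own code) that simulates what a WordPress login jail does: it applies a fail2ban-style failregex to constructed Apache access-log lines, counts matches per IP address within findtime, and issues a temporary ban once maxretry is reached. The failregex, the assumption that a failed login is a POST to wp-login.php answered with HTTP 200 (a success redirects with 302), the jail values and the sample IP addresses are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta
# Filter in fail2ban syntax (fail2ban expands <HOST> into a capturing group).
# Counting POSTs to wp-login.php answered with HTTP 200 as failures (WordPress
# re-renders the form on failure, redirects with 302 on success) is an
# assumption of this example, not a filter taken from the page or the project.
FAILREGEX = r'^<HOST> -.*"POST /wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 '
HOST_GROUP = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST>
TS_RE = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(minutes=10)  # assumed jail.local values
def compile_failregex(pattern):
    """Substitute the <HOST> token the way fail2ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))
def parse_line(regex, line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = regex.search(line)
    if not m:
        return None
    ts = TS_RE.search(line).group(1)
    return m.group("host"), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
def run_jail(lines):
    """Simulate a jail: ban a host after MAXRETRY matches inside FINDTIME.
    Returns [(host, ban_start, ban_end), ...]; a ban lapses after BANTIME."""
    regex = compile_failregex(FAILREGEX)
    failures, banned, bans = {}, {}, []
    for line in lines:
        hit = parse_line(regex, line)
        if hit is None:
            continue
        host, when = hit
        if host in banned and when < banned[host]:
            continue  # still banned; the firewall rule drops this traffic anyway
        recent = [t for t in failures.get(host, []) if when - t <= FINDTIME]
        recent.append(when)
        failures[host] = recent
        if len(recent) >= MAXRETRY:  # the "action": issue a temporary ban
            banned[host] = when + BANTIME
            bans.append((host, when, banned[host]))
            failures[host] = []
    return bans

# Constructed access-log lines (not real traffic): 203.0.113.5 fails five
# times; 198.51.100.7 fails once, then succeeds (302); a GET never matches.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2024:12:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "curl/8.0"'
    for s in range(5)
] + [
    '198.51.100.7 - - [10/Jan/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3042 "-" "curl/8.0"',
]
```

Running `run_jail(SAMPLE_LOG)` bans only 203.0.113.5, from its fifth failure until ten minutes later; the real jail would hand that decision to an action in /etc/fail2ban/action.d/ that inserts the iptables rule.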

Sources