The first thing to do is install fail2ban from the repository; I'm assuming you are already connected to the internet.
The default configuration lives in /etc/fail2ban/jail.conf. The top of that file suggests creating /etc/fail2ban/jail.local to override the defaults, since the original file will get overwritten when the package is upgraded over time.
Use the original file as a template for jail.local.
The only service with external exposure past my firewall is ssh, so as you can see, that is the only service that's enabled. I've also ignored my own private class B network (ignoreip) since that doesn't get routed past my home router anyway.
I've also changed the bantime to 6 hours. I think I'll keep an eye on my log files for a while; it might be interesting reading (for me anyway) to see where these attempts are coming from. Mostly China is my guess, so it will be good to see if my theories hold out.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko
#
# $Revision: 281 $
#
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.15
# bantime = 600
# changed to 6hr ban
bantime = 21600
maxretry = 3
# "backend" specifies the backend used to get file modifications. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn’t work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc). It is used to define the
# action_* variables. Can be overridden globally or per
# section within the jail.local file.
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to the conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
#
# Action shortcuts. To be used to define the action parameter.
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
# ban & send an e-mail with whois report to the destemail.
# (continuation lines of a multi-line value must be indented)
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose the default action. To change it, just override the value of 'action' with the
# interpolation of the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local,
# globally (section [DEFAULT]) or per specific section.
action = %(action_)s
#
# JAILS
#
# The following jails correspond to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any jail defined here by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
A quick and dirty bash script to collect the bans in a list so that I can check them later.
#!/bin/bash
# 13th June 2010
# Filename : daily_ssh_bans.sh
# Located : $HOME/bin
#
# Quick and dirty bash file to be used with the fail2ban package.
#
# It greps the fail2ban.log file and appends the bans to a
# file called ssh_bans.txt in the home directory of the user
# running the script.
#
# The cron entry below runs this script every day at 10:00
#
# 00 10 * * * $HOME/bin/daily_ssh_bans.sh > /dev/null
#
# Exit on error
set -o errexit
export PATH=/usr/local/bin:/usr/bin:/bin
# grep reads the log directly; no need to pipe it through cat
grep Ban /var/log/fail2ban.log >> "$HOME/ssh_bans.txt"
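The script above appends every matching line each day, so earlier bans show up again on every run. As an added example (not part of the original post), the following collector instead parses the "Ban" lines into a per-jail, per-IP count and a deduplicated IP list; it assumes the fail2ban 0.8.x log line format shown in the comment, and the sample log is constructed here for illustration.

```bash
#!/bin/bash
# Added example: summarise fail2ban "Ban" lines per jail and IP.
# Assumes the fail2ban 0.8.x log format (constructed sample below), e.g.
#   2010-06-13 09:12:01,001 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
set -o errexit
export PATH=/usr/local/bin:/usr/bin:/bin

# Print "count jail ip" for every IP that was banned, most-banned first.
# Only "Ban" lines are matched; "Unban" and filter lines are ignored.
# $1 = path to a fail2ban.log
summarize_bans() {
    grep -E 'fail2ban\.actions.*] Ban [0-9.]+$' "$1" \
      | awk '{ jail = $5; ip = $7; gsub(/\[|\]/, "", jail); n[jail " " ip]++ }
             END { for (k in n) print n[k], k }' \
      | sort -k1,1nr -k2,2 -k3,3
}

# Sorted, deduplicated list of banned IPs (what the daily script really wants).
unique_banned_ips() {
    summarize_bans "$1" | awk '{ print $3 }' | sort -u
}

# Constructed sample log (documentation-range addresses) so this runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2010-06-13 09:12:01,001 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-06-13 09:40:17,002 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-13 15:12:01,003 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2010-06-13 15:40:17,004 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2010-06-13 16:03:44,005 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-06-13 16:10:02,006 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2010-06-13 17:00:00,007 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
EOF

# Use a real log when one is given, otherwise the sample.
LOG=${1:-$SAMPLE_LOG}
summarize_bans "$LOG"
```

Running it against /var/log/fail2ban.log gives one line per offending address, so a repeat offender shows up as a rising count rather than as duplicate lines.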