
Thread: fail2ban configuration

  1. #1
    Join Date
    Mar 2008
    Beans
    33

    iptables configuration - limit module

    Hi everyone. I am having trouble getting fail2ban to start banning. I've pasted the config file here.

    The fail2ban-server is running, because I can see it when I run the "ps -e" command.

    My SSH server runs on port 443, so I have changed that in the ssh jail. (Not sure if it is better to edit it in this config file or in /etc/services file).

    I want fail2ban to simply block the offending IP address, so I added "action = action_". I am not sure what the difference between "banaction" and "action" is.

    Finally, I have never touched "iptables" except to run "iptables -L" to see if fail2ban had banned the IP address I was purposely typing a failed password from.

    Also, I made sure that the file I am editing is "jail.local" not "jail.conf".

    Finally, it looks like fail2ban is being directed to correct log for ssh - "/var/log/auth.log".


    Thank you for anyone that takes the time to help me figure this out.
    Last edited by Stvnx7; February 26th, 2012 at 12:08 AM. Reason: Topic Changed

  2. #2
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    7,975

    Re: fail2ban configuration

    Howdy,

    Rather than fail2ban, you could just use a single rate limiting rule in iptables that will protect you against pretty much all brute force attacks:
    Code:
    # General new connection rate limiting for DOS and Brute Force protection
    iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
    KISS

  3. #3
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by HermanAB
    Howdy,

    Rather than fail2ban, you could just use a single rate limiting rule in iptables that will protect you against pretty much all brute force attacks:
    Code:
    # General new connection rate limiting for DOS and Brute Force protection
    iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
    KISS
    I think I will implement this solution rather than fail2ban. I don't see the benefit of using another program when it is built into iptables.

    I need a how-to / guide on iptables so that I can understand what that rule is doing.

    However, I would still like to know why the fail2ban configuration seems to be wrong.

  4. #4
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    7,975

    Re: fail2ban configuration

    Just read the iptables man page about ten times. It will eventually make some sense.

  5. #5
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,582
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: fail2ban configuration

    Quote Originally Posted by HermanAB
    Just read the iptables man page about ten times. It will eventually make some sense.

    Ha. Was that a joke?

  6. #6
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by kevdog
    Ha. Was that a joke?
    Lol. I don't think it was a joke. But I am looking at the man page, also looking at the How-to on the Ubuntu wiki.

    I have a high level understanding of it, but need more.

    Guess I'll re-read.

  7. #7
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by HermanAB
    Howdy,

    Rather than fail2ban, you could just use a single rate limiting rule in iptables that will protect you against pretty much all brute force attacks:
    Code:
    # General new connection rate limiting for DOS and Brute Force protection
    iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
    KISS
    Herman, I am trying to understand your rule-specification. I want to understand what I am doing so please tell me if my interpretation is correct.

    Assumption 1: Because you haven't specified a table, iptables will edit the default table, which is "filter"

    Assumption 2: Because you haven't specified a number after the "-I" command, it will insert the rule-specification as Rule 1.

    So therefore, you are editing the "INPUT" chain [or set of rules] in the "filter" table, and putting our new rule-specification as the first rule.

    Question 1: The "-p TCP" parameter specifies that the rule should apply to the TCP protocol. Why are we specifying TCP as the protocol?

    Question 1B: Would it be OK to change this to "-p all" so that it applies to all protocols? This seems to be the default, but I do not know what difference it makes, and if doing "-p all" would be more secure.

    The "-m state --state NEW" means that the packet has to open a new connection.

    The "-m limit --limit 30/minute" part specifies that the packet will continue to match at most 30 times per minute. After this limit is reached, the packet will no longer match.

    Question 2: I do not understand what "--limit-burst 5" actually does.

    The "-j ACCEPT" part says that if the packet matches our rule, then accept the packet. Question 3: what happens when our packet doesn't match our rule-specification? If this is the only rule-specification for my INPUT chain, then will iptables start ignoring packets from the offending IP after the limit is reached?

    Thanks for all the help!! I'm really excited to get this up and running. Once I understand this, I will want to further secure my computer, but one step at a time.

  8. #8
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    OK, I was trying to find an answer to the question that I posed above:

    "The "-j ACCEPT" part says that if the packet matches our rule, then accept the packet. Question 3: what happens when our packet doesn't match our rule-specification? If this is the only rule-specification for my INPUT chain, then will iptables start ignoring packets from the offending IP after the limit is reached?"

    I'm not at my computer at the moment (and SSH is not working), so I can't verify this, but it seems that the default policy for INPUT chain in "filter" table is set to ACCEPT. Should this be changed to DROP?

    Otherwise, the rule-specification above is not doing anything, right? If a packet matches my rule-specification, then "-j ACCEPT" means that the packet is accepted. If the packet does not match the rule-specification, i.e., it reaches the end of the INPUT chain, then it is still accepted by default.

    This leads me to believe that to configure iptables correctly, I need to change the default policy of INPUT chain to DROP.

    Any thoughts?
    Last edited by Stvnx7; February 24th, 2012 at 07:53 PM.

  9. #9
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: fail2ban configuration

    As the computer is remote, you can avoid yourself becoming locked out by putting a rule at the end of the chain dropping all traffic and leaving the default policy as accept.

    This way you won't get locked out by an (accidental) sudo iptables -F.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  10. #10
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by spynappels
    As the computer is remote, you can avoid yourself becoming locked out by putting a rule at the end of the chain dropping all traffic and leaving the default policy as accept.

    This way you won't get locked out by an (accidental) sudo iptables -F.
    I hadn't thought about what would happen if I did run "sudo iptables -F". Great catch, and a very simple solution.

    I was worried that I had missed something logically in HermanAB's rule-specification.

    Another solution, which I think is a bit more 'elegant' since it is still only one rule, is to use the limit module with the "!" flag and change the target to "-j DROP", so that the packet will not match unless it reaches the limit, and once the limit is reached, it will match and be dropped.

    Would this be the right implementation of that rule:

    "-m !limit --limit 30/minute -j DROP"

    I'm not sure if the "!" flag means "don't match until the limit is reached" or if it means "ignore the limit module completely".
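The following is an added example, written for this page and not code from any poster in the thread or from iptables itself. It models the `limit` match as the token bucket it is, so the questions raised in posts #7 through #10 can be checked against constructed traffic: `--limit-burst 5` is the size of the bucket (five new connections can arrive back to back before the 30/minute average applies); the rule on its own with the stock ACCEPT policy drops nothing (post #8); a trailing unconditional DROP does make it bite (post #9); and, a point the thread has not raised, `-m limit` keeps one bucket per rule, not per source address, so a single flooding host spends the tokens for everyone. The third scenario gives each source its own bucket, which is the behaviour of the `hashlimit` match with `--hashlimit-mode srcip` (assumed here, not simulated from the kernel code); its `--hashlimit-above` form is the usual way to express "match once the rate is exceeded", which is what post #10 is reaching for with `!`. Addresses, timings and packet counts are constructed for illustration.

```python
# Added example: token-bucket model of the iptables "limit" match, used to
# compare the chain layouts discussed in this thread.  Not iptables code;
# all addresses and timings below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Models `-m limit --limit <per_minute>/minute --limit-burst <burst>`.

    The kernel keeps ONE credit bucket per rule (not per source address):
    it starts full with `burst` tokens, refills at the average rate, and
    each matching packet spends one token.  A packet matches only when a
    whole token is available."""
    per_minute: float
    burst: int
    credit: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.credit = float(self.burst)          # bucket starts full

    def matches(self, now: float) -> bool:
        elapsed = now - self.last
        self.last = now
        # refill in proportion to elapsed time, never above the burst size
        self.credit = min(float(self.burst),
                          self.credit + elapsed * self.per_minute / 60.0)
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def run_chain(rules, policy, packets):
    """Evaluate (time, src) packets against a chain of (match, target) rules.

    The first matching rule decides; a packet that reaches the end of the
    chain gets the chain's default policy, exactly as iptables does."""
    verdicts = []
    for t, src in packets:
        verdict = policy
        for match, target in rules:
            if match(t, src):
                verdict = target
                break
        verdicts.append((src, verdict))
    return verdicts


def constructed_packets():
    """Constructed traffic: host A opens a new connection every 100 ms for
    2 s (a brute-force pace); host B makes a single attempt at t = 1.0 s."""
    pkts = [(i / 10.0, "10.0.0.1") for i in range(20)]
    pkts.append((1.0, "10.0.0.2"))
    return sorted(pkts)


def tally(verdicts):
    """Count verdicts, e.g. {'ACCEPT': 5, 'DROP': 16}."""
    return dict(Counter(v for _, v in verdicts))


def verdict_for(verdicts, src):
    """Verdicts received by one source address, in order."""
    return [v for s, v in verdicts if s == src]


def limit_accept_default_accept():
    """Post #2's rule alone, policy ACCEPT: every packet is accepted."""
    lim = LimitMatch(per_minute=30, burst=5)
    rules = [(lambda t, s: lim.matches(t), "ACCEPT")]
    return run_chain(rules, "ACCEPT", constructed_packets())


def limit_accept_then_drop():
    """Same rule followed by an unconditional DROP (post #9).  The bucket is
    shared, so host B is dropped together with host A's excess attempts."""
    lim = LimitMatch(per_minute=30, burst=5)
    rules = [(lambda t, s: lim.matches(t), "ACCEPT"),
             (lambda t, s: True, "DROP")]
    return run_chain(rules, "ACCEPT", constructed_packets())


def per_source_limit_then_drop():
    """One bucket per source address (assumed hashlimit srcip semantics):
    host A is throttled after its burst, host B is not affected."""
    buckets = {}

    def per_src(t, s):
        return buckets.setdefault(s, LimitMatch(per_minute=30, burst=5)).matches(t)

    rules = [(per_src, "ACCEPT"), (lambda t, s: True, "DROP")]
    return run_chain(rules, "ACCEPT", constructed_packets())


if __name__ == "__main__":
    for name, fn in [("limit -> ACCEPT, policy ACCEPT", limit_accept_default_accept),
                     ("limit -> ACCEPT, then DROP", limit_accept_then_drop),
                     ("per-source limit, then DROP", per_source_limit_then_drop)]:
        v = fn()
        print(f"{name}: {tally(v)}; host B got {verdict_for(v, '10.0.0.2')}")
```

Two things the model deliberately leaves out. It only feeds packets of state NEW through the chain; in a real INPUT chain that ends in DROP, the packets of the SSH session you are typing into are not NEW and would fall through to that DROP, so an `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule belongs ahead of it. And it does not model `! --limit`: the shared-bucket scenario shows why a per-source counter is what actually isolates the offending host, which is the question post #7 asked.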
