What is fail2ban?
Fail2Ban reads log files such as the /var/log/auth.log file that contain password authorisation failure reports and bans the corresponding IP addresses using firewall rules.
I am just dabbling with Linux and found lots of attempts to brute force SSH into my server. Below is a summary of my fail2ban install on Ubuntu 16.10. If you need more info, use the fail2ban manual.
Install using:
sudo apt-get update && sudo apt-get install fail2ban
If you've opened port 22 on your ufw firewall, fail2ban will ban clients that try to connect more than 6 times without success; it will not break your firewall.
The fail2ban jail configuration lives in /etc/fail2ban/jail.conf, but that file may be replaced by package updates, so put your overriding settings in jail.local. The .conf file is read first, then the .local file, and later settings override earlier ones.
sudo vi /etc/fail2ban/jail.local
The jail.local file can also be used for whitelisting with an ignoreip rule, given as a space-separated list.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using a space separator.
# This will ignore connections coming from common private networks.
# Note that local connections can come from other than just 127.0.0.1, so use CIDR.
# Local, BT, Telefonica UK Limited (O2) and telent
# BT IP range 86.128.0.0 to 86.191.255.255 as 86.128.0.0/10
# Telefonica IP range 82.132.128.0 to 82.132.255.255 as 82.132.128.0/17
# telent IP range 137.221.0.0 to 137.221.255.255 as 137.221.0.0/16
ignoreip = 127.0.0.0/8 192.168.0.0/16 86.128.0.0/10 82.132.128.0/17 137.221.0.0/16
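As an added example (not from the original post), the following Python script checks which addresses the ignoreip line above would exempt from banning and verifies the "X to Y as Z" range-to-CIDR arithmetic in its comments; the IGNOREIP string is copied from the config above, and the helper names and test addresses are constructed for the example.

```python
import ipaddress

# ignoreip value from the jail.local above (space separated, as fail2ban expects).
IGNOREIP = "127.0.0.0/8 192.168.0.0/16 86.128.0.0/10 82.132.128.0/17 137.221.0.0/16"


def parse_ignoreip(value):
    """Split a space-separated ignoreip value into network objects.

    A plain address becomes a /32 (or /128) network.  DNS hostnames are
    skipped because this example runs offline; fail2ban itself resolves them.
    """
    nets = []
    for token in value.split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # hostname or junk: not resolvable offline, skipped here
    return nets


def is_ignored(ip, value=IGNOREIP):
    """True if fail2ban would never ban this address because of ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_ignoreip(value))


def range_to_cidrs(first, last):
    """Minimal CIDR list covering the inclusive range first..last.

    Handy for checking the 'X to Y as Z' comments in the config, which are
    easy to get wrong by hand.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    # constructed sample addresses: one LAN host, one attacker from the log, one O2 address
    for ip in ("192.168.1.93", "151.80.42.102", "82.132.200.1"):
        print(ip, "ignored" if is_ignored(ip) else "can be banned")
    print(range_to_cidrs("82.132.128.0", "82.132.255.255"))  # ['82.132.128.0/17']
```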
Then restart fail2ban:
sudo /etc/init.d/fail2ban restart
After the restart, /var/log/fail2ban.log shows bans being applied and the whitelisted address being ignored:
2016-12-08 17:37:33,212 fail2ban.actions [15557]: NOTICE [sshd] 151.80.42.102 already banned
2016-12-08 17:37:34,214 fail2ban.actions [15557]: NOTICE [sshd] Ban 5.254.97.103
2016-12-08 17:37:34,439 fail2ban.actions [15557]: NOTICE [sshd] Ban 106.57.37.248
2016-12-08 17:37:34,663 fail2ban.actions [15557]: NOTICE [sshd] Ban 98.14.176.92
2016-12-08 19:59:36,422 fail2ban.filter [15557]: INFO [sshd] Ignore 192.168.1.93 by ip
2016-12-08 19:59:38,648 fail2ban.filter [15557]: INFO [sshd] Ignore 192.168.1.93 by ip
2016-12-09 06:25:34,130 fail2ban.filter [15557]: INFO [sshd] Ignore 192.168.1.93 by ip
Then enter the interactive client with sudo fail2ban-client -i and type:
fail2ban> status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 151.80.42.102 178.166.33.83
Type "exit" to leave the interactive client.
If you need to unban an IP, type this in fail2ban interactive mode (the jail is called sshd, as in the status output above):
set sshd unbanip 178.166.33.83
The IP address you have just unbanned is echoed back; it just means 178.166.33.83 is no longer in the ban list.
Below is an example of when I blocked myself while testing. First you have to find your external IP address and check whether it is in your fail2ban log.
First I tried examples to find the external IP using curl, dig and host:
user@geekstuff:~$ curl ipinfo.io/ip
217.43.200.206
user@geekstuff:~$ dig +short antmonkeyonjuice.ddns.net
217.43.200.206
user@geekstuff:~$ host antmonkeyonjuice.ddns.net
antmonkeyonjuice.ddns.net has address 217.43.200.206
Then check whether your address has been banned. Here you can see the failed attempts, then the ban, unban and re-ban for the nginx-noscript jail:
user@geekstuff:~$ sudo grep '217.43' /var/log/fail2ban.log*
/var/log/fail2ban.log.1:2018-10-24 16:04:42,076 fail2ban.filter [1500]: INFO [nginx-noscript] Found 217.43.200.206 - 2018-10-24 16:04:41
/var/log/fail2ban.log.1:2018-10-24 16:04:42,077 fail2ban.filter [1500]: INFO [nginx-noscript] Found 217.43.200.206 - 2018-10-24 16:04:41
/var/log/fail2ban.log.1:2018-10-24 16:04:50,404 fail2ban.filter [1500]: INFO [nginx-noscript] Found 217.43.200.206 - 2018-10-24 16:04:50
/var/log/fail2ban.log.1:2018-10-24 16:04:50,751 fail2ban.actions [1500]: NOTICE [nginx-noscript] Ban 217.43.200.206
/var/log/fail2ban.log.1:2018-10-27 09:31:03,619 fail2ban.actions [1500]: NOTICE [nginx-noscript] Unban 217.43.200.206
/var/log/fail2ban.log.1:2018-10-27 09:33:56,939 fail2ban.actions [1326]: NOTICE [nginx-noscript] Restore Ban 217.43.200.206
Now we know a ban is active and which jail it is in.
user@geekstuff:~$ sudo fail2ban-client set nginx-noscript unbanip 217.43.200.206
217.43.200.206
You may be wondering how to change the bantime, findtime and number of attempts. This is done in the jail.local setup. The default is to ban for 600 seconds (10 minutes); I have increased the ban time by adding the following to the jail.local file:
bantime = 172800 ;48 hours
findtime = 86400 ;1 day
maxretry = 3
The ultimate ban is forever: using -1 as the bantime in jail.local makes bans permanent.
bantime = -1 ;Forever
findtime = 86400 ;1 day
maxretry = 3
You may also be interested in who else is getting banned. The following commands can be used to filter for ban notices and to count recently banned IPs:
~$ history | tail
1992 cat /var/log/fail2ban.log | grep "NOTICE"
1993 cat /var/log/fail2ban.log | grep -c "NOTICE"
1995 cat /var/log/fail2ban.log | grep "nginx"
1996 cat /var/log/fail2ban.log | grep "nginx" | grep "NOTICE"
This pipes the log through grep, filtering on NOTICE.
Note that the ban notice is upper case, and adding -c to grep gives a count of matching lines rather than the lines themselves; that count also includes "Unban" and "already banned" notices, not just new bans.
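As an added example (not from the original post), this Python script replays the NOTICE lines from fail2ban.log to work out which IPs are currently banned per jail and how many distinct IPs were actually banned, which a plain grep -c "NOTICE" overstates because it also counts Unban and "already banned" lines. The sample log is constructed from the lines shown in this post plus one invented Unban; the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample lines constructed for this example, modelled on the post's
# fail2ban.log output (including the grep "file:" prefix on rotated logs).
# The Unban of 5.254.97.103 is invented to show a ban expiring.
SAMPLE_LOG = """\
2016-12-08 17:37:33,212 fail2ban.actions [15557]: NOTICE [sshd] 151.80.42.102 already banned
2016-12-08 17:37:34,214 fail2ban.actions [15557]: NOTICE [sshd] Ban 5.254.97.103
2016-12-08 17:37:34,439 fail2ban.actions [15557]: NOTICE [sshd] Ban 106.57.37.248
2016-12-08 19:59:36,422 fail2ban.filter [15557]: INFO [sshd] Ignore 192.168.1.93 by ip
2016-12-09 06:30:00,000 fail2ban.actions [15557]: NOTICE [sshd] Unban 5.254.97.103
/var/log/fail2ban.log.1:2018-10-24 16:04:50,751 fail2ban.actions [1500]: NOTICE [nginx-noscript] Ban 217.43.200.206
/var/log/fail2ban.log.1:2018-10-27 09:31:03,619 fail2ban.actions [1500]: NOTICE [nginx-noscript] Unban 217.43.200.206
/var/log/fail2ban.log.1:2018-10-27 09:33:56,939 fail2ban.actions [1326]: NOTICE [nginx-noscript] Restore Ban 217.43.200.206
"""

# Only action notices that change ban state match; INFO lines and
# "already banned" notices deliberately do not.
LINE_RE = re.compile(
    r"(?:^/[^:]*:)?"                                   # optional grep file prefix
    r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<event>Restore Ban|Unban|Ban) (?P<ip>\S+)"
)


def ban_state(lines):
    """Replay Ban / Restore Ban / Unban events; return {jail: set of banned IPs}."""
    banned = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("event") == "Unban":
            banned[m.group("jail")].discard(m.group("ip"))
        else:
            banned[m.group("jail")].add(m.group("ip"))
    return {jail: ips for jail, ips in banned.items() if ips}


def ban_counts(lines):
    """Distinct IPs that got a fresh Ban per jail (Restore Ban is a re-apply)."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") == "Ban":
            seen[m.group("jail")].add(m.group("ip"))
    return {jail: len(ips) for jail, ips in seen.items()}
```

Run ban_state(SAMPLE_LOG.splitlines()) to get {'sshd': {'106.57.37.248'}, 'nginx-noscript': {'217.43.200.206'}}; on a real box feed it open('/var/log/fail2ban.log') instead.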