Preventing Brute Force Attacks with Fail2Ban

If you have an FTP or SSH server exposed to the internet on a static IP, you may face brute force attacks against it. In this article we will learn how to secure an FTP or SSH server against brute force attacks.


How will you come to know that your server is under attack?

If you check your /var/log/auth or /var/log/secure you may see entries like the following:

Apr 20 09:10:40 ftp sshd[4706]: Failed password for illegal user ing from <IP> port 56499 ssh2
Apr 20 09:10:42 ftp sshd[4708]: Illegal user ing from <IP>
Apr 20 09:10:42 ftp sshd[4708]: Failed password for illegal user ing from <IP> port 56663 ssh2
Apr 20 09:10:46 ftp sshd[4712]: Failed password for illegal user rocky from <IP> port 56989 ssh2
Apr 20 09:10:48 ftp sshd[4714]: Illegal user elis from <IP>
Apr 20 09:10:48 ftp sshd[4714]: Failed password for illegal user elis from <IP> port 57153 ssh2
Apr 20 09:10:50 ftp sshd[4716]: Illegal user kiw from <IP>
Apr 20 09:10:50 ftp sshd[4716]: Failed password for illegal user kiw from <IP> port 57328 ssh2
Apr 20 09:10:51 ftp sshd[4718]: Illegal user kiwi from <IP>
Apr 20 09:10:51 ftp sshd[4718]: Failed password for illegal user kiwi from <IP> port 57470 ssh2
Apr 20 09:10:53 ftp sshd[4720]: Illegal user mick from <IP>
Apr 20 09:10:53 ftp sshd[4720]: Failed password for illegal user mick from <IP> port 57646 ssh2
Apr 20 09:10:55 ftp sshd[4722]: Illegal user mick from <IP>
Apr 20 09:10:55 ftp sshd[4722]: Failed password for illegal user mick from <IP> port 57810 ssh2

If you see entries like these, your server is under a brute force attack.

Here <IP> represents the attacker's IP. Often this IP changes or is dynamic.

In the example above, an attacker has run a brute force script against the server that tries to log in with common usernames and common passwords. If this happens many times within a short period, it can also degrade server or network performance.


Solution:

To avoid this we need a system in place that tracks login failures and, if the same IP fails n times, blocks that IP for a predefined period.

We can achieve this with Fail2Ban.


How To:


1. Download Fail2Ban from the URL below:

http://download.fedora.redhat.com/pub/epel/5/i386/fail2ban-0.8.4-23.el5.noarch.rpm

2. Install it using "rpm -ivh fail2ban-0.8.4-23.el5.noarch.rpm"

3. Configure Fail2Ban

Configuration folder -> /etc/fail2ban

Important configuration files -> jail.conf & fail2ban.conf

Actions are defined under the "action.d" folder

Filters are defined under the "filter.d" folder

Make the following changes in /etc/fail2ban/jail.conf to block brute force attacks on a vsftpd server.

Search for the [vsftpd] section and change the directives below:

[vsftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 300

Note that with this jail Fail2Ban monitors /var/log/vsftpd.log for authentication failure entries.

maxretry -> allows 3 login attempts; if the 3rd attempt also fails, the IP is blocked.

bantime -> the IP stays blocked for 300 seconds.

Restart Fail2Ban -> /etc/init.d/fail2ban restart

Check /var/log/fail2ban.log. You should see lines like:

.......... Jail 'vsftpd' started
.......... Jail 'ssh' started

4. Now make some deliberate failed login attempts against this FTP server from a remote machine. When the 3rd attempt fails, the IP is blocked automatically and fail2ban.log shows an entry like:

2011-04-27 14:07:40,124 fail2ban.actions: WARNING [vsftpd] Ban <IP>

5. Fail2Ban works with SSH, SFTP, FTP, Apache, vsftpd, proftpd, etc.
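To make the maxretry and bantime logic concrete, here is a small Python model of what a Fail2Ban filter and jail do over the sshd log format shown above. It is example code added to this article, not Fail2Ban's own; the IP addresses, the year and the findtime window (a real jail option the article leaves at its default) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as shown in the article; syslog timestamps carry no year.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
Apr 20 09:10:40 ftp sshd[4706]: Failed password for illegal user ing from 192.0.2.10 port 56499 ssh2
Apr 20 09:10:42 ftp sshd[4708]: Illegal user ing from 192.0.2.10
Apr 20 09:10:42 ftp sshd[4708]: Failed password for illegal user ing from 192.0.2.10 port 56663 ssh2
Apr 20 09:10:44 ftp sshd[4710]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 20 09:10:46 ftp sshd[4712]: Failed password for illegal user rocky from 192.0.2.10 port 56989 ssh2
Apr 20 09:10:48 ftp sshd[4714]: Failed password for illegal user elis from 192.0.2.10 port 57153 ssh2
Apr 20 09:11:00 ftp sshd[4720]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 20 10:00:00 ftp sshd[4800]: Failed password for root from 203.0.113.5 port 41000 ssh2
Apr 20 10:30:00 ftp sshd[4810]: Failed password for root from 203.0.113.5 port 41001 ssh2
Apr 20 11:00:00 ftp sshd[4820]: Failed password for root from 203.0.113.5 port 41002 ssh2
"""

def parse_time(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=3, findtime=600, bantime=300, year=2011):
    """Return [(ip, ban_expiry)] for IPs with maxretry failures inside findtime seconds.
    maxretry/bantime mirror the article's jail; findtime (Fail2Ban's 600 s default) is assumed."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned, bans = set(), []
    for line in lines:            # lines are assumed chronological, as in a real log file
        m = FAILED.search(line)
        if not m:
            continue              # "Illegal user ..." lines are informational, not failures
        ip, t = m.group("ip"), parse_time(m.group("ts"), year)
        if ip in banned:
            continue              # already banned; the firewall would drop this anyway
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
            bans.append((ip, t + timedelta(seconds=bantime)))
    return bans
```

On the sample log only 192.0.2.10 is banned: 198.51.100.7 fails twice, and 203.0.113.5 fails three times but spread over an hour, so its failures never fall inside the window together.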

Neelesh Gurjar has written 122 articles
