| Field | Value |
|---|---|
| Original author(s) | Cyril Jaquier |
| Initial release | October 7, 2004 |
| Stable release | 1.0.2 [1] / 9 November 2022 |
| Repository | |
| Written in | Python |
| Platform | POSIX |
| Type | Intrusion prevention |
| License | GNU GPL v2 |
| Website | www |
Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. [2] It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper. [3]
Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. [4] Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. It includes support for both IPv4 and IPv6. [5] [6] Optionally longer bans can be custom-configured for "recidivist" abusers that keep coming back. [2] Fail2ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.
Fail2ban can perform multiple actions whenever an abusive IP address is detected: [7] update Netfilter/iptables or PF firewall rules, or TCP Wrapper's hosts.deny table, to reject the abuser's IP address; send email notifications; or run any user-defined action that can be carried out by a Python script.
The standard configuration ships with popular filters, including Apache, Lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server. [8] [9] Filters are defined by Python regexes, which may be conveniently customized by an administrator familiar with regular expressions. [2] A combination of a filter and an action is known as a "jail" and is what causes a malicious host to be blocked from accessing specified network services. [2] As well as the examples that are distributed with the software, a "jail" may be created for any network-facing process that creates a log file of access. [10]
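To make the jail mechanics concrete, the following is an added example (not Fail2ban's own code) of a minimal jail in Python: a filter written in fail2ban's `<HOST>` placeholder convention, a per-host failure window governed by `maxretry` and `findtime`, a `bantime` after which the host is automatically released, and a dry-run action that records the iptables/ip6tables rule a real action would install rather than executing it. The log lines, addresses and the chain name `f2b-sshd` are constructed for the example, and the `<HOST>` expansion is a simplification of the one fail2ban itself uses.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sshd lines in syslog format (hypothetical host names and addresses).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar 10 12:00:02 host sshd[1002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar 10 12:00:03 host sshd[1003]: Accepted publickey for alice from 203.0.113.9 port 52000 ssh2
Mar 10 12:00:04 host sshd[1004]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar 10 12:00:05 host sshd[1005]: Failed password for root from 2001:db8::1 port 51003 ssh2
Mar 10 12:10:30 host sshd[1006]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""

# Fail2ban-style failregex: "<HOST>" marks the address to ban. Here it expands to a
# plain IPv4/IPv6 character class, a simplification of fail2ban's own expansion.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"
SSHD_FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"

SYSLOG_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
EPOCH = datetime(2024, 1, 1)  # syslog stamps carry no year; any fixed year works for deltas


def compile_failregex(pattern: str) -> "re.Pattern":
    """Substitute the <HOST> placeholder and compile, as fail2ban does for filter files."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_syslog_time(line: str) -> float:
    """Seconds since EPOCH for the line's syslog timestamp (year assumed constant)."""
    m = SYSLOG_TS_RE.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=EPOCH.year)
    return (dt - EPOCH).total_seconds()


def firewall_command(host: str, op: str, chain: str = "f2b-sshd") -> List[str]:
    """The iptables/ip6tables rule an action would run (chain name is hypothetical)."""
    tool = "ip6tables" if ":" in host else "iptables"
    flag = "-I" if op == "ban" else "-D"
    return [tool, flag, chain, "-s", host, "-j", "REJECT"]


class DryRunAction:
    """Records (op, host, command) instead of executing anything."""

    def __init__(self) -> None:
        self.events: List[Tuple[str, str, str]] = []

    def __call__(self, host: str, op: str) -> None:
        self.events.append((op, host, " ".join(firewall_command(host, op))))


@dataclass
class Jail:
    """A jail is one filter (failregex) plus one action, with maxretry/findtime/bantime."""
    name: str
    failregex: "re.Pattern"
    action: Callable[[str, str], None]
    maxretry: int = 3
    findtime: float = 600.0   # window within which maxretry failures trigger a ban
    bantime: float = 300.0    # how long a ban lasts before the host is released
    _failures: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    _banned: Dict[str, float] = field(default_factory=dict)  # host -> unban time

    def expire_bans(self, now: float) -> List[str]:
        released = [h for h, until in self._banned.items() if now >= until]
        for host in released:
            del self._banned[host]
            self.action(host, "unban")
        return released

    def process_line(self, line: str) -> Optional[str]:
        """Return the host banned by this line, if any."""
        now = parse_syslog_time(line)
        self.expire_bans(now)
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")
        if host in self._banned:
            return None  # already rejected at the firewall; nothing more to do
        window = self._failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self._banned[host] = now + self.bantime
            window.clear()
            self.action(host, "ban")
            return host
        return None


def run_jail(log_text: str, maxretry: int = 3, findtime: float = 600.0,
             bantime: float = 300.0) -> List[Tuple[str, str, str]]:
    """Feed every log line through an sshd jail and return the recorded ban/unban events."""
    action = DryRunAction()
    jail = Jail("sshd", compile_failregex(SSHD_FAILREGEX), action, maxretry, findtime, bantime)
    for line in log_text.splitlines():
        if line.strip():
            jail.process_line(line)
    return action.events


if __name__ == "__main__":
    for op, host, cmd in run_jail(SAMPLE_AUTH_LOG):
        print(f"{op:5} {host:15} {cmd}")
```

With the constructed log, 198.51.100.7 accumulates three failures within the 600 s window and is banned on the third; the bantime of 300 s has elapsed by the 12:10:30 entry, so the host is unbanned before that later failure is counted afresh. Raising `maxretry` to 5, or pushing `bantime` to an hour, changes the outcome in the way the parameters suggest, which is the trade-off the text describes between locking out misconfigured clients and slowing a dictionary attack.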
Fail2ban is similar to DenyHosts [...] but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use Netfilter/iptables and TCP Wrappers /etc/hosts.deny.
— Falko Timme [11]
Fail2ban can be integrated with many APIs, including blocklist.de and AbuseIPDB. [12] [13]
In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.
In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.
Unix security refers to the means of securing a Unix or Unix-like operating system. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user and administrative practices.
IP address blocking or IP banning is a configuration of a network service that blocks requests from hosts with certain IP addresses. IP address blocking is commonly used to protect against brute force attacks and to prevent access by a disruptive address. It can also be used to restrict access to or from a particular geographic area; for example, syndicating content to a specific region through the use of Internet geolocation.
A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.
The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and address of hosts as contributed for inclusion by member organizations. The Domain Name System, first described in 1983 and implemented in 1984, automated the publication process and provided instantaneous and dynamic hostname resolution in the rapidly growing network. In modern operating systems, the hosts file remains an alternative name resolution mechanism, configurable often as part of facilities such as the Name Service Switch as either the primary method or as a fallback method.
TCP Wrappers is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.
iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.
PeerGuardian is a free and open source program developed by Phoenix Labs. It is capable of blocking incoming and outgoing connections based on IP blacklists. The aim of its use was to block peers on the same torrent download from any visibility of your own peer connection using IP lists. The system is also capable of blocking custom ranges, depending upon user preferences.
Netlink is a socket family used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets available on certain Unix-like operating systems, including its original incarnation as a Linux kernel interface, as well as in the form of a later implementation on FreeBSD. Similarly to the Unix domain sockets, and unlike INET sockets, Netlink communication cannot traverse host boundaries. However, while the Unix domain sockets use the file system namespace, Netlink sockets are usually addressed by process identifiers (PIDs).
DenyHosts is a log-based intrusion-prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python Regular Expression Debugger.
NuFW is a software package that extends Netfilter, the Linux kernel-internal packet filtering firewall module. NuFW adds authentication to filtering rules. NuFW is also provided as a hardware firewall, in the EdenWall firewalling appliance. NuFW has been restarted by the FFI and renamed into UFWI.
IPVS implements transport-layer load balancing, usually called Layer 4 LAN switching, as part of the Linux kernel. It's configured via the user-space utility tool.
In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.
Stockade is a TCP-layer blocking tool written in C++. It denies TCP/IP access to registered IP addresses by using the ipfw packet filter. It targets spam prevention, but may also be used against other attackers.
firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework. firewalld's current default backend is nftables. Prior to v0.6.0, iptables was the default backend. Through its abstractions, firewalld acts as an alternative to nft and iptables command line programs. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".
IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall; a standalone firewall system with a web-based management console for configuration.