Fail2ban

Last updated
Fail2Ban
Original author(s) Cyril Jaquier
Initial releaseOctober 7, 2004;20 years ago (2004-10-07)
Stable release
1.1.0 [1] / 25 April 2024;7 months ago (25 April 2024)
Repository
Written in Python
Platform POSIX
Type Intrusion prevention
License GNU GPL v2
Website www.fail2ban.org   OOjs UI icon edit-ltr-progressive.svg

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. [2] It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper. [3]

Contents

Functionality

A screenshot of Fail2Ban, demonstrating its ability to ban IP addresses Fail2ban screenshot.jpg
A screenshot of Fail2Ban, demonstrating its ability to ban IP addresses

Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. [4] Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. It includes support for both IPv4 and IPv6. [5] [6] Optionally longer bans can be custom-configured for "recidivist" abusers that keep coming back. [2] Fail2Ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

Fail2Ban can perform multiple actions whenever an abusive IP address is detected: [7] update Netfilter/iptables or PF firewall rules, TCP Wrapper's hosts.deny table, to reject an abuser's IP address; email notifications; or any user-defined action that can be carried out by a Python script.

The standard configuration ships with popular filters, including Apache, Lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server. [8] [9] Filters are defined by Python regexes, which may be conveniently customized by an administrator familiar with regular expressions. [2] A combination of a filter and an action is known as a "jail" and is what causes a malicious host to be blocked from accessing specified network services. [2] As well as the examples that are distributed with the software, a "jail" may be created for any network-facing process that creates a log file of access. [10]

Fail2ban is similar to DenyHosts [...] but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use Netfilter/iptables and TCP Wrappers /etc/hosts.deny.

Falko Timme [11]

Integrations

Fail2Ban can be integrated with many APIs, including blocklist.de and AbuseIPDB. [12] [13]

Shortcomings

See also

Related Research Articles

<span class="mw-page-title-main">IP address spoofing</span> Creating IP packets using a false IP address

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

<span class="mw-page-title-main">Network address translation</span> Technique for making connections between IP address spaces

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initially used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

A whitelist or allowlist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition. Entities on the list will be accepted, approved and/or recognized. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied, unrecognized, or ostracized.

IP address blocking or IP banning is a configuration of a network service that blocks requests from hosts with certain IP addresses. IP address blocking is commonly used to protect against brute force attacks and to prevent access by a disruptive address. It can also be used to restrict access to or from a particular geographic area; for example, syndicating content to a specific region through the use of Internet geolocation.

A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

TCP Wrappers is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in a set of tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

<span class="mw-page-title-main">PeerGuardian</span> Free and open source program developed by Phoenix Labs

PeerGuardian is a free and open source program developed by Phoenix Labs (software). It is capable of blocking incoming and outgoing connections based on IP blacklists. The aim of its use was to block peers on the same torrent download from any visibility of your own peer connection using IP lists. The system is also capable of blocking custom ranges, depending upon user preferences.

Netlink is a socket family used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets available on certain Unix-like operating systems, including its original incarnation as a Linux kernel interface, as well as in the form of a later implementation on FreeBSD. Similarly to the Unix domain sockets, and unlike INET sockets, Netlink communication cannot traverse host boundaries. However, while the Unix domain sockets use the file system namespace, Netlink sockets are usually addressed by process identifiers (PIDs).

DenyHosts is a log-based intrusion-prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python Regular Expression Debugger.

<span class="mw-page-title-main">NuFW</span>

NuFW is a software package that extends Netfilter, the Linux kernel-internal packet filtering firewall module. NuFW adds authentication to filtering rules. NuFW is also provided as a hardware firewall, in the EdenWall firewalling appliance. NuFW has been restarted by the FFI and renamed into UFWI.

<span class="mw-page-title-main">Blacklist (computing)</span> Criteria to control computer access

In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Stockade is a TCP-layer blocking tool written in C++. It denies TCP/IP access to registered IP addresses by using the ipfw packet filter. It targets spam prevention, but may also be used against other attackers

firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework. firewalld's current default backend is nftables. Prior to v0.6.0, iptables was the default backend. Through its abstractions, firewalld acts as an alternative to nft and iptables command line programs. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".

References

  1. "Release 1.1.0". 25 April 2024. Retrieved 23 May 2024.
  2. 1 2 3 4 Bledsoe, Greg (2016-01-14). "Server Hardening | Linux Journal". Linux Journal . Retrieved 2018-09-22.
  3. Jordan, Jeff (2015-06-16). "How to protect your GNU/Linux computer from remote attacks with Fail2ban". Free Software Magazine . Retrieved 2018-09-22.
  4. Van Impe, Koen (2015-12-09). "Defending Against Apache Web Server DDoS Attacks". IBM's Security Intelligence. Retrieved 2018-09-22.
  5. G. Brester, Sergey (2017-08-09). "0.10.0 (2017/08/09) - long-awaited 0.10th version". GitHub . Retrieved 2018-09-22.
  6. Aleksandersen, Daniel (2016-05-31). "IPv6 support finally arrive in Fail2Ban 0.10". Ctrl blog. Retrieved 2018-09-22.
  7. ducea.com (2006-07-03). "Using Fail2Ban to Block Brute Force Attacks".
  8. "fail2ban/config/filter.d". GitHub .
  9. Wallen, Jack (2016-12-23). "How to protect secure shell on CentOS 7 with Fail2ban". TechRepublic . Retrieved 2018-09-22.
  10. Casey, Brad (2016-02-17). "Three server security tools you might not know". TechTarget . Archived from the original on 2016-02-17. Retrieved 2018-09-22.
  11. Timme, Falko (2007-10-08). "Preventing Brute Force Attacks With Fail2Ban On OpenSUSE 10.3" . Retrieved 2007-11-14.
  12. "Integrating AbuseIPDB with Fail2Ban". AbuseIPDB. Retrieved 31 August 2021.
  13. "www.blocklist.de -- Fail2Ban-Reporting Service (we sent Reports from Attacks on Postfix, SSH, Apache-Attacks, Spambots, irc-Bots, Reg-Bots, DDos and more) from Fail2Ban via X-ARF". Blocklist.de. Retrieved 31 August 2021.