Example for fail2ban

Paolo Predonzani edited this page Dec 27, 2017 · 1 revision

Fail2ban is an intrusion prevention system that monitors a number of server logs, looks for suspicious activity, and bans the originating IPs, preventing further malicious attempts. It is an excellent tool to mitigate brute-force or DoS attacks.

Fail2ban's configuration has many sensible defaults and usually few customisations are required. Still, the number of parameters is high, and if you want to be sure that fail2ban is configured exactly to your requirements, you can either triple-check the configuration manually (which is error-prone) or have Tstconfig check it for you automatically.

A look at fail2ban's configuration file

Fail2ban's main configuration file is located at /etc/fail2ban/jail.conf. Typically you leave it as it is and edit a copy at /etc/fail2ban/jail.local.

The file is made of a DEFAULT section, followed by a number of jail sections. The DEFAULT section provides the common defaults. Each jail section provides the details specific to a protocol, server or type of attack, possibly overriding some of the defaults.

The default section may look like this:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = Fail2Ban

A jail section may look like this (for ssh):

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Testing jail.local with Tstconfig

Create a file called fail2ban.tstconfig with the following content:

# The configuration file to test
file /etc/fail2ban/jail.local

# Fail2ban config files conform to the ini syntax
syntax ini

You certainly want to customise destemail and maybe increase the bantime:

# Let's focus on the DEFAULT section
section DEFAULT

# Make sure notifications are sent to the right address
property destemail
assert_eq your.email@your.domain

# Make sure malicious IPs are banned for 30 minutes
property bantime
assert_eq 1800

In specific jail sections, as a minimum, you want to ensure that the jail is active:

# Make sure ssh logs are watched and bad guys banned
section ssh
property enabled
assert_eq true
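The checks above are declarative: Tstconfig parses the ini file, looks up a property in a section and compares it with the expected value. The following Python script is an added example (not part of this page or of Tstconfig) that implements the same three assertions with the standard library's configparser over a constructed copy of the jail.local shown earlier, and prints a report in the same shape as Tstconfig's. The sample file content, the CHECKS table and all function names are assumptions made for the example.

```python
"""Re-implement the three fail2ban.tstconfig assertions in plain Python.

Added example, not Tstconfig's own code. It reads a fail2ban-style ini
file, looks up (section, property) pairs and compares them with the
expected values, then produces a Tstconfig-like report.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the jail.local snippets on this page.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = Fail2Ban

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
"""

# (section, property, expected value): the same three assert_eq checks
# written in fail2ban.tstconfig above.
CHECKS: List[Tuple[str, str, str]] = [
    ("DEFAULT", "destemail", "your.email@your.domain"),
    ("DEFAULT", "bantime", "1800"),
    ("ssh", "enabled", "true"),
]


@dataclass
class Result:
    section: str
    prop: str
    value: Optional[str]   # None when the section or property is absent
    expected: str
    passed: bool


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse fail2ban-style ini text.

    Interpolation is disabled because fail2ban values use %(name)s
    references that fail2ban expands itself, not configparser.
    """
    cfg = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cfg.read_string(text)
    return cfg


def lookup(cfg: configparser.ConfigParser, section: str, prop: str) -> Optional[str]:
    """Return the raw string value of section/prop, or None if missing."""
    if section == "DEFAULT":
        return cfg.defaults().get(prop)
    if not cfg.has_section(section):
        return None
    # configparser, like fail2ban itself, falls back to [DEFAULT] for any
    # property a jail does not set, so asking for "bantime" in [ssh] yields
    # the default (600 here) rather than None.
    return cfg.get(section, prop, fallback=None)


def run_checks(text: str, checks: List[Tuple[str, str, str]]) -> List[Result]:
    cfg = load_ini(text)
    results = []
    for section, prop, expected in checks:
        value = lookup(cfg, section, prop)
        results.append(Result(section, prop, value, expected, value == expected))
    return results


def summary(results: List[Result]) -> Dict[str, int]:
    passed = sum(1 for r in results if r.passed)
    return {"tested": len(results), "passed": passed, "failed": len(results) - passed}


def report(results: List[Result], path: str = "/etc/fail2ban/jail.local") -> str:
    """Render failures and a summary in the style of Tstconfig's output."""
    lines: List[str] = []
    for r in results:
        if r.passed:
            continue
        lines += [
            "ASSERTION FAILED",
            f" File:      {path}",
            f" Section:   {r.section}",
            f" Property:  {r.prop}",
            f" Value:     {r.value if r.value is not None else '<missing>'}",
            f" Assertion: assert_eq {r.expected}",
            "",
        ]
    s = summary(results)
    lines += [
        f"SUMMARY REPORT: {'FAIL' if s['failed'] else 'PASS'}",
        f"Assertions tested: {s['tested']}",
        f"Assertions passed: {s['passed']}",
        f"Assertions failed: {s['failed']}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_checks(SAMPLE_JAIL_LOCAL, CHECKS)))
```

Run against the sample, the script reports the same two failures (destemail still root@localhost, bantime still 600) and one pass as the Tstconfig run shown in the next section. The lookup helper treats DEFAULT separately because configparser stores that section as defaults that propagate to every jail; this matches fail2ban's own semantics but means a check on a jail-level property can silently pass on an inherited value, which is worth remembering when deciding whether to assert in DEFAULT or in a specific jail.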

Running the tests

From a shell, run the following command:

$ tstconfig fail2ban.tstconfig
Tstconfig 0.2

Reading definition file: fail2ban.tstconfig
ASSERTION FAILED
 File:      /etc/fail2ban/jail.local
 Section:   DEFAULT
 Property:  destemail
 Value:     root@localhost
 Assertion: assert_eq your.email@your.domain

ASSERTION FAILED
 File:      /etc/fail2ban/jail.local
 Section:   DEFAULT
 Property:  bantime
 Value:     600
 Assertion: assert_eq 1800


SUMMARY REPORT: FAIL
Assertions tested: 3
Assertions passed: 1
Assertions failed: 2
Errors: 0

Well, the test failed, but the report gives you the exact file, section and property that you need to change to make the test pass.

Other configuration files

Fail2ban has a number of other configuration files, for additional filters (in /etc/fail2ban/filters.d), actions (in /etc/fail2ban/actions.d) and jails (in /etc/fail2ban/jails.d). These files use the same "ini" syntax with sections and properties, so they can be tested in the same way as we did for jail.local.
