Tweaking fail2ban

http://www.fail2ban.org

After downloading and installing the stable fail2ban release from the fail2ban website it is time to tweak its behaviour. First I checked some settings that are not enabled by default, like the recidive jail: an IP that gets banned again is banned for a longer period. So enable the recidive jail in /etc/fail2ban/jail.local and set its findtime and bantime to your liking. The one condition is that both the bantime and the findtime of the recidive jail must be larger than your 'normal' settings. My jails have a bantime and a findtime of one day; the recidive jail has a bantime of a week and a findtime of two days. So if you get banned again within two days you are banned for a week. For that to work you also have to raise the dbpurgeage setting in /etc/fail2ban/fail2ban.conf (it defaults to one day, 86400 seconds) so the database keeps its entries long enough to cover the recidive findtime. I set mine to 2.5 days (216000 seconds) just to be sure. The recidive jail works by scanning fail2ban's own log for Ban lines, so, as the comment in jail.conf warns, the loglevel must not be set lower than INFO either. Remember to add your own IP addresses to ignoreip, and to restart (or reload) fail2ban after changing settings so they take effect.
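The three relationships above (recidive bantime and findtime larger than the normal ones, dbpurgeage at least as long as the recidive findtime, loglevel not below INFO) are easy to get wrong by hand, so here is a small checker for them. This is an added example, not code from the post or from the fail2ban project; the jail.local and fail2ban.conf texts are constructed to match the settings described above and are not copied from a real system, and the time suffixes (s, m, h, d, w) assume fail2ban 0.9 or newer (older releases only take plain seconds, which the parser also accepts). It only inspects the text handed to it, whereas a real install merges jail.conf with jail.local, so feed it the effective values if your .local only carries overrides.

```python
import configparser

# Constructed examples of the two files discussed above (not copied from a real
# system). Time values use the fail2ban 0.9+ suffixes s, m, h, d, w; older
# releases only accept plain seconds, which to_seconds() handles as well.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 1d
findtime = 1d
maxretry = 3

[sshd]
enabled = true

[recidive]
enabled  = true
bantime  = 1w
findtime = 2d
"""

# Stock fail2ban.conf keeps ban history for one day, shorter than the 2d
# recidive findtime above.
FAIL2BAN_CONF_DEFAULT = """
[Definition]
loglevel = INFO
dbpurgeage = 1d
"""

# The corrected setting from the post: 2.5 days, written in seconds.
FAIL2BAN_CONF_FIXED = """
[Definition]
loglevel = INFO
dbpurgeage = 216000
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Parse '600', '2.5d' or '1w' into a number of seconds."""
    value = value.strip().lower()
    if value and value[-1] in UNITS:
        return float(value[:-1]) * UNITS[value[-1]]
    return float(value)


def check_recidive(jail_local_text, fail2ban_conf_text):
    """Return a list of problems with the recidive setup; an empty list means it is consistent."""
    jails = configparser.ConfigParser(interpolation=None)  # fail2ban configs contain %(...)s
    jails.read_string(jail_local_text)
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(fail2ban_conf_text)

    problems = []
    if not jails.getboolean("recidive", "enabled", fallback=False):
        problems.append("recidive jail is not enabled")
        return problems

    base_ban = to_seconds(jails.get("DEFAULT", "bantime"))
    base_find = to_seconds(jails.get("DEFAULT", "findtime"))
    rec_ban = to_seconds(jails.get("recidive", "bantime"))    # falls back to [DEFAULT]
    rec_find = to_seconds(jails.get("recidive", "findtime"))
    purge = to_seconds(conf.get("Definition", "dbpurgeage", fallback="1d"))
    loglevel = conf.get("Definition", "loglevel", fallback="INFO").upper()

    if rec_ban <= base_ban:
        problems.append("recidive bantime %ds is not longer than the normal bantime %ds" % (rec_ban, base_ban))
    if rec_find <= base_find:
        problems.append("recidive findtime %ds is not longer than the normal findtime %ds" % (rec_find, base_find))
    if purge < rec_find:
        problems.append("dbpurgeage %ds is shorter than the recidive findtime %ds" % (purge, rec_find))
    # recidive reads Ban lines from fail2ban's own log; jail.conf warns that the
    # loglevel must not be lower than INFO or those lines are never written.
    if loglevel not in ("INFO", "DEBUG", "HEAVYDEBUG"):
        problems.append("loglevel %s is lower than INFO, Ban lines will not reach fail2ban.log" % loglevel)
    return problems


if __name__ == "__main__":
    for name, text in (("default fail2ban.conf", FAIL2BAN_CONF_DEFAULT),
                       ("fixed fail2ban.conf", FAIL2BAN_CONF_FIXED)):
        print(name + ":", check_recidive(JAIL_LOCAL, text) or "OK")
```

Run as-is it reports the dbpurgeage problem for the stock fail2ban.conf and nothing for the corrected one; point it at your own files with open(...).read() to check a live setup.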

Next stop was the sshd filter. I use key-based authentication on my SSH server, as most do, so the default regexes in the sshd filter do not catch every attempt to log on, and I added a few of my own. A very handy tool here is fail2ban-regex. First I use it with the --print-all-missed option to list every line the filter missed, and with some extra grepping I show only the lines that contain an IP address.

sudo fail2ban-regex --print-all-missed /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf|grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}"

Now you can see the lines you are not catching yet and write an extra rule for each one you do want to catch. Here are the ones I added myself (each goes on its own line under failregex in the sshd filter):

 ^%(__prefix_line)sReceived disconnect from <HOST>: 11: \[preauth\]\s*$
 ^%(__prefix_line)sDisconnecting: Too many authentication failures for invalid user \w+ from <HOST> port \d+ ssh2 \[preauth\]\s*$
 ^%(__prefix_line)sDisconnecting: Too many authentication failures for root from <HOST> port \d+ ssh2 \[preauth\]\s*$
 ^%(__prefix_line)sConnection closed by <HOST> \[preauth\]\s*$
 ^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$
 ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
 ^%(__prefix_line)sReceived disconnect from <HOST>: 11: disconnected by user\s*$
 ^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
 ^%(__prefix_line)sReceived disconnect from <HOST>: 11: disconnected by user \[preauth\]\s*$
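To see what these patterns actually do before putting them in a live jail, here is the list above run over a handful of sample auth.log lines, the way fail2ban's filter would apply them. This is an added example, not code from the post or from fail2ban itself: the log lines are constructed (RFC 5737 test addresses, not a real host), the __prefix_line stand-in is a simplified "Mon DD HH:MM:SS host sshd[pid]:" syslog prefix rather than the full one from common.conf, and the <HOST> expansion is the one fail2ban uses for IPv4, IPv6 and hostnames. It also shows the edge case to watch for: the "disconnected by user" pattern without [preauth] is what sshd logs when a legitimate user simply logs out, so with a low maxretry it can ban your own users unless they are in ignoreip.

```python
import re
from collections import Counter

# Stand-in for fail2ban's %(__prefix_line)s: a plain "Mon DD HH:MM:SS host sshd[pid]: "
# syslog prefix (assumption; the real one in common.conf covers more log formats).
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+)"

# What fail2ban substitutes for <HOST>: IPv4, IPv6 or a hostname, optionally
# prefixed by ::ffff: for IPv4-mapped addresses.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the post, in fail2ban's own syntax, in the same order.
FAILREGEX = [
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: \[preauth\]\s*$",
    r"^%(__prefix_line)sDisconnecting: Too many authentication failures for invalid user \w+ from <HOST> port \d+ ssh2 \[preauth\]\s*$",
    r"^%(__prefix_line)sDisconnecting: Too many authentication failures for root from <HOST> port \d+ ssh2 \[preauth\]\s*$",
    r"^%(__prefix_line)sConnection closed by <HOST> \[preauth\]\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$",
    r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: disconnected by user\s*$",
    r"^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: disconnected by user \[preauth\]\s*$",
]

# Constructed auth.log lines (not from a real host); 203.0.113.5 and 198.51.100.7
# behave like scanners, 192.0.2.10 is a legitimate user logging in and out.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1234]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]
Mar  3 10:00:02 vps sshd[1235]: Did not receive identification string from 203.0.113.5
Mar  3 10:00:03 vps sshd[1236]: Disconnecting: Too many authentication failures for root from 203.0.113.5 port 40022 ssh2 [preauth]
Mar  3 10:00:04 vps sshd[1237]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 51000
Mar  3 10:00:05 vps sshd[1238]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: RSA SHA256:abcdef
Mar  3 10:05:00 vps sshd[1238]: Received disconnect from 192.0.2.10: 11: disconnected by user
Mar  3 10:06:00 vps sshd[1239]: Connection closed by 192.0.2.10 [preauth]
""".splitlines()


def compile_failregex(failregex):
    """Expand the two fail2ban placeholders and compile the result as a Python regex."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


PATTERNS = [compile_failregex(fr) for fr in FAILREGEX]


def match_line(line):
    """Return (host, index of the first matching failregex) or None, like the filter does."""
    for idx, pattern in enumerate(PATTERNS):
        m = pattern.search(line)
        if m:
            return m.group("host"), idx
    return None


def missed_lines(lines):
    """The equivalent of fail2ban-regex --print-all-missed for this pattern set."""
    return [line for line in lines if match_line(line) is None]


def hosts_to_ban(lines, maxretry):
    """Count matches per host and return those that reach maxretry (findtime ignored here)."""
    hits = Counter()
    for line in lines:
        result = match_line(line)
        if result:
            hits[result[0]] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line.split("]: ", 1)[1])
    print("missed:", missed_lines(SAMPLE_LOG))
    print("maxretry=3:", hosts_to_ban(SAMPLE_LOG, 3))
    # With a lower maxretry the legitimate user 192.0.2.10 gets banned just for
    # logging out and closing one connection, unless it is listed in ignoreip.
    print("maxretry=2:", hosts_to_ban(SAMPLE_LOG, 2))
```

Only the "Accepted publickey" line ends up in the missed list, which is what you want; the more interesting output is the maxretry=2 run, where the legitimate user is banned alongside the scanner. Before adding the broad "disconnected by user" and "Connection closed by" patterns to a jail, check what the normal sessions on your own host produce under them and make sure your own addresses are in ignoreip.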

Be careful with the broader patterns: "Received disconnect from <HOST>: 11: disconnected by user" without [preauth] is also what sshd logs when a legitimate user simply logs out, so with a low maxretry it can ban your own users unless their addresses are in ignoreip. From time to time I rerun the fail2ban-regex check to see whether attackers are using any "new" tricks worth catching.