fail2ban. Automatic Banning of Brute-Force IPs

fail2ban is the single easiest way to shut down SSH brute-force attacks during NCAE. Install enable done. This lesson covers the three config files you care about, the one crucial whitelist entry (scoring engine), and how to unban when you accidentally lock someone out.

Objectives

• Install fail2ban on Debian/Ubuntu
• Understand the three-level config: fail2ban.conf jail.conf jail.local
• Enable the sshd jail
• Whitelist an IP range with `ignoreip`
• Check jail status with `fail2ban-client`
• Unban an IP manually

Quick reference

Common pitfalls

• Editing `/etc/fail2ban/jail.conf` directly. gets overwritten on package upgrade. Always use `jail.local`
• Forgetting to whitelist the scoring engine. gets banned after 5 rapid checks, service goes red
• Setting `bantime = -1` (permanent) during practice. locks yourself out forever
• Default `backend = auto` sometimes fails to detect systemd journal. explicit `backend = systemd` is safer
• Config change without reload. `fail2ban-client reload`

How it works (walkthrough)

# /etc/fail2ban/jail.local  (NEVER edit jail.conf. always the .local override)
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
# Whitelist scoring engine + localhost so they're never banned:
ignoreip = 127.0.0.1/8 ::1 <SCORING_ENGINE_IP>/32

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = systemd

[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

Skill drills

1. 1. File you edit to configure fail2ban (not jail.conf)?
   Reveal

   /etc/fail2ban/jail.local
2. 2. Config key that whitelists IPs from banning?
   Reveal

   ignoreip
3. 3. Command to see which IPs are banned in the sshd jail?
   Reveal

   fail2ban-client status sshd
4. 4. Command to remove a ban manually?
   Reveal

   fail2ban-client unban <IP>
5. 5. What's the default bantime (on most distros)?
   Reveal

   10 minutes (600 seconds)

NCAE scoreboard patterns this lesson prevents

• 2,502.8 SSH Login. Failed to connect to host: IP
• 44.4 SSH Login. The following users failed to authenticate with their public key: nills, vetomo
• 44.4 SSH Login. The following users failed to authenticate with their public key: vetomo, nills
• 36.1 SSH Login. The following users failed to authenticate with their public key: simone_weil, todd_k
• 36.1 SSH Login. The following users failed to authenticate with their public key: vetomo, todd_k
• 30.6 SSH Login. The following users failed to authenticate with their public key: claude_chevalley
• 27.8 SSH Login. The following users failed to authenticate with their public key: claude_chevalley, simone_weil
• 27.8 SSH Login. The following users failed to authenticate with their public key: nills, simone_weil
• 27.8 SSH Login. The following users failed to authenticate with their public key: nills, todd_k
• 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, claude_chevalley
• 25 SSH Login. The following users failed to authenticate with their public key: nills
• 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, nills
• 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo, claude_chevalley
• 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo
• 19.4 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, nills