In association with heise online

Fail2ban

Fail2ban, which is also written in Python, uses iptables, the Linux firewall tool, to block undesirable IP addresses. To do so it adds a new rule to the INPUT chain and creates a new chain with a DROP rule for each blocked host. The tool also has native support for TCP wrappers and ipfw. As well as protecting SSH from large volumes of failed logins, it can also protect FTP and mail servers. Under Ubuntu, it can be installed using sudo apt-get install fail2ban. By default, only the rules for SSH are activated. The configuration file jail.conf in the /etc/fail2ban folder contains predefined rules for other services – they merely need to be activated as required.

fail2ban has problems determining the right number of login attempts from the log entry "messages repeated x times".

Like DenyHosts, fail2ban searches for signs of failed login attempts in /var/log/auth.log using regular expressions. Unfortunately, on Ubuntu systems the syslog daemon throws a spanner in the works by, in most cases, writing failed login attempts to the login file in full only once, and after that simply writing "last message repeated x times". fail2ban does not know what to do with this message and consequently only counts the first attempt. This means that attackers can try their luck much more frequently than the default of six failed logins set in the configuration file would suggest.

This Ubuntu problem is well known. Deactivating syslog compression, which is responsible for collating repeated log entries into a single line, is one remedy for this problem. The standard syslog service does not, however, offer this option. DenyHosts does not suffer from this problem as it uses more sophisticated regular expressions.

At a pinch, users can reduce the maximum number of failed logins to, say, 2 in the SSH daemon's configuration options and likewise reduce the maximum number of repeats in the fail2ban settings to 2. Following two unsuccessful logins, the SSH service then drops the connection, with the result that the next attempt to connect produces a new line in the log file, which fail2ban then recognises as a second login attempt. This means that the attacker has just four goes before being blocked by the firewall.
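The counting problem described above, as an added illustration that is not fail2ban's own code: two simplified counters run over a constructed auth.log excerpt, one that ignores syslog's "last message repeated x times" marker (the behaviour the article describes) and one that attributes the repeat count to the host of the preceding failure line. The regular expressions and the hosts_to_ban helper are simplifications assumed for this example, not fail2ban's actual filters.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not real log data): one
# explicit failure that syslog then compresses into a repeat marker, and
# a second host whose two failures are logged as separate lines.
SAMPLE_AUTH_LOG = """\
Jul  3 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Jul  3 10:15:09 host last message repeated 5 times
Jul  3 10:15:20 host sshd[2109]: Failed password for root from 198.51.100.9 port 5123 ssh2
Jul  3 10:15:31 host sshd[2109]: Failed password for root from 198.51.100.9 port 5123 ssh2
"""

# Simplified patterns assumed for this example, not fail2ban's filter files.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<host>\S+) port")
REPEATED = re.compile(r"last message repeated (?P<n>\d+) times")

def count_naive(log):
    """Count only explicit 'Failed password' lines; the syslog repeat
    marker is ignored, so compressed attempts are never seen."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def count_with_repeats(log):
    """Credit 'last message repeated N times' to the host of the failure
    line immediately before it; any other intervening line breaks the link."""
    counts = Counter()
    last_host = None
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            last_host = m.group("host")
            counts[last_host] += 1
            continue
        r = REPEATED.search(line)
        if r:
            if last_host is not None:
                counts[last_host] += int(r.group("n"))
        else:
            last_host = None
    return counts

def hosts_to_ban(counts, maxretry=6):
    """Hosts that reached the jail's maxretry threshold (default 6 here)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With the default threshold the naive counter bans nobody, although 203.0.113.7 made six attempts; lowering maxretry to 2, as the article suggests, only catches hosts whose attempts actually produced separate log lines.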

Compared to DenyHosts, fail2ban nonetheless has the advantage of being able to automatically unblock blocked hosts. Setting the option bantime = 600 deletes the iptables blocking rule automatically after 10 minutes.

Permalink: http://h-online.com/-746235