Stifling Brute Force Attacks with fail2ban


fail2ban is a package that monitors your log files for failed login attempts and executes a configured action, usually temporarily blocking the attacking IP with iptables for a set duration. Any exposed service that uses a username/password authentication scheme is vulnerable to dictionary and brute force attack, your first defense if you must expose such a service is to make such attacks as costly as possible and that's where fail2ban comes in. By temporarily blocking an address for even 10 minutes after every 3 failed login attempts you make the process several orders of magnitude slower. Since fail2ban reads plain log files and can be configured for any action one clever deployment could see a log server collecting logs from all the hosts on a network and sharing the relevant logs with the firewall via NFS where fail2ban can quickly cut access to the entire network from the attacker with ease. For the purposes of this article we will only focus on locking down SSH on a local host.

fail2ban is probably available in your distribution's package management system. Gentoo users type:

# emerge fail2ban

If the package is not available for your flavour you can compile it from source, available at http://sourceforge.net/project/showfiles.php?group_id=121032&package_id=132537:

# tar xjf fail2ban-*
# cd fail2ban-*/
# ./setup.py install
# cp /usr/local/src/fail2ban-*/files/{your distro or close match here}-init /etc/init.d/fail2ban

Then add the script to the appropriate runlevels. Gentoo users type:

# rc-update add fail2ban default

Despite the name, fail2ban jails are not like chroot or ssh jails. A 'jail' is the combination of a filter and an action. The filters are regular expressions used to search the log files for interesting lines such as login failures. These filters are located in /etc/fail2ban/filter.d/ and the action scripts are located in /etc/fail2ban/filter.d/. By adding to and tying these filters and actions together in /etc/fail2ban/jail.conf you can re-purpose fail2ban to do just about any log event-triggered action imaginable; once you've given it a good mucking about locking down SSH may seem trite.

Open /etc/fail2ban/jail.conf and find [ssh-iptables], change the configuration block to look like this:

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd/current
maxretry = 5
# findtime = 600
# bantime = 600

You may need to edit logpath to reflect your system's settings. Set maxretry to however many failed login attempts you wish to allow over a given amount of time (findtime) until the source address is blocked for a given amount of time (bantime). The default findtime and bantime  is 600 seconds (10 minutes) and only needs to be set if you would like to choose different durations. If you would like to be notified by e-mail when someone has been blocked (probably not a good idea on a busy public server) add this line to the jail:

mail-whois[name=SSH, [email protected]]

Now make sure your SSH daemon is logging in verbose mode, add this line if you must to /etc/ssh/sshd_config:


If your sshd log entries contain the string pam_unix(sshd:auth) (Gentoo users here) you may need to modify the line starting with __daemon_re in /etc/fail2ban/filter.d/common.conf to look like:

__daemon_re = [\[\(]?%(_daemon)s(?:\([^\)]+\))?[\]\)]?:?

and configuration is over. Now start the server:

/etc/init.d/fail2ban start

If you run iptables --list you should see a fail2ban target. Try breaking into SSH from another host, after a few tries you should be blocked from port 22 on the remote host. Running iptables-save will show you a rule under the fail2ban target for the IP that was just blocked. Once the bantime limit has been reached you will regain access.



Hey, did you get anywhere with using fail2ban with poptop?

Saw a forum post from you :)

Trying to set this up myself, but it is looking like it might be tricky without patching pptpd itself to include an ip in the chap failure line...



Not required for SSH if you are using the IPS due to a custom snort rule against SSH brute forcing however it can be adapted to pretty much anything and I will hopefully post a pptpd config eventually.

• Jase

Hey Kfox just wonder about fine tunning this on clearos