Tuesday, September 20, 2016

FAIL2BAN FOR CENTOS 7 WITH IPSET FILTERING FOR INTRUSION IP ADDRESS BLOCKING AND FEEDBACK TO BLOCKLIST.DE

This is a quick recap of how I set up fail2ban with real-time reporting to blocklist.de from my public internet-facing Virtual Private Server (sanyalnet-cloud-vps.freeddns.org) running CentOS 7.

Fail2ban continues to provide a robust first line of defense against the constant dictionary, DDoS and brute-force attacks faced by any internet-facing cloud server. blocklist.de has been providing a very valuable blacklist for free for a long time, and I wanted to take this opportunity to contribute back to blocklist.de as well.

Right after installing an operating system and bringing it up, any new cloud server open to the internet should be hardened first. For my CentOS 7 installation, I found and followed a great set of basic hardening instructions at the highon.coffee blog and also made more tweaks that I documented here.

Then set up your internet email service. I installed and configured my email service to use postfix for SMTP and dovecot for POP and IMAP. I used the awesome instructions here to do so.

Fail2ban defaults to sending emails from the address "fail2ban@<hostname>" and there is no need to change this behavior. A quick way to validate your email MTA is to install the mailx utility and confirm that outgoing emails are being sent successfully - you can send an email from the server to your gmail account, for example.

I then registered an account at blocklist.de and added my server. While adding the server, provide your current IP (dynamic IPs are okay as blocklist provides a separate email address for reporting intrusions on a server with dynamic IP). Also leave the API Key field empty - it will be filled in for you later.

blocklist.de add server form

I configured fail2ban to use ipset (rather than one iptables rule per banned address, which is slower and harder to inspect) to keep track of addresses to block. Check if you have ipset installed, and if not, install the ipset packages using yum install ipset. You should have packages similar to the following installed to proceed.

# rpm -qa | grep ipset
ipset-6.19-4.el7.x86_64
ipset-libs-6.19-4.el7.x86_64

As the attackers started coming in fast and furious, fail2ban was the logical next step. Installing fail2ban is a breeze, thanks to its easy availability from the epel repository. The three steps below are all that are needed to install and bring up the initial configuration of fail2ban and get it ready for modifications needed to use ipset and send intrusion activity reports to blocklist.de.

# yum -y install epel-release
# yum -y install fail2ban
# systemctl enable fail2ban

Once the default fail2ban configuration is up and running with ipset, I created a /etc/fail2ban/jail.local file that overrides a few configuration items with what I need.
  • Default ban action is iptables-ipset-proto4
  • Since I use the free and very nice Uptime Robot service to monitor my servers, I whitelisted the Uptime Robot IPs, which reach out to my server often enough to be flagged as intrusions with failed logon attempts by fail2ban. The list of IP addresses that Uptime Robot's robots use is conveniently published on the Locations and IPs page on the Uptime Robot web-site.
  • Tweaked findtime, bantime and maxretry a bit. I use a ban time of 48 hours only because blocklist.de automatically un-bans IP addresses 48 hours after adding them to their banned IP block list.
  • Adjusted the destemail and sender email addresses to match my account at blocklist.de.
  • Adjusted the action to be email with log entries, i.e. %(action_mwl)s
  • Enabled the fail2ban intrusion reporting filters corresponding to the services provided by my server - ssh, postfix, sendmail and dovecot.
Here is my complete /etc/fail2ban/jail.local file:


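The author's jail.local itself is not reproduced on this page. What follows is an added example, not the author's file, that assembles the overrides listed above into a jail.local for fail2ban 0.9 as packaged in EPEL for CentOS 7. The whitelist ranges (RFC 5737 documentation addresses), the findtime/maxretry values and both email addresses are placeholders to replace with your own.

```ini
[DEFAULT]
# Whitelist. 127.0.0.1/8 is fail2ban's default ignoreip; an ignoreip line in
# jail.local replaces the default list entirely, so keep it here. The two
# ranges after it stand in for the Uptime Robot addresses (placeholders from
# the RFC 5737 documentation space); take the real list from the
# "Locations and IPs" page on the Uptime Robot web-site.
ignoreip = 127.0.0.1/8 192.0.2.0/24 198.51.100.0/24

# Ban for 48 hours (seconds) to line up with the 48-hour expiry blocklist.de
# applies to reported addresses. findtime and maxretry are example values.
bantime  = 172800
findtime = 600
maxretry = 5

# Banned addresses go into a kernel IP set named fail2ban-<jail>, referenced
# by a single iptables rule, instead of one iptables rule per address.
banaction = iptables-ipset-proto4

# Reporting: the mail-with-log-lines action, so each ban email carries the
# log evidence blocklist.de expects. destemail is the reporting address
# blocklist.de assigned to the server entry (placeholder); sender must match
# the address registered with that entry.
destemail = <address-assigned-by-blocklist.de>
sender    = fail2ban@sanyalnet-cloud-vps.freeddns.org
action    = %(action_mwl)s

# Jails for the services this server exposes. Section names must match the
# jail definitions shipped in /etc/fail2ban/jail.conf (do not edit jail.conf;
# overrides belong in jail.local so package updates do not clobber them).
[sshd]
enabled = true

[postfix]
enabled = true

[sendmail-auth]
enabled = true

[dovecot]
enabled = true
```

After saving the file, apply it with `fail2ban-client reload` and confirm the ipset action actually took effect: `fail2ban-client status sshd` should list the jail as active, and `ipset list fail2ban-sshd` should show the set (empty at first, then populated with banned addresses and their remaining timeout). If the set is missing, the action failed to start and the reason will be in /var/log/fail2ban.log.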
The results can be seen readily if the server name is googled. Also look at your /var/log/maillog and /var/log/fail2ban.log to verify everything is working as expected.


You can download a complete tarball of my /etc/fail2ban directory including default and custom configuration files that report intrusions to blocklist.de from my google drive.






