Fail2Ban

Fail2Ban helps secure a web server by scanning log files such as /var/log/auth.log or /var/log/nginx/error.log and banning IP addresses that make too many failed login attempts. It does this by updating the system firewall rules to reject new connections from those IP addresses for a configurable amount of time; the default is 10 minutes. This limits brute-force attacks, such as dictionary attacks, that exploit weak passwords to gain access to the server.

Starting in v9.1.0 the fail2ban package can optionally be installed during the gateway setup process. Below is a general guide to installing this package manually or for previous versions. See this link for an in-depth guide to installing fail2ban.

Prerequisites:

Install fail2ban

sudo apt-get update
sudo apt-get install fail2ban
By default fail2ban is configured to ban only failed SSH login attempts. In addition to this we want to secure the Gateway application, which runs as the default website under nginx.

We need to create a new “jail” rule file:

sudo nano /etc/fail2ban/jail.local

Paste the following code in this file and save.

[nginx-http-auth]

enabled = true
filter = nginx-http-auth
port = http,https
# For v9.0 and prior use /var/log/nginx/default.error.log
logpath = /var/log/nginx/gateway.error.log
ignoreip = 127.0.0.1/8
maxretry = 2
#bantime = 3600    # 10 minutes (600 s) is the default if not specified
#findtime = 3600   # These lines combine to ban clients that fail
#maxretry = 6      # to authenticate 6 times within one hour (3600 s).

Fail2ban should already include the required /etc/fail2ban/filter.d/nginx-http-auth.conf file, which contains the regular expressions used to match login failures in the nginx error log.
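To see what the jail above actually does with the error log, here is an added, stand-alone simulation (not fail2ban's own code) of the counting rule: it applies an approximation of the nginx-http-auth failregex to a few constructed nginx error-log lines and bans any client that reaches maxretry failures inside the findtime window, skipping addresses covered by ignoreip. The log lines, IP addresses and the simplified regex are assumptions made for the example; only the jail parameters (maxretry = 2, ignoreip = 127.0.0.1/8, the 600 s default findtime) come from the page.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx error-log lines (not real log data): the "password mismatch"
# and "was not found in .htpasswd" forms are the ones the filter is meant to catch.
SAMPLE_LOG = """\
2024/03/01 10:00:01 [error] 1234#1234: *7 user "admin": password mismatch, client: 203.0.113.7, server: _, request: "GET /admin HTTP/1.1", host: "gateway.example"
2024/03/01 10:00:05 [error] 1234#1234: *8 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: _, request: "GET / HTTP/1.1", host: "gateway.example"
2024/03/01 10:00:09 [error] 1234#1234: *9 user "admin": password mismatch, client: 203.0.113.7, server: _, request: "GET /admin HTTP/1.1", host: "gateway.example"
2024/03/01 10:00:12 [error] 1234#1234: *10 user "alice": password mismatch, client: 127.0.0.1, server: _, request: "GET / HTTP/1.1", host: "gateway.example"
2024/03/01 10:00:13 [error] 1234#1234: *11 user "alice": password mismatch, client: 127.0.0.1, server: _, request: "GET / HTTP/1.1", host: "gateway.example"
2024/03/01 10:05:00 [error] 1234#1234: *12 user "bob": password mismatch, client: 192.0.2.20, server: _, request: "GET / HTTP/1.1", host: "gateway.example"
2024/03/01 10:20:00 [error] 1234#1234: *13 user "bob": password mismatch, client: 192.0.2.20, server: _, request: "GET / HTTP/1.1", host: "gateway.example"
2024/03/01 10:20:01 [notice] 1234#1234: signal process started
"""

# Simplified stand-in for the failregex in filter.d/nginx-http-auth.conf
# (assumption: the shipped filter is more elaborate, but matches the same two forms).
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?::? password mismatch| was not found in "[^"]*"), '
    r'client: (?P<host>[0-9a-fA-F.:]+),'
)

def parse_failures(log_text):
    """Return (timestamp, ip) for every line the filter would count as a failure."""
    out = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["host"]))
    return out

def simulate_jail(log_text, maxretry=2, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Ban an IP that reaches maxretry failures inside any findtime-second window,
    unless it falls within ignoreip. Returns {ip: 'YYYY/MM/DD HH:MM:SS' of the ban}."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), {}
    for ts, ip in parse_failures(log_text):
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts.strftime("%Y/%m/%d %H:%M:%S")
    return banned
```

With the page's settings only 203.0.113.7 is banned: 127.0.0.1 is excluded by ignoreip, and 192.0.2.20's two failures are 15 minutes apart, outside the default 600 s findtime (raise findtime to 3600 as in the commented lines and it is banned too).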

Activate fail2ban:

sudo service fail2ban restart

Status

To get the status of all enabled “jail” rules (failed attempts & banned IP table) use this command:

sudo fail2ban-client status

Or for a single specific “jail” rule (ex. nginx-http-auth):

sudo fail2ban-client status nginx-http-auth

Unbanning

You may do your own testing and lock yourself out. To unban a specific IP address, run:

sudo fail2ban-client set nginx-http-auth unbanip 111.111.111.111

Quick logs search for auth errors

Here are some quick commands to search a specific log for specific keywords:

grep 'mismatch\|htpasswd' /var/log/nginx/default.error.log