Welcome to ciysys blog

Install fail2ban

Published on: 22nd Apr 2014

Updated on: 30th Jan 2022

What is fail2ban

fail2ban is a service program (i.e., daemon) that is looking for the unauthorized user who is trying to access the server or some misbehave activities by reviewing the system log, user access log (/var/log/auth.log) or even Nginx web access log (/var/log/nginx/access.log).

Why fail2ban

Since our server is facing the Internet, this means anyone with the correct SSH ID and password will be able to access the server from anywhere. In this case, it will attract someone to try hacking the server by guessing the ID and password. With this consideration, we need to add another layer of protection after the firewall.

Another use case is that if a web crawler is trying to scan the website backdoor and we should block those web crawlers.

Here's how you install and configure it

Customizing fail2ban filter/policies

fail2ban allows you to add a new filter. I found the an article (https://david.ramsden.cloud/2016/03/21/banning-repeat-offenders-with-fail2ban/ that shows the details on how to create new filter. You may want to do this to automate the battle with the hacking bots.

Customized filter in fail2ban #2

After I have enabled the SSH key, some guys are still trying their luck to access the server through SSH. I found many of the following lines in the /etc/log/auth.log file,

Nov 29 20:29:48 myserver sshd[62008]: Received disconnect from port 38968:11: Normal Shutdown, Thank you for playing [preauth]
Dec  1 03:22:20 myserver sshd[69945]: Unable to negotiate with port 48784: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Dec  6 16:29:18 myserver sshd[117410]: Invalid user admin from port 33901
Dec  6 16:29:10 myserver sshd[117402]: Connection closed by authenticating user root port 44229 [preauth]
Dec  7 09:39:14 myserver sshd[121992]: Connection closed by port 52660 [preauth]

So, I decided to automate the banning on these IP addresses.

Customized filter in fail2ban #3

We are hosting our website (https://ciysys.com) on a cloud server and we don't want the "crazy" web crawler that consumes too much of the bandwidth. After some research on the Internet, we found out that we can block the web crawler by using fail2ban.

For example, we don't want to let 'petalbot' crawl our website at all. In this case, we reviewed the web access log file (/var/log/nginx/access.log) and found the following

... - - [13/Dec/2020:03:33:07 +0000] "GET /robots.txt HTTP/1.1" 301 178 "-" "(compatible;PetalBot;+https://aspiegel.com/petalbot)"

So, I decided to create a new fail2ban filter to handle this automatically,

fail2ban operating commands


Related posts

Jump to #UBUNTU blog


Lau Hon Wan, software developer.