Fail2Ban: Ban hosts that cause multiple authentication errors


Fail2Ban is an open-source tool that monitors log files, such as /var/log/auth.log, and blocks IP addresses that exhibit repeated failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses for a configurable amount of time.

Fail2Ban features

“Fail2Ban is a versatile and effective tool. It can block common attacks using community-driven filters with minimal configuration. Additionally, it can serve as a complex IDS/IPS system to meet specific administrative needs, such as detecting and blocking application or system-specific attack vectors,” Sergey Brester, the developer of Fail2Ban, told Help Net Security.

The main features are:

  • Monitoring logfile and systemd journal (and with custom backends, written in Python, it would be able to detect failures from other sources)
  • Fully configurable regexps allow to capture info from log or journal and supply it to the action, so it is possible to ban not only IPs, but also users, sessions, or a combination of them
  • Incremental banning
  • IPv6 support
  • Dynamic configuration allows simple creation of distribution-related config files for the maintainers and users. For instance, usage of parameters like mode for the fine adjustment (e. g. detect only authentication failures or ban more aggressively by any attempt)

Future plans and download

Brester told us that future development priorities include:

  • Full support for subnets (automatically banning a subnet with configurable burst and threshold if several attempts occur from IPs of the same subnet)
  • Geo- and whois-based factorization of the failures (e.g., IPs of some countries may be banned faster and longer, combined to larger subnets, etc.)
  • Fail2Ban network (synchronization of events like attempts and bans across the hosts to protect whole networks)
  • Speed-up of banning with introducing of bulk-ban mechanisms
  • Better support of containers (Docker, Kubernetes, etc.)

Fail2Ban is available for free on GitHub.

Fail2Ban: Ban hosts that cause multiple authentication errors

Must read:




Source link