Set up fail2ban to mitigate brute-force login attempts
Fail2ban is a tool that scans log files (e.g. /var/log/apache/error_log) and bans misbehaving IPs. For example, it can ban IPs that run bots performing brute-force login attempts.
Recently we set up a mail server and noticed in the exim log that bots were attempting random logins:
$ less /var/log/exim4/mainlog
2021-01-28 15:23:19 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=metrix@xxx.com)
2021-01-28 15:23:31 no host name found for IP address 212.70.149.54
2021-01-28 15:23:40 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=messagerie@xxx.com)
2021-01-28 15:23:52 no host name found for IP address 212.70.149.54
2021-01-28 15:24:01 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mercedes@xxx.com)
2021-01-28 15:24:14 no host name found for IP address 212.70.149.54
2021-01-28 15:24:22 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mediaspace@xxx.com)
2021-01-28 15:24:35 no host name found for IP address 212.70.149.54
2021-01-28 15:24:43 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mediacdn@xxx.com)
2021-01-28 15:24:56 no host name found for IP address 212.70.149.54
2021-01-28 15:25:04 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=medgen@xxx.com)
2021-01-28 15:25:17 no host name found for IP address 212.70.149.54
2021-01-28 15:25:25 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=m.ebay@xxx.com)
2021-01-28 15:25:38 no host name found for IP address 212.70.149.54
2021-01-28 15:25:46 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mea@xxx.com)
We can see that the bot is trying to log in with a different email login ID (the set_id value) on every attempt, all from the same source address.
Now let's create a fail2ban filter called "iw.conf" to extract the bad IPs and block them.
vim /etc/fail2ban/filter.d/iw.conf
And paste below to that file
Example:
[Definition]
failregex = \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =
Add the following jail to /etc/fail2ban/jail.local (the filter name must match the file name in filter.d without the .conf suffix):
[iw-filter]
enabled = true
filter = iw
action = iptables-multiport[name=NoAuthFailures, port="smtp,465,submission,imap,imaps,pop3,pop3s"]
logpath = /var/log/<your-exim4-log>
bantime = 86400
findtime = 1800
maxretry = 3
Use the mail ports in the action's port list: banning only http,https would block the web server but leave SMTP/IMAP/POP3, where the failed logins are actually arriving, reachable for the same IP (alternatively use the iptables-allports action). With these values an IP that produces maxretry (3) matches within findtime (1800 seconds) is banned for bantime (86400 seconds, 24 hours).
We can use fail2ban-regex to test the filter against the real log and check that it matches:
fail2ban-regex /var/log/<your-exim4-log> /etc/fail2ban/filter.d/iw.conf
Example output
Running tests
=============
Use failregex filter file : iw, basedir: /etc/fail2ban
Use log file : /var/log/exim4/mainlog
Use encoding : UTF-8
Results
=======
Failregex: 910 total
|- #) [# of hits] regular expression
| 1) [910] \[<HOST>\]: 535 Incorrect authentication data
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3010] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 3010 lines, 0 ignored, 910 matched, 2100 missed
Since our filter checks only one regex, the output shows it is working: 910 lines matched. The 2100 missed lines are expected; they are the other entries in the log, such as the "no host name found for IP address ..." lines, which are not authentication failures. Now restart fail2ban and let it run for a while.
Then check the fail2ban log to see whether it has managed to ban any bad IPs:
$ less /var/log/fail2ban.log
2021-01-28 15:47:22,639 fail2ban.actions [25145]: NOTICE [exim-iptables] Unban 212.70.149.54
2021-01-28 15:47:32,417 fail2ban.filter [25145]: INFO [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:47:32
2021-01-28 15:47:32,417 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:47:32
2021-01-28 15:47:32,501 fail2ban.actions [25145]: WARNING [iw-mail-devcot-login-filter] 212.70.149.54 already banned
2021-01-28 15:47:38,324 fail2ban.filter [25145]: INFO [exim-iptables] Found 104.129.24.114 - 2021-01-28 15:47:38
2021-01-28 15:47:38,325 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 104.129.24.114 - 2021-01-28 15:47:38
2021-01-28 15:47:53,454 fail2ban.filter [25145]: INFO [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:47:53
2021-01-28 15:47:53,455 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:47:53
2021-01-28 15:48:14,514 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:14
2021-01-28 15:48:14,515 fail2ban.filter [25145]: INFO [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:14
2021-01-28 15:48:35,607 fail2ban.filter [25145]: INFO [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:35
2021-01-28 15:48:35,609 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:35
2021-01-28 15:48:35,963 fail2ban.actions [25145]: WARNING [iw-mail-devcot-login-filter] 212.70.149.54 already banned
2021-01-28 15:48:57,098 fail2ban.filter [25145]: INFO [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:57
2021-01-28 15:48:57,099 fail2ban.filter [25145]: INFO [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:57
2021-01-28 15:48:57,361 fail2ban.actions [25145]: NOTICE [exim-iptables] Ban 212.70.149.54
The names in square brackets are the jail section names from jail.local; this log comes from a setup with two jails matching the same IP, exim-iptables (using the stock exim filter) and the custom filter jail, named iw-mail-devcot-login-filter here. Take note: if you see "Unban xxx.xxx.xxx.xxx" in the log, the ban on that IP has expired (the default bantime is only 600 seconds, 10 minutes) and fail2ban has released it, which may not be what you want. The Unban of 212.70.149.54 at 15:47:22 followed by a fresh Ban at 15:48:57 is exactly that: the bot came back after its ban expired and had to be re-banned. If that's the case, set bantime explicitly in the jail section (it is a jail option, not a filter option). Example:
Edit the file and set the ban time to 24 hours (86400 seconds):
vim /etc/fail2ban/jail.local
[exim-iptables]
enabled = true
filter = exim
...
logpath = /var/log/your-exim-log
bantime = 86400
findtime = 1800
maxretry = 5
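To see how the failregex in iw.conf and the jail parameters (maxretry, findtime, bantime) interact, and why a short bantime produces the Unban-then-Ban sequence seen in the fail2ban.log excerpt above, here is a small Python replay of fail2ban's counting logic. This is an added example, not fail2ban's own code: it applies the failregex to a handful of constructed exim log lines (modelled on the mainlog excerpt above), counts matches per IP inside the findtime window, bans at maxretry and expires bans after bantime. Two simplifications are assumptions of this example: the <HOST> placeholder is replaced with a plain IPv4 pattern (fail2ban's own substitution also handles IPv6 and hostnames), and expired bans are released when the next log line is processed rather than by a timer as fail2ban does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied from iw.conf. fail2ban substitutes <HOST> with its own
# host-matching group; a plain IPv4 pattern stands in here (assumption).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# exim mainlog lines start with "YYYY-MM-DD HH:MM:SS".
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log, modelled on the mainlog excerpt in the post:
# one bot (212.70.149.54) fails repeatedly, goes quiet, then returns;
# a second address fails once; the "no host name" lines are noise.
SAMPLE_LOG = [
    "2021-01-28 15:23:19 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=metrix@xxx.com)",
    "2021-01-28 15:23:31 no host name found for IP address 212.70.149.54",
    "2021-01-28 15:23:40 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=messagerie@xxx.com)",
    "2021-01-28 15:24:01 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mercedes@xxx.com)",
    "2021-01-28 15:24:22 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mediaspace@xxx.com)",
    "2021-01-28 15:30:00 dovecot_login authenticator failed for (User) [104.129.24.114]: 535 Incorrect authentication data (set_id=info@xxx.com)",
    "2021-01-28 15:30:12 no host name found for IP address 104.129.24.114",
    "2021-01-28 15:47:32 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mea@xxx.com)",
    "2021-01-28 15:47:53 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=meb@xxx.com)",
    "2021-01-28 15:48:14 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mec@xxx.com)",
]


def parse_line(line):
    """Return (timestamp, host) for a failregex match, or None for any other line."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    d = DATE_RE.match(line)
    if not d:
        return None
    return datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def evaluate(lines, maxretry=3, findtime=1800, bantime=86400):
    """Replay the log with the given jail parameters (seconds for the times).

    Returns a list of (timestamp, event, host) tuples in the spirit of
    fail2ban.log: "Found", "Ban", "already banned" and "Unban".
    """
    findtime = timedelta(seconds=findtime)
    bantime = timedelta(seconds=bantime)
    hits = defaultdict(deque)   # host -> timestamps of its recent matches
    banned_until = {}           # host -> when its current ban expires
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # e.g. the "no host name found ..." lines
        ts, host = parsed
        # Release bans whose bantime has run out (fail2ban does this on a timer).
        for h, until in list(banned_until.items()):
            if ts >= until:
                events.append((until, "Unban", h))
                del banned_until[h]
        events.append((ts, "Found", host))
        if host in banned_until:
            events.append((ts, "already banned", host))
            continue
        window = hits[host]
        window.append(ts)
        # Only matches within the last findtime seconds count towards maxretry.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            events.append((ts, "Ban", host))
            banned_until[host] = ts + bantime
            window.clear()
    return events


def count_events(events, kind):
    """Number of events of one kind ("Ban", "Unban", ...)."""
    return sum(1 for _, event, _ in events if event == kind)


if __name__ == "__main__":
    for bantime in (600, 86400):
        print(f"bantime={bantime}s")
        for ts, event, host in evaluate(SAMPLE_LOG, bantime=bantime):
            print(f"  {ts} {event} {host}")
```

Run it and compare the two bantime values: with 600 seconds (the default) the bot is banned at 15:24:01, released at 15:34:01 and banned again at 15:48:14 when it returns, the same Unban/Ban pattern as in the fail2ban.log excerpt; with 86400 seconds every later attempt is simply reported as already banned. The single failure from 104.129.24.114 never reaches maxretry and is only ever "Found".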
To see which IP addresses fail2ban has currently banned, ask fail2ban directly for the jail's status:
fail2ban-client status iw-filter
or list the firewall rules it has inserted:
iptables -S
From the example output below we can see that IP 212.70.149.54 has been blocked by the firewall (the f2b-NoAuthFailures chain is created by the iptables-multiport action and named after its name= parameter):
-A f2b-NoAuthFailures -s 212.70.149.54/32 -j REJECT --reject-with icmp-port-unreachable
Whenever you change the configuration, reload it so fail2ban picks it up, either with fail2ban-client reload or by restarting the service:
service fail2ban restart
Above is a simple note for your reference, and we encourage you to dive deeper to learn more about this powerful tool. Do share with us your experience using fail2ban by leaving a comment below.
That's all for today. Take care and stay healthy in this trying period!
Posted on Jan 27, 2021