Set up fail2ban to mitigate brute-force login attempts

Fail2ban is a tool that scans log files (e.g. /var/log/apache/error_log) and bans misbehaving IPs. For example, it can ban IPs that use bots to perform brute-force login attempts.

Recently we set up a mail server and noticed in the Exim log that some bots were attempting random logins:

$ less /var/log/exim4/mainlog
2021-01-28 15:23:19 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=metrix@xxx.com)
2021-01-28 15:23:31 no host name found for IP address 212.70.149.54
2021-01-28 15:23:40 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=messagerie@xxx.com)
2021-01-28 15:23:52 no host name found for IP address 212.70.149.54
2021-01-28 15:24:01 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mercedes@xxx.com)
2021-01-28 15:24:14 no host name found for IP address 212.70.149.54
2021-01-28 15:24:22 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mediaspace@xxx.com)
2021-01-28 15:24:35 no host name found for IP address 212.70.149.54
2021-01-28 15:24:43 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mediacdn@xxx.com)
2021-01-28 15:24:56 no host name found for IP address 212.70.149.54
2021-01-28 15:25:04 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=medgen@xxx.com)
2021-01-28 15:25:17 no host name found for IP address 212.70.149.54
2021-01-28 15:25:25 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=m.ebay@xxx.com)
2021-01-28 15:25:38 no host name found for IP address 212.70.149.54
2021-01-28 15:25:46 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mea@xxx.com)

We can see that the bot is trying to log in with a range of different email login ids.

Now let's create a fail2ban filter called "iw.conf" to extract the bad IPs so we can block them.

vim /etc/fail2ban/filter.d/iw.conf

And paste the following into that file:

[Definition]
# <HOST> is replaced by fail2ban with a pattern matching the client address
failregex = \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =

Add the following jail to /etc/fail2ban/jail.local:

[iw-filter]
enabled  = true
filter   = iw
# block the mail ports the bots are hitting (SMTP, submission, IMAP, POP3), not the web ports
action   = iptables-multiport[name=NoAuthFailures, port="25,465,587,143,993,110,995"]
logpath  = /var/log/<your-exim4-log>
# 864000 seconds = 10 days
bantime  = 864000
findtime = 1800
maxretry = 3
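To see what the filter and the jail's findtime/maxretry settings actually do with these log lines, here is an added Python example (not part of the original post or of fail2ban itself) that applies the iw.conf failregex to a constructed sample of exim mainlog lines and reproduces the sliding-window counting that decides which hosts get banned. The HOST_GROUP pattern is an assumed, simplified stand-in for fail2ban's real <HOST> expansion, and 198.51.100.7 is a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex exactly as written in the iw.conf filter above. fail2ban swaps the
# <HOST> tag for a capture group; HOST_GROUP is a simplified stand-in for that (assumption).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_GROUP = r"(?P<host>[0-9a-fA-F.:]+|[\w.-]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample of exim mainlog lines (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
2021-01-28 15:23:19 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=metrix@xxx.com)
2021-01-28 15:23:31 no host name found for IP address 212.70.149.54
2021-01-28 15:23:40 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=messagerie@xxx.com)
2021-01-28 15:24:01 dovecot_login authenticator failed for (User) [212.70.149.54]: 535 Incorrect authentication data (set_id=mercedes@xxx.com)
2021-01-28 15:30:00 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@xxx.com)
2021-01-28 16:30:00 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@xxx.com)
2021-01-28 17:30:00 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@xxx.com)
""".splitlines()

def parse_failures(lines):
    """Return (timestamp, host) pairs for every line the failregex matches."""
    found = []
    for line in lines:
        m = PATTERN.search(line)
        d = DATE_RE.match(line)
        if m and d:
            found.append((datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")))
    return found

def hosts_to_ban(lines, findtime=1800, maxretry=3):
    """Hosts reaching maxretry failures inside a sliding findtime window: the rule the
    jail's findtime/maxretry settings express. Slow attempts spread wider than the
    window never accumulate enough hits, which is why findtime matters as much as maxretry."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in parse_failures(lines):
        # keep only this host's failures that are still inside the window
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print("matched lines:", len(parse_failures(SAMPLE_LOG)))
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

With the jail's values (findtime 1800, maxretry 3) only 212.70.149.54 is banned; the host failing once an hour slips under the window unless findtime is widened.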

We can use fail2ban-regex to test the filter and see whether it works:

fail2ban-regex /var/log/<your-exim4-log> /etc/fail2ban/filter.d/iw.conf

Example output:

Running tests
=============

Use   failregex filter file : iw, basedir: /etc/fail2ban
Use         log file : /var/log/exim4/mainlog
Use         encoding : UTF-8


Results
=======

Failregex: 910 total
|-  #) [# of hits] regular expression
|   1) [910] \[<HOST>\]: 535 Incorrect authentication data
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3010] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 3010 lines, 0 ignored, 910 matched, 2100 missed

Since our filter checks only one regex, the output shows that it is working: 910 lines matched. Let's restart fail2ban and let it run for a while.

Then we can check the fail2ban log to see whether it managed to ban any bad IPs:

$ less /var/log/fail2ban.log
2021-01-28 15:47:22,639 fail2ban.actions        [25145]: NOTICE  [exim-iptables] Unban 212.70.149.54
2021-01-28 15:47:32,417 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:47:32
2021-01-28 15:47:32,417 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:47:32
2021-01-28 15:47:32,501 fail2ban.actions        [25145]: WARNING [iw-mail-devcot-login-filter] 212.70.149.54 already banned
2021-01-28 15:47:38,324 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 104.129.24.114 - 2021-01-28 15:47:38
2021-01-28 15:47:38,325 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 104.129.24.114 - 2021-01-28 15:47:38
2021-01-28 15:47:53,454 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:47:53
2021-01-28 15:47:53,455 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:47:53
2021-01-28 15:48:14,514 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:14
2021-01-28 15:48:14,515 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:14
2021-01-28 15:48:35,607 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:35
2021-01-28 15:48:35,609 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:35
2021-01-28 15:48:35,963 fail2ban.actions        [25145]: WARNING [iw-mail-devcot-login-filter] 212.70.149.54 already banned
2021-01-28 15:48:57,098 fail2ban.filter         [25145]: INFO    [iw-mail-devcot-login-filter] Found 212.70.149.54 - 2021-01-28 15:48:57
2021-01-28 15:48:57,099 fail2ban.filter         [25145]: INFO    [exim-iptables] Found 212.70.149.54 - 2021-01-28 15:48:57
2021-01-28 15:48:57,361 fail2ban.actions        [25145]: NOTICE  [exim-iptables] Ban 212.70.149.54

Take note: if you see "Unban xxx.xxx.xxx.xxx" in the log, it means those IPs have been released by fail2ban again, which might not be what you want. If that's the case, set the bantime explicitly in the jail configuration. Example:

Edit the file and set the ban time to 24 hours (86400 seconds):

vim /etc/fail2ban/jail.local

[exim-iptables]
enabled = true
filter  = exim
...
logpath = /var/log/your-exim-log
# 86400 seconds = 24 hours
bantime  = 86400
findtime = 1800
maxretry = 5

To display a list of IP addresses currently banned by fail2ban, type the following command:

iptables -S

From the example output below we can see that IP 212.70.149.54 has been blocked by the firewall:

-A f2b-NoAuthFailures -s 212.70.149.54/32 -j REJECT --reject-with icmp-port-unreachable

Whenever you make changes, reload the configuration by restarting fail2ban:

service fail2ban restart

The above is a simple note for your reference; we encourage you to dive deeper and learn more about this powerful tool. Do share your experience using fail2ban with us by leaving a comment below.

That's all for today. Take care and stay healthy in this trying period!

Posted on Jan 27, 2021
