Rustam A. Gasanov

$ echo "Inspired developer's blog" > /dev/null

Fail2ban in Action


Just checked the journal of my server and discovered it's been under (luckily unsuccessful) attack for quite a period of time. A quick check through the journal revealed numerous ssh login attempts:

$ journalctl --since "2017-02-15 11:50:00"

Well, it is a nasty situation. Putting all those IPs into iptables manually would be painful and would require checking the journal every day for new attacker IP entries. Fortunately, this task is easily solved with the fail2ban utility.

$ apt-get install fail2ban

It works out of the box under systemd supervision, but it is a reasonable idea to check the config and adjust some settings like bantime/findtime or the recidive jail (which hands out a much longer ban to IPs that keep getting banned):

$ cd /etc/fail2ban
$ cp jail.conf jail.local  # Generate the local config from the default one
$ vim jail.local           # Make your changes and save
$ service fail2ban restart
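To make the bantime/findtime/maxretry and recidive settings concrete, here is a small replay of the decision logic those settings drive, written for this post as an added illustration; it is not fail2ban's own code. It uses a regex in the spirit of fail2ban's sshd filter, constructed journal lines (the year 2017 is assumed from the journalctl timestamp above, the IPs are documentation ranges), and example jail values; the sshd jail bans after maxretry failures within findtime, and the toy recidive jail counts those bans the way the real one counts ban entries in fail2ban.log.

```python
"""Replay of fail2ban-style ban decisions over constructed sshd journal lines.

Added example, not fail2ban's implementation. Settings mirror what you would
put in jail.local; the values below are assumptions for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# [sshd] jail: 3 failed logins within 10 minutes -> ban for 1 hour (assumed values)
SSHD_JAIL = {"findtime": 600, "maxretry": 3, "bantime": 3600}
# [recidive] jail: 2 bans within a day -> ban for a week (assumed values)
RECIDIVE_JAIL = {"findtime": 86400, "maxretry": 2, "bantime": 604800}

# Constructed sample journal (not from the author's server), in time order.
SAMPLE_JOURNAL = """\
Feb 15 11:50:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51111 ssh2
Feb 15 11:50:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51112 ssh2
Feb 15 11:50:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 51113 ssh2
Feb 15 11:51:00 host sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Feb 15 11:52:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 15 12:00:00 host sshd[1006]: Failed password for root from 203.0.113.5 port 51114 ssh2
Feb 15 12:30:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 40002 ssh2
Feb 15 12:35:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 40003 ssh2
Feb 15 13:00:00 host sshd[1009]: Failed password for root from 203.0.113.5 port 51115 ssh2
Feb 15 13:00:05 host sshd[1010]: Failed password for root from 203.0.113.5 port 51116 ssh2
Feb 15 13:00:10 host sshd[1011]: Failed password for root from 203.0.113.5 port 51117 ssh2
"""

# Approximation of fail2ban's sshd failregex: only failed logins count as events.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_line(line, year=2017):
    """Return (timestamp, ip) for a failed-login line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip")


class Jail:
    """Sliding-window counter: maxretry events within findtime -> ban for bantime."""

    def __init__(self, findtime, maxretry, bantime):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.events = defaultdict(deque)  # ip -> timestamps still inside findtime
        self.banned_until = {}            # ip -> expiry of the current ban
        self.bans = []                    # (timestamp, ip) in the order bans happened

    def is_banned(self, ip, now):
        return ip in self.banned_until and now < self.banned_until[ip]

    def observe(self, ts, ip):
        """Record one event; return True if it triggers a ban."""
        window = self.events[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # drop events older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            self.bans.append((ts, ip))
            window.clear()
            return True
        return False


def replay(journal_text, sshd_cfg=SSHD_JAIL, recidive_cfg=RECIDIVE_JAIL):
    """Feed journal lines through the sshd jail, and sshd bans through recidive."""
    sshd = Jail(**sshd_cfg)
    recidive = Jail(**recidive_cfg)
    for line in journal_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if sshd.is_banned(ip, ts) or recidive.is_banned(ip, ts):
            continue  # iptables would drop these packets; no new event is counted
        if sshd.observe(ts, ip):
            recidive.observe(ts, ip)  # a ban is itself an event for recidive
    return sshd, recidive


if __name__ == "__main__":
    sshd, recidive = replay(SAMPLE_JOURNAL)
    for ts, ip in sshd.bans:
        print(f"[sshd]     Ban {ip} at {ts:%H:%M:%S} until {sshd.banned_until[ip]:%m-%d %H:%M}")
    for ts, ip in recidive.bans:
        print(f"[recidive] Ban {ip} at {ts:%H:%M:%S} until {recidive.banned_until[ip]:%m-%d %H:%M}")
```

Running it shows 203.0.113.5 banned twice by the sshd jail (the attempt at 12:00 lands inside the first ban and is ignored) and then picked up by recidive for a week, while 198.51.100.9 never reaches maxretry because its failures are spread beyond findtime; that is exactly the trade-off you are tuning when editing those values in jail.local.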

Now it's time to check the logs:

$ tail -f /var/log/fail2ban.log

Boom, banhammer in action:

Corresponding entries in iptables:

$ iptables -L

Last detail: it seems the attacks were coming from machines that are themselves already infected. Anyway, the problem is now solved.
