© Flavijus Piliponis, 123RF.com

The fail2ban intrusion prevention framework

Ban-Aid

Article from ADMIN 10/2012
For its size, fail2ban, a utility that scans logfiles and bans suspicious IP addresses, punches well above its weight.

The few sys admins who haven't heard of fail2ban are likely to be just starting out or to focus on areas other than server administration. In my experience, it's quite rare that really small utilities can affect the way you run your servers to the extent that fail2ban does, which certainly explains its popularity.

The featherweight fail2ban set of scripts integrates easily with popular firewalls and, among other things, catches any failed logins for services that you're running and then bans the IP address of the offender after a certain number of failed attempts. Admittedly, that sounds like quite simple functionality, but when you get down to the innards of the software, it's a truly powerful tool.

I had been using fail2ban on SSH login failures, probably its most common usage, before I became increasingly annoyed with web server logs filling up with nefarious probes attempting to compromise PHP with remote exploits (and a myriad of other HTTP attacks). It got to the point where a large proportion of the Apache logs were failed attempts to find hidden directories or non-existent Joomla installations among the legitimate hits on the websites.

Also, I ran a few mail servers that allowed mail relaying via SASL password authentication [1], which (and there are other ways of running the authentication side) had system user accounts with PAM [2] checking for correct passwords. I had set the SASL user accounts so that a shell login couldn't be used to access the server, but I was still more than aware that having a piece of software so readily open to abuse by brute force was far from ideal. So, fail2ban stepped forward yet again; I could simply ban any IP that entered the wrong password three times for as long as I wanted.

From the scenarios above, I hope you will agree that fail2ban can be applied in all sorts of

...