Fail2Ban is a small, relatively simple log-based intrusion prevention tool: it scans your log files for predefined patterns and, when the same IP address matches too often, bans it with a firewall rule (iptables by default).
Fail2Ban uses 3 concepts:
- filters are the regular expressions you want to look for
- actions are the steps you want to take when you find something
- jails are what you create to tie together a log file, a filter and an action
The tool already provides many jail configs, but we need a custom one because we'll be using a custom log format (we'll be securing a PHP Login API against brute force attacks).
Here are the steps needed to get this working:
[cc lang='bash']
$ apt-get install fail2ban
# create the custom jail (jail.local overrides jail.conf; findtime is left at its default of 600s)
$ cat <<'EOF' > /etc/fail2ban/jail.local
[api-login]
enabled = true
port = http,https
filter = api-login
backend = polling
logpath = /var/log/api/user-login
maxretry = 3
bantime = 600
EOF
# create the custom filter
$ cat <<'EOF' > /etc/fail2ban/filter.d/api-login.conf
[Definition]
# log pattern: timestamp,status,ip,user,password
#2014-06-13T11:19:27+00:00,n/a,41.71.144.64,,
#2014-06-13T11:24:04+00:00,failed,41.71.144.64,admin,admin
# <HOST> is mandatory: it is the group fail2ban reads the IP to ban from,
# and fail2ban-regex refuses a failregex without it.
# fail2ban strips the matched date before applying failregex, so [^,]* is
# either empty or the timestamp; anchoring on ^ keeps the status in the
# second field so a user-chosen name or password cannot forge a match.
failregex = ^[^,]*,(failed|n/a),<HOST>,
ignoreregex =
EOF
# test the filter against the real log before starting the jail
$ fail2ban-regex /var/log/api/user-login /etc/fail2ban/filter.d/api-login.conf
$ service fail2ban start
$ fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: api-login
$ fail2ban-client status api-login
Status for the jail: api-login
|- filter
|  |- File list: /var/log/api/user-login
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0
# the jail installed its own iptables chain, hooked into INPUT for ports 80 and 443
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-api-login tcp -- anywhere anywhere multiport dports www,https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-api-login (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
# logs: each match and each ban/unban is recorded here
$ tail -f /var/log/fail2ban.log
[/cc]
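To see what the jail above actually does with such log lines without installing anything, here is an added example in Python (the language fail2ban itself is written in); it is not code from the original post or from fail2ban. It re-implements two pieces in simplified form: the expansion of the `<HOST>` tag (assumed here to accept IPv4 only; real fail2ban also accepts IPv6 and hostnames) and the maxretry/findtime counting rule of a jail. The log lines, the `198.51.100.9` and `203.0.113.7` addresses and the forged line are constructed for the example.

```python
import re
from datetime import datetime, timedelta  # datetime.fromisoformat needs Python 3.7+

# Same failregex as in filter.d/api-login.conf above.  The leading [^,]* makes
# it work whether or not the timestamp has been stripped from the line
# (fail2ban removes the matched date before applying failregex); anchoring on
# ^ forces the status to be the second CSV field.
FAILREGEX = r"^[^,]*,(failed|n/a),<HOST>,"

# Unanchored variant, kept only to show why the anchor matters.
UNANCHORED_FAILREGEX = r",(failed|n/a),<HOST>,"

# Simplified stand-in for fail2ban's expansion of the <HOST> tag (assumption:
# the real expansion also accepts IPv6 addresses and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

MAXRETRY = 3                       # as set in jail.local
FINDTIME = timedelta(seconds=600)  # fail2ban default, not set in jail.local

# Constructed sample log in the page's CSV layout: timestamp,status,ip,user,password.
SAMPLE_LOG = """\
2014-06-13T11:19:27+00:00,n/a,41.71.144.64,,
2014-06-13T11:24:04+00:00,failed,41.71.144.64,admin,admin
2014-06-13T11:24:09+00:00,failed,41.71.144.64,admin,admin123
2014-06-13T11:24:20+00:00,ok,203.0.113.7,alice,
2014-06-13T11:24:31+00:00,failed,203.0.113.7,alice,typo
2014-06-13T11:40:00+00:00,failed,198.51.100.9,bob,x
2014-06-13T11:55:00+00:00,failed,198.51.100.9,bob,y
2014-06-13T12:10:00+00:00,failed,198.51.100.9,bob,z
"""

# Constructed line where the client chose the username "failed" and the
# password "10.0.0.1,".  The login succeeded ("ok"), but an unanchored
# failregex would read 10.0.0.1 out of the password field and ban it.
FORGED_LINE = "2014-06-13T11:30:00+00:00,ok,203.0.113.7,failed,10.0.0.1,"


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result.

    fail2ban rejects a failregex without <HOST>: with no host group there is
    nothing to ban, which is the defect in a pattern like '.*,(failed|n/a),'.
    """
    if "<HOST>" not in pattern:
        raise ValueError("failregex must contain <HOST>")
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def filter_is_valid(pattern):
    """True if the pattern contains <HOST> and compiles."""
    try:
        compile_failregex(pattern)
    except (ValueError, re.error):
        return False
    return True


def matched_host(line, pattern=FAILREGEX):
    """Host the filter would extract from one log line, or None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def failures(log_text, pattern=FAILREGEX):
    """Yield (timestamp, host) for every line the filter matches."""
    rx = compile_failregex(pattern)
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            ts = datetime.fromisoformat(line.split(",", 1)[0])
            yield ts, m.group("host")


def bans(log_text, pattern=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail's counting rule: a host is banned the moment its
    maxretry-th failure lands inside a findtime window.  Returns
    {host: ban_timestamp}; hosts never banned are absent."""
    recent = {}   # host -> failure timestamps still inside the findtime window
    banned = {}
    for ts, host in failures(log_text, pattern):
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
    print("forged line, unanchored:", matched_host(FORGED_LINE, UNANCHORED_FAILREGEX))
    print("forged line, anchored:  ", matched_host(FORGED_LINE))
```

Replaying the sample, only `41.71.144.64` is banned (three matches within five minutes); `198.51.100.9` also fails three times but fifteen minutes apart, so each failure has left the findtime window before the next arrives, which is why findtime matters as much as maxretry. The forged line shows the other caveat: with unquoted CSV fields under client control, only an anchored regex keeps the status in the field you intend. Note also that this log format records the submitted password in clear text; fail2ban does not need it, and users regularly mistype a password from another account into a login form, so consider dropping that field.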