
Advanced Policy Firewall and Fail2ban SSH Jails


I use APF to control IPTables and recently had to set up a server listening on the default SSH port, so I had to install additional security to safeguard my SSH port.

Fail2ban scans log files for failures and bans IPs that show too many password failures or other dodgy traits. Fail2Ban can update the firewall to include these IPs in a deny list.

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.

Fail2Ban comes with many configurations known as Jails. You can view all the jails in
/etc/fail2ban/jail.conf

For use with APF I will be disabling the normal SSH-IPTables jail

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

and enabling the APF variant

[ssh-apf]

enabled = true
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

This changes the way fail2ban bans IP addresses: it calls apf -d for each ban rather than inserting rules directly into IPTables.
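To show what the sshd filter and the maxretry setting from the jail above actually do, here is an added example (not part of the original post and not fail2ban's own code) that applies the "Failed password" rule to a few constructed /var/log/secure lines and reports which hosts would be handed to apf -d. The regex, the sliding findtime window, and the 600-second default findtime are modelled on fail2ban's behaviour but written from scratch here; the apf -d argument form is taken from the post, not from fail2ban's action.d/apf.conf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/secure.
# 203.0.113.7 fails five times in ten seconds; 198.51.100.9 fails five times
# but spread over twenty minutes; 192.0.2.5 has one failure and one success.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv0 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 srv0 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 srv0 sshd[2103]: Failed password for root from 203.0.113.7 port 51246 ssh2
Mar  3 10:00:07 srv0 sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:09 srv0 sshd[2105]: Failed password for root from 203.0.113.7 port 51255 ssh2
Mar  3 10:01:00 srv0 sshd[2110]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:01:30 srv0 sshd[2111]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:02:00 srv0 sshd[2112]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar  3 10:05:00 srv0 sshd[2130]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2
Mar  3 10:05:10 srv0 sshd[2131]: Failed password for deploy from 192.0.2.5 port 50001 ssh2
Mar  3 10:20:00 srv0 sshd[2120]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar  3 10:20:30 srv0 sshd[2121]: Failed password for root from 198.51.100.9 port 40005 ssh2
"""

# Modelled on the sshd filter's "Failed password" failregex, with fail2ban's
# <HOST> placeholder replaced by an IPv4 capture group (assumption: IPv4 only).
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so the lines can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def hosts_to_ban(log_text, maxretry=5, findtime=600, year=2024):
    """Return the sorted hosts that reach maxretry failures within findtime seconds.

    Mirrors the jail semantics: each failure is counted per host, failures older
    than findtime are dropped, and a host is banned once the window holds maxretry.
    """
    window = defaultdict(list)
    banned = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        host = m.group("host")
        now = parse_ts(m.group("ts"), year)
        cutoff = now - timedelta(seconds=findtime)
        window[host] = [t for t in window[host] if t >= cutoff] + [now]
        if len(window[host]) >= maxretry:
            banned.add(host)
    return sorted(banned)


def ban_command(host):
    """The apf -d invocation the post describes for a ban (argument form assumed)."""
    return ["apf", "-d", host]


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print(" ".join(ban_command(host)))
```

With the defaults only 203.0.113.7 is banned; 198.51.100.9 has the same total of five failures but never five inside one ten-minute window, which is why the "Total failed" counter in the status output is much larger than the number of bans.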

You can check the current status of the jail with

[root@srv0 ~]# fail2ban-client -i
Fail2Ban v0.8.14 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status ssh-apf
Status for the jail: ssh-apf
|- filter
|  |- File list:	/var/log/secure 
|  |- Currently failed:	0
|  `- Total failed:	83187
`- action
   |- Currently banned:	0
   |  `- IP list:	
   `- Total banned:	1045

Banning all the chinabotz!
You can look up the full list of commands to use with fail2ban-client here: http://www.fail2ban.org/wiki/index.php/Commands