Configuring Fail2Ban

Fail2Ban is a tool that blocks remote IP addresses after repeated failed authentication attempts by writing iptables rules, and it can alert you to these events via email. On CentOS, Fail2Ban is in the EPEL repository.
The sendmail-whois action resolves the remote IP address via whois. CentOS has pwhois (which requires a symlink, i.e. ln -s /usr/bin/pwhois /usr/bin/whois); if you use jwhois instead, no symlink is needed.

To begin, install the following packages:


yum install fail2ban jwhois

Modify your monitoring actions under /etc/fail2ban/jail.conf and then mirror these changes to jail.local. Fail2Ban reads jail.local on top of jail.conf and the .local file wins, so the two files must agree or your edits will silently be overridden:


cat /etc/fail2ban/jail.conf > /etc/fail2ban/jail.local

service fail2ban stop
service fail2ban start

The global bantime, findtime and maxretry parameters are at the beginning of jail.conf. bantime and findtime are in seconds; maxretry is a count of failures:


# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3

To configure SSH monitoring, enable the [ssh-iptables] jail. Note that the second action line must be indented so Fail2Ban reads it as a continuation of the 'action' option rather than as a new (invalid) option:


[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=22, protocol=tcp]
         sendmail-whois[name=SSH, dest=simon@magrin.one, sender=alerts@magrin.one, sendername="Fail2Ban"]
logpath = /var/log/secure

Fail2Ban can monitor and block IPs that fail Roundcube logins in the same way, but Roundcube must first log login events. Edit /etc/roundcubemail/config.inc.php:


// ----------------------------------
// LOGGING/DEBUGGING
// ----------------------------------
// Enable system error reporting, sum of: 1 = log; 4 = show, 8 = trace
$config['debug_level'] = 8;
// Log logins
$config['log_logins'] = true;

Test that this is working by monitoring the log while logging in via Roundcube; a failed attempt should produce a 'Failed login for <user> from <ip>' line:


tail -f /var/log/roundcubemail/userlogins

Edit /etc/fail2ban/jail.conf. The 'ignoreip' parameter prevents Fail2Ban from banning the server itself. Roundcube authenticates to Dovecot over IMAP, and Dovecot's filters monitor both /var/log/secure and /var/log/maillog, so every failed webmail login is also recorded by Dovecot as an authentication failure coming from the webmail host's own address. Without ignoreip, the dovecot jail would see those entries and install a block rule against the server's own IP!


# "ignoreip" can be an IP address, a CIDR mask or a DNS host.
ignoreip = 127.0.0.1/8 11.22.33.44/32

Here 11.22.33.44 stands in for the server's own public address. The [roundcube] section defines Roundcube's monitoring (again, the second action line is indented as a continuation):


# Monitor roundcube server
[roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
         sendmail-whois[name=roundcube, dest=simon@magrin.one, sender=alerts@magrin.one, sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/userlogins

Mirror the configuration to jail.local again:

cat /etc/fail2ban/jail.conf > /etc/fail2ban/jail.local

Create a filter rule to inspect the 'userlogins' log:


touch /etc/fail2ban/filter.d/roundcube.conf

nano /etc/fail2ban/filter.d/roundcube.conf

Populate the following filter configuration. <HOST> is the placeholder Fail2Ban substitutes with its IP-matching pattern, so it must line up with the address field in the log. If Roundcube sits behind a reverse proxy, the address logged will be the proxy's unless Roundcube is configured to trust the forwarded client address, and the jail would then ban the proxy:


# Fail2Ban configuration file for roundcube web server
#
[INCLUDES]
before = common.conf
[Definition]
# Matches lines such as:
#   Failed login for user@example.com from 203.0.113.5 in session ...
failregex = Failed login for .* from <HOST>
ignoreregex =

Restart the fail2ban service, then test from a remote device (e.g. a phone on mobile data, i.e. an address you can afford to have banned for bantime) by generating enough failed attempts to trip the rule.
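Before locking a phone out for real, it helps to see how findtime, maxretry and ignoreip interact. The following POSIX shell script is an added example written for this page; it is not part of the original tutorial or of Fail2Ban itself. It replays the jail's counting logic over a handful of constructed userlogins lines: the same 'Failed login for ... from <HOST>' match as the filter above, a per-address sliding findtime window, a maxretry threshold, and an ignoreip list with CIDR masks. The log line format, the user names and the addresses are constructed; 11.22.33.44 is the same placeholder for the server's own address used in the ignoreip line above.

```shell
#!/bin/sh
# Emulates the counting a Fail2Ban jail performs on Roundcube's userlogins log.
# Added example for this page, not Fail2Ban's own code. The line format below is
# an assumption modelled on Roundcube's "[date]: <session> Failed login for USER
# from IP in session SID" entries; all data is constructed.

SAMPLE_LOG='[01-Mar-2015 10:00:00 +0000]: <s4> Failed login for bob from 198.51.100.7 in session s4
[01-Mar-2015 10:00:01 +0000]: <s1> Failed login for alice from 203.0.113.5 in session s1
[01-Mar-2015 10:00:40 +0000]: <s2> Successful login for alice from 203.0.113.9 in session s2
[01-Mar-2015 10:02:30 +0000]: <s3> Failed login for alice from 203.0.113.5 in session s3
[01-Mar-2015 10:05:00 +0000]: <s5> Failed login for bob from 198.51.100.7 in session s5
[01-Mar-2015 10:05:00 +0000]: <s6> Failed login for alice from 203.0.113.5 in session s6
[01-Mar-2015 10:11:00 +0000]: <s7> Failed login for bob from 198.51.100.7 in session s7
[01-Mar-2015 10:12:00 +0000]: <s8> Failed login for root from 11.22.33.44 in session s8
[01-Mar-2015 10:12:05 +0000]: <s9> Failed login for root from 11.22.33.44 in session s9
[01-Mar-2015 10:12:10 +0000]: <s10> Failed login for root from 11.22.33.44 in session s10
[01-Mar-2015 10:12:15 +0000]: <s11> Failed login for root from 11.22.33.44 in session s11'

# ban_candidates MAXRETRY FINDTIME [IGNOREIP ...] < logfile
# Prints, once each and in the order they trip the rule, the addresses that reach
# MAXRETRY failures within any FINDTIME-second window, skipping ignored ranges.
ban_candidates() {
  maxretry=$1; findtime=$2; shift 2
  ignore="$*"
  awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore="$ignore" '
  # Dotted-quad to integer, so CIDR prefixes can be compared numerically.
  function ip2int(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
  # 1 if a falls inside any ignoreip entry ("a.b.c.d" or "a.b.c.d/bits").
  function ignored(a,   i, parts, bits) {
    for (i = 1; i <= nig; i++) {
      split(ig[i], parts, "/")
      bits = (parts[2] == "") ? 32 : parts[2]
      if (int(ip2int(a) / 2^(32 - bits)) == int(ip2int(parts[1]) / 2^(32 - bits))) return 1
    }
    return 0
  }
  # Days since 1970-01-01 for a civil date (integer arithmetic only, so it works in POSIX awk).
  function days_from_civil(y, m, d,   era, yoe, doy, doe) {
    if (m <= 2) y -= 1
    era = int(y / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
  }
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
    for (i = 1; i <= 12; i++) mon[mn[i]] = i
    nig = split(ignore, ig, " ")
  }
  # Same match as the filter: only failed logins count, successes are ignored.
  /Failed login for .* from / {
    # Fields: "[01-Mar-2015" "10:00:01" "+0000]:" -> epoch seconds (UTC).
    ts = $1; sub(/^\[/, "", ts); split(ts, dmy, "-")
    split($2, hms, ":")
    tz = $3; sub(/\]:$/, "", tz)
    off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
    t = days_from_civil(dmy[3], mon[dmy[2]], dmy[1]) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3] - off
    ip = ""
    for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    if (ip == "" || ignored(ip) || (ip in banned)) next
    # Record this failure and count the ones still inside the findtime window.
    n = ++cnt[ip]; fails[ip, n] = t
    recent = 0
    for (i = 1; i <= n; i++) if (fails[ip, i] > t - findtime) recent++
    if (recent >= maxretry) { banned[ip] = 1; print ip }
  }'
}

# Run against the constructed sample with the tutorial values: maxretry=3, findtime=600,
# ignoreip as above. Only 203.0.113.5 trips the rule: bob's three failures are spread over
# eleven minutes, and 11.22.33.44 is the server itself.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600 127.0.0.1/8 11.22.33.44/32
```

The authoritative check for the filter itself is `fail2ban-regex /var/log/roundcubemail/userlogins /etc/fail2ban/filter.d/roundcube.conf`, which reports how many lines of the real log the failregex matched; the script above is only for reasoning about the findtime, maxretry and ignoreip values offline before testing from a phone. Widening findtime to an hour is enough to catch bob's slow attempts, and dropping the ignoreip arguments shows how the server's own address would be banned.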