Dynamic Rule Set (Demo): Fail2ban

Video Activity

Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
Hey there, Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor, Rob Gels. In today's lesson, we're going to create dynamic rule sets using fail2ban. Upon completion of today's lesson, you are going to be able to understand the purpose of fail2ban. We're going to explain how fail2ban can identify failures, and then determine the options for configuring fail2ban during our demo at the end of the lesson.

Fail2ban is another application like DenyHosts, which we just talked about in the previous lesson. It generates dynamic rule sets by monitoring system logs, and fail2ban blocks the IP addresses of attackers. It works with iptables and firewalld as well as TCP Wrappers. Remember, when we looked at DenyHosts, that just uses TCP Wrappers. Now, fail2ban monitors more than just OpenSSH. It also checks system and application logs for security issues.

Now, fail2ban monitors system logs for failed authentication attempts. Just like we saw with DenyHosts, it's going to look at /var/log/auth.log or /var/log/secure, but it also looks at /var/log/pwdfail. It also monitors application log files such as web service or FTP log files, so that's things like /var/log/httpd/access_log, or /var/log/vsftpd.log when we're talking about an FTP log file.

When bad login attempts or security threats are found, fail2ban can do a few things. It can update or add iptables and firewalld rules, or it can just add those hosts into /etc/hosts.deny, just like we saw with DenyHosts.

Now, fail2ban does have a few configuration options that we should know about. The default file is /etc/fail2ban/jail.conf, and that's a configuration file we can look in. We're going to see some common options here. There's an option of bantime, which is the amount of time in seconds to ban a host for. There's also findtime, which is a period of time in seconds in which failures are monitored, and then maxretry is the number of failures that occur within that findtime before a host is banned. For example, we might have a maxretry of five with 120 seconds that gets a 600-second ban. That means that if somebody has tried five times to get in and has failed within the two minutes, then they get a 600-second ban and they're not allowed to log in during that time.

There are two other configuration options to know. enabled basically sets whether the jail is enabled; the jail is going to be enabled here if it's set to true. Then ignoreip allows you to create lists of IPs that are essentially allowed through; it is an allow list. These are IP addresses that are never banned.

Let's have a look at all of this with some demo time. Here we are back in our demo environment. Today, we're in Ubuntu, and the first thing we need to do is install fail2ban. We're going to use sudo apt install fail2ban. I'm going to type in my password to get root permissions, elevate privileges, and if we wait a few minutes here, we're going to see that this is installed and ready to go. There we go.

Now, let's look at the configuration file. Now, there are a couple of configuration files here. One that I didn't mention was that there's actually a fail2ban.conf. You might be tempted to say, yeah, fail2ban.conf, that makes sense. That's the configuration file. It's really not. We can see right at the top that it says, in most cases you should not modify this file, but provide customizations in fail2ban.local. We basically leave this the heck alone. What we're going to want to look at instead is, like I said, the default file, which is going to be jail.conf, so we'll change this from fail2ban.conf to jail.conf, and in this file we can see the settings that we're looking for. For example, we can see findtime. You see the findtime there is one day. We can see bantime. Let's back this one out here. Bantime is one week. Then we can also see maxretry. We see maxretry is one, and then the findtime is one day and the bantime is one week. That means this system is fairly strict. If you fail one time in one day, you're banned for the week.

We can also see some other configurations for monitoring things like HTTP and mail servers and many other applications in here, so you can search for HTTP. Helps if you spell it right. See that right there. We also see that it's doing things like POP3, POP3S, IMAP, IMAPS, IMAP2S, so that's mail. Various different things are all set up here by default for monitoring when we're working with fail2ban.

With that, we've reached the end of this lesson. In this lesson, we covered the purpose of fail2ban. We also talked about how fail2ban identifies login failures and other security issues. Then during our demo, we saw some of the configuration options for fail2ban. Thanks so much for being here, and I look forward to seeing you in the next lesson.
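To make the findtime, maxretry and bantime interplay from the lesson concrete, here is an added Python model (editor's example, not fail2ban's own code or part of the lesson) that replays constructed auth.log-style failed-login lines through one jail using the lesson's values (maxretry 5, findtime 120 s, bantime 600 s) plus an ignoreip allow list. The simplified failregex, the host name, the assumed year for the syslog timestamps and the documentation-range addresses are all assumptions.

```python
import calendar, re, time
from collections import defaultdict, deque
# Simplified stand-in for the sshd filter's failregex (hypothetical, not fail2ban's own).
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .+ from (?P<ip>[\d.]+) port \d+")

class Jail:
    def __init__(self, maxretry=5, findtime=120, bantime=600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = set(ignoreip)         # allow list: these addresses are never banned
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.bans = {}                        # ip -> time the ban expires

    def observe(self, line):
        """Feed one log line; return the IP if it triggers a ban, else None."""
        m = FAIL_RE.match(line)
        if not m: return None
        ip = m.group("ip")
        # syslog stamps carry no year; an assumed year is prepended, only ordering matters
        now = calendar.timegm(time.strptime("1970 " + m.group("ts"), "%Y %b %d %H:%M:%S"))
        if ip in self.ignoreip or now < self.bans.get(ip, 0):
            return None                       # allow-listed, or already serving a ban
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                  # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime   # real fail2ban fires the iptables/firewalld action here
            window.clear()
            return ip
        return None

def bans_for(lines, **jail_opts):
    jail = Jail(**jail_opts)                  # replay the lines through one jail
    return [ip for ip in map(jail.observe, lines) if ip]   # banned IPs, in order

def fail_line(stamp, ip):
    # Constructed /var/log/auth.log-style line using documentation-range addresses.
    return f"{stamp} srv sshd[1234]: Failed password for root from {ip} port 4000 ssh2"

SAMPLE_LOG = [fail_line(t, ip) for t, ip in [
    ("Mar  1 10:00:01", "203.0.113.5"), ("Mar  1 10:00:20", "203.0.113.5"),
    ("Mar  1 10:00:45", "203.0.113.5"), ("Mar  1 10:01:10", "203.0.113.5"),
    ("Mar  1 10:01:30", "203.0.113.5"),   # 5th failure inside 120 s -> banned
    ("Mar  1 10:05:00", "192.0.2.10"), ("Mar  1 10:05:30", "192.0.2.10"),
    ("Mar  1 10:06:00", "192.0.2.10"), ("Mar  1 10:06:30", "192.0.2.10"),
    ("Mar  1 10:08:00", "192.0.2.10"),    # 5 failures spread over 180 s -> no ban at findtime=120
    ("Mar  1 10:09:00", "198.51.100.7"), ("Mar  1 10:09:10", "198.51.100.7"),
    ("Mar  1 10:09:20", "198.51.100.7"), ("Mar  1 10:09:30", "198.51.100.7"),
    ("Mar  1 10:09:40", "198.51.100.7"),  # burst from an address we will allow-list
]]
```

Calling `bans_for(SAMPLE_LOG, ignoreip=["198.51.100.7"])` bans only 203.0.113.5; widening findtime to 300 s also catches the slower 192.0.2.10 burst, which is the trade-off the lesson's strict one-failure-per-day example illustrates.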