Fail2ban Rationale

Overview

If you build it, they will come, and that includes hackers. Open any port to the internet and bots will try to force their way in. Hardening the service is the first step. The second is vigilance. Use fail2ban to watch your log files and take action against attempted break-ins by dropping the offending addresses at the firewall.

Background

In order to access files while I was away from home, and share them with others, I installed pure-FTPd on my home NAS. I'd configured it to only accept explicit SSL connections (TLS) and created a handful of user accounts. This is a fairly conventional way to share files, but not one without risks.

The Problem

I was being brute-force attacked by legions of bots out on the internet. I had noticed a constant low level of traffic in my border traffic graphs, and in looking at my FTP logs I saw hundreds of thousands of failed logon attempts.

Mostly this was an annoyance. There was a very low probability that any of these brute-force dictionary attacks would succeed, mostly because I had configured the server to only accept explicit SSL connections and none of the bots were smart enough to recognize this: their cleartext login attempts were rejected before a password was ever checked.

However, the situation was still not acceptable. Hackers were taking up my bandwidth, and it would only be a matter of time before a smarter bot came along and started to actually connect using SSL. Then it would be up to the strength of the passwords I had picked.

Possible Solutions

One approach was to use access controls and restrict which IPs could connect. This is what I used with the other services I exposed. Another avenue was an intrusion prevention framework; there are numerous ones that feed off the sshd log files and act through TCP wrappers.

The Answer: fail2ban

A good intrusion prevention system was the way to go, as I couldn't always know in advance where I would be connecting from. In the end, there was only one open-source product with the flexibility to read predefined or arbitrary log files and take either predefined or user-written actions: fail2ban.

By using a system that let me create my own actions, I could go the extra mile and block hackers at the border router rather than only on the NAS itself.
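To make the mechanism behind the two options above concrete (a fixed allow-list versus log-driven banning with a user-defined action), here is a minimal fail2ban-style jail as an added example. It is not fail2ban's code and not the author's attached action; the pure-ftpd log lines are constructed in pure-ftpd's syslog style, the failregex uses fail2ban's `<HOST>` placeholder convention, the `INPUT` chain and the 192.0.2.10 "home" address are assumptions, and the iptables commands are built as lists rather than executed.

```python
"""Minimal fail2ban-style jail: a failregex over a log, a per-IP failure
counter inside a findtime window, an ignoreip allow-list, and a pluggable
ban action.  Added illustration, not fail2ban's own implementation."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed pure-ftpd-style syslog lines (illustrative, not the author's logs).
SAMPLE_LOG = """\
Nov 22 12:01:05 nas pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov 22 12:01:09 nas pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Nov 22 12:01:12 nas pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [ftp]
Nov 22 12:01:14 nas pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Nov 22 12:02:00 nas pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [admin]
Nov 22 12:03:01 nas pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]
Nov 22 12:03:04 nas pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]
Nov 22 12:03:06 nas pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]
Nov 22 12:03:20 nas pure-ftpd: (alice@192.0.2.10) [INFO] alice is now logged in
Nov 22 12:20:00 nas pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [admin]
Nov 22 12:40:00 nas pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [admin]
"""

# Written the way a fail2ban filter is: <HOST> marks the attacker address.
FAILREGEX = (r"pure-ftpd(?:\[\d+\])?: \(\?@<HOST>\) \[WARNING\] "
             r"Authentication failed for user \[.*\]")
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def iptables_drop_action(ip):
    """Build (not run) the rule an actionban would execute.  Chain name is an
    assumption; the author's own action pushed the rule to a border router."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class Jail:
    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600,
                 ignoreip=(), action=iptables_drop_action):
        host = r"(?P<host>[0-9A-Fa-f.:]+)"
        self.regex = re.compile(failregex.replace("<HOST>", host))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.action = action
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.commands = []                  # everything the action produced

    def feed(self, line):
        """Return the IP banned because of this line, or None."""
        m = self.regex.search(line)
        if not m:
            return None
        ip = m.group("host")
        ts = datetime.strptime(TIMESTAMP.match(line).group(1), "%b %d %H:%M:%S")
        self.expire(ts)
        if ip in self.banned or any(ipaddress.ip_address(ip) in n for n in self.ignore):
            return None
        window = self.failures[ip]
        window.append(ts)
        # Only failures within the last findtime seconds count toward maxretry.
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return None
        window.clear()
        self.banned[ip] = ts + timedelta(seconds=self.bantime)
        self.commands.append(self.action(ip))
        return ip

    def expire(self, now):
        """Lift bans whose bantime has elapsed (the actionunban side)."""
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]
            self.commands.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])


def process_log(text, jail):
    """Feed every line through the jail; return the IPs it banned, in order."""
    return [ip for ip in (jail.feed(line) for line in text.splitlines()) if ip]


def build_demo_jail():
    # ignoreip plays the role of the author's access-control list: the home
    # address (192.0.2.10, an assumption) is never banned however it behaves.
    return Jail(FAILREGEX, maxretry=3, findtime=600, bantime=3600,
                ignoreip=["192.0.2.10/32"])


if __name__ == "__main__":
    jail = build_demo_jail()
    print(process_log(SAMPLE_LOG, jail))
    for cmd in jail.commands:
        print(" ".join(cmd))
```

Running it bans only 203.0.113.7, which fails three times within seven seconds; 198.51.100.9 also fails three times but spread over 38 minutes, so the 10-minute findtime window never holds more than one failure and a slow, patient bot escapes. That is the trade-off every maxretry/findtime pair makes, and it is why the author's choice of a custom border-router action matters less than tuning those two numbers for the service being protected.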
Attachment: iptables-allports-router.local (2k), Allen Gattis, Nov 22, 2009, 12:31 PM