fail2ban syntax

Red Squirrel

No Lifer
May 24, 2003
69,735
13,351
126
www.betteroff.ca
I googled but can't seem to find any tutorial on this. I would like to understand what the fail2ban syntax is and how it works, as I would like to create my own custom "jails". Anyone know of a good resource on this?

For example, this is the code for ssh, but I'm not sure what the format is and what the characters and such mean, so it would be nice to have a tutorial on that. Oddly, the fail2ban site does not seem to talk much about making custom rules and how the syntax works.

Code:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
 
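What the failregex lines above actually do, as an added example that is not part of the original post and not fail2ban's own code: each line is a Python regular expression; fail2ban substitutes the `%(__prefix_line)s` macro (defined in filter.d/common.conf) and the `<HOST>` tag (a named capture group for the attacker's address) before compiling it, then counts matches per host and bans a host once `maxretry` matches fall inside `findtime` seconds. The script below re-implements that loop over three of the sshd patterns from the post so the behaviour can be seen. Simplifications, all assumptions: the prefix regex is a stand-in for common.conf (real fail2ban strips the timestamp with its own date detector before applying failregex, here the stand-in captures it), `<HOST>` is IPv4-only, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s: "Mon DD HH:MM:SS host sshd[pid]: " (assumption)
PREFIX_LINE = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# Stand-in for <HOST>: fail2ban's version also accepts IPv6 and hostnames; IPv4 only here
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Three of the sshd patterns from the post, verbatim
FAILREGEX = [
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
]

# Constructed sample log: one host fails 3 times in 4 s, one fails twice 75 min apart
LOG = """\
May 24 10:00:01 mail sshd[2001]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
May 24 10:00:03 mail sshd[2002]: Invalid user admin from 203.0.113.7
May 24 10:00:05 mail sshd[2003]: Failed password for root from 203.0.113.7 port 51130 ssh2
May 24 10:00:09 mail sshd[2005]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
May 24 10:30:00 mail sshd[2100]: Failed password for bob from 198.51.100.5 port 40100 ssh2
May 24 11:45:00 mail sshd[2200]: Failed password for bob from 198.51.100.5 port 40101 ssh2
May 24 11:45:02 mail sshd[2201]: ROOT LOGIN REFUSED FROM 192.0.2.9
"""


def compile_failregex(patterns):
    """Expand the two fail2ban macros and compile, exactly as fail2ban does before matching."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
            for p in patterns]


def parse_ts(ts):
    # syslog dates carry no year; strptime defaults to 1900, fine for relative comparisons
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def match_line(line, compiled):
    """Return (timestamp, host) for the first failregex that matches, else None."""
    for rx in compiled:
        m = rx.match(line)
        if m:
            return parse_ts(m.group("ts")), m.group("host")
    return None


def find_bans(log_text, maxretry=3, findtime=600, patterns=FAILREGEX):
    """Sliding-window count per host: ban once maxretry matches fall within findtime seconds.
    Returns {host: time_of_ban}."""
    compiled = compile_failregex(patterns)
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        hit = match_line(line, compiled)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        recent = [t for t in failures[host] if ts - t <= window]  # drop hits older than findtime
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

The same test can be done against a real log with fail2ban's own tool, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which prints how many lines each failregex matched; a custom filter for pop3 is just a new file in filter.d with its own `failregex` lines written against the mail server's failure messages, with `<HOST>` placed where the client address appears.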

ArisVer

Golden Member
Mar 6, 2011
1,345
32
91
The manual page of fail2ban is almost useless. It looks like the configuration is made through the jail.conf file or by creating a jail.local file.
Googling around I haven't found much either. Some pages that might be worth looking at:

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

http://www.thegeekstuff.com/2010/07/fail2ban-howto/

http://www.the-art-of-web.com/system/fail2ban-howto/

http://wiki.gentoo.org/wiki/Fail2ban


It also looks like this post has been posted here.
http://hardware.techassistbox.com/fail2ban-syntax_6695295.html
 

LCTSI

Member
Aug 17, 2010
93
0
66
Is this a public ssh/sftp box? If not, could you come from the other end and just whitelist the authorized devices?

I'm not a big fan of ssh jails with fail2ban, it just doesn't bring a lot to the table for ssh in particular.
 

Red Squirrel

No Lifer
May 24, 2003
69,735
13,351
126
www.betteroff.ca
Is this a public ssh/sftp box? If not, could you come from the other end and just whitelist the authorized devices?

I'm not a big fan of ssh jails with fail2ban, it just doesn't bring a lot to the table for ssh in particular.

It's internet facing, but it's mostly just me using it. It's really only me actually logging in to pop3s. So that's what I'm actually thinking of doing if I can't get fail2ban working, but it would be nice to get it working anyway. Problem is I don't have a static IP at home and I don't have the option of getting a static IP, so it's kind of a pain having to log in and change it all the time. For whatever reason my ISP has the DHCP lease set to like 10 minutes, so a very small blip, or a period where I'm saturating my connection to the point where DHCP requests take too long, and the IP changes.

For SSH fail2ban is a must, otherwise it would take only a few hours to get hacked. There are tons of bots out there for SSH brute force. It does not really matter how strong your password is or how often you change it; with all the brute force bots hitting it at once they'll eventually get in.

Mind you, I do have it running on a non-standard port with no root logons, but still, I'd rather just block the attempts.

What I think I might do is block pop3/pop3s at the firewall and set up my local home server to just establish an ssh tunnel, then fetchmail through it. More secure than having pop3 wide open as well.

Really I find it retarded that these server apps don't have brute force protection built in. This is probably just as important, if not more, than encryption.

With all these companies getting hacked left and right these days, I just realized that I'm probably not doing what I can to stay secure. I'm just not as likely to be targeted, but I don't want to bank on that fact alone.

I suppose another option is to write my own fail2ban-type app; it's not exactly something that's hard to do.
 

LCTSI

Member
Aug 17, 2010
93
0
66
It's internet facing, but it's mostly just me using it. It's really only me actually logging in to pop3s. So that's what I'm actually thinking of doing if I can't get fail2ban working, but it would be nice to get it working anyway. Problem is I don't have a static IP at home and I don't have the option of getting a static IP, so it's kind of a pain having to log in and change it all the time. For whatever reason my ISP has the DHCP lease set to like 10 minutes, so a very small blip, or a period where I'm saturating my connection to the point where DHCP requests take too long, and the IP changes.

For SSH fail2ban is a must, otherwise it would take only a few hours to get hacked. There are tons of bots out there for SSH brute force. It does not really matter how strong your password is or how often you change it; with all the brute force bots hitting it at once they'll eventually get in.

Mind you, I do have it running on a non-standard port with no root logons, but still, I'd rather just block the attempts.

What I think I might do is block pop3/pop3s at the firewall and set up my local home server to just establish an ssh tunnel, then fetchmail through it. More secure than having pop3 wide open as well.

Really I find it retarded that these server apps don't have brute force protection built in. This is probably just as important, if not more, than encryption.

With all these companies getting hacked left and right these days, I just realized that I'm probably not doing what I can to stay secure. I'm just not as likely to be targeted, but I don't want to bank on that fact alone.

I suppose another option is to write my own fail2ban-type app; it's not exactly something that's hard to do.

What I would do here is just VPN home, and use dynamic DNS at home. Then you can pop3/pop3s or ssh as you want. See duckdns.
The changing IP isn't an insurmountable issue for firewall whitelisting, you can just run a dig against a dynamic dns address every so often via a cron job to create an iptables rule to permit your access. I did this from 2002-2012 without any issues.

But no, they won't brute force your account in your lifetime, and certainly not in a few hours. They don't even know your account name.
It's trivial though to use only key auth, which they will never be able to brute force even if they know the account name.

For all of those reasons, SSH fail2ban is a solution in search of a problem in most scenarios.
Non-standard SSH daemon ports over 1024 are a bad idea in most scenarios as well, because it's an unprivileged port.
 

Red Squirrel

No Lifer
May 24, 2003
69,735
13,351
126
www.betteroff.ca
What I would do here is just VPN home, and use dynamic DNS at home. Then you can pop3/pop3s or ssh as you want. See duckdns.
The changing IP isn't an insurmountable issue for firewall whitelisting, you can just run a dig against a dynamic dns address every so often via a cron job to create an iptables rule to permit your access. I did this from 2002-2012 without any issues.

But no, they won't brute force your account in your lifetime, and certainly not in a few hours. They don't even know your account name.
It's trivial though to use only key auth, which they will never be able to brute force even if they know the account name.

For all of those reasons, SSH fail2ban is a solution in search of a problem in most scenarios.
Non-standard SSH daemon ports over 1024 are a bad idea in most scenarios as well, because it's an unprivileged port.

I've had (test) boxes hacked in a matter of hours without fail2ban... using the default port, mind you, and a standard 8 character password. There are tons of bots and other nasties out there, so it really does not take long when there's no brute force protection. It's never a matter of if but a matter of when. It's actually a fun experiment to do: set up a VM on a separate vlan (so it's not exposed to your network) and enable ssh on port 22 with a basic enough password, like username test and an alphanumeric password.

Give it about an hour. Thankfully there do not seem to be such bots for pop3 though, but I still need to be proactive.

I think I may just go the SSH tunnel route if I can't get fail2ban to work. You would think the documentation would be better, but it really does suck; it seems you are stuck using whatever comes standard with it and that's it, as they don't explain the syntax.
 

LCTSI

Member
Aug 17, 2010
93
0
66
I've had (test) boxes hacked in a matter of hours without fail2ban... using the default port, mind you, and a standard 8 character password. There are tons of bots and other nasties out there, so it really does not take long when there's no brute force protection. It's never a matter of if but a matter of when. It's actually a fun experiment to do: set up a VM on a separate vlan (so it's not exposed to your network) and enable ssh on port 22 with a basic enough password, like username test and an alphanumeric password.

Give it about an hour. Thankfully there do not seem to be such bots for pop3 though, but I still need to be proactive.

I think I may just go the SSH tunnel route if I can't get fail2ban to work. You would think the documentation would be better, but it really does suck; it seems you are stuck using whatever comes standard with it and that's it, as they don't explain the syntax.

But how did they know your usernames?

There are 218,340,105,584,896 combinations in an 8-char alphanumeric PW. This isn't a large key space for offline attacks, but it's not something that's even possible in a couple of hours for remote.

8-Char Alphanumeric:
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 70.56 centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 36.99 minutes
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 2.22 seconds

Now I do have dozens of machines out in the wild with thousands of accounts apiece... no brute force, it's been 12 years now. The account compromises we get alerts for are always end-users getting trojans. :shrug: Are you sure your machine is clean?

FWIW you can rate-limit connections to port 22 with iptables. You could do it by the dst port or per source IP. Just Google the "recent" module for netfilter.
You can also blacklist with pam_abl, which will prevent a lot of brute force attacks from inside PAM.
Alternatively you could just ignore the log entries that the failed attempts create. They're not getting in, and they only have brute success on horrendously simple passwords for default accounts, so no need to worry.
 
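The two firewall-side measures suggested in this thread, the dynamic-DNS whitelist refreshed from cron (the earlier reply) and the netfilter `recent` rate limit on port 22 (this reply), as an added example that is not part of the thread and not anyone's posted script. It is a Python cron script for a Linux box; the dynamic DNS name `home.example.org`, the chain name `DDNS_ALLOW`, pop3/pop3s on 110/995 and the 4-connections-per-minute threshold are all assumptions, and the rest of the host's firewall is assumed to stay as it is. The point worth copying is the validation step: the resolved address comes from DNS and is spliced into an iptables command, so anything that is not a plausible unicast IPv4 address is refused rather than applied.

```python
import ipaddress
import socket
import subprocess

# Hypothetical names and values (assumptions); adjust to the real setup.
DDNS_NAME = "home.example.org"   # dynamic DNS name registered for the home connection
CHAIN = "DDNS_ALLOW"             # chain whose contents are rebuilt on every cron tick
SSH_PORT = "22"
MAIL_PORTS = "110,995"           # pop3, pop3s


def resolve_ipv4(name, resolver=socket.gethostbyname):
    """Resolve the dynamic DNS name and sanity-check the answer before it goes
    into a firewall rule: a DNS answer is attacker-influenced input."""
    addr = ipaddress.ip_address(resolver(name))   # ValueError on anything that is not an IP
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 answer for {name}, got {addr}")
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
        raise ValueError(f"refusing to whitelist {addr}")
    return str(addr)


def whitelist_rules(allowed_ip):
    """Rules run on every cron tick: rebuild the whitelist chain with the current address."""
    ipaddress.IPv4Address(allowed_ip)   # fail closed on a malformed address
    return [
        ["iptables", "-N", CHAIN],                                   # fails harmlessly once the chain exists
        ["iptables", "-F", CHAIN],
        ["iptables", "-A", CHAIN, "-s", allowed_ip, "-j", "ACCEPT"],
        ["iptables", "-A", CHAIN, "-j", "RETURN"],                   # everyone else falls through
    ]


def static_rules():
    """Rules installed once (after the first whitelist refresh created the chain)."""
    new = ["-m", "conntrack", "--ctstate", "NEW"]
    return [
        # the home address gets straight in to ssh and pop3/pop3s
        ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "multiport", "--dports",
         f"{SSH_PORT},{MAIL_PORTS}", *new, "-j", CHAIN],
        # pop3/pop3s from anywhere else is dropped outright
        ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "multiport", "--dports", MAIL_PORTS, *new, "-j", "DROP"],
        # ssh from anywhere else: the 4th new connection from one source within 60 s is dropped;
        # pair this with key-only authentication in sshd_config
        ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", SSH_PORT, *new,
         "-m", "recent", "--set", "--name", "SSH"],
        ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", SSH_PORT, *new,
         "-m", "recent", "--update", "--seconds", "60", "--hitcount", "4", "--name", "SSH", "-j", "DROP"],
        ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", SSH_PORT, *new, "-j", "ACCEPT"],
    ]


def apply_rules(rules, runner=subprocess.run):
    """Execute the rules in order; only chain creation (-N) is allowed to fail. Returns the count."""
    for argv in rules:
        runner(argv, check=(argv[1] != "-N"))
    return len(rules)


if __name__ == "__main__":
    # cron entry (assumption): */5 * * * * /usr/local/sbin/ddns_whitelist.py
    apply_rules(whitelist_rules(resolve_ipv4(DDNS_NAME)))
```

Because the INPUT rules only jump into the chain, the cron job never touches INPUT itself, so a failed resolution leaves the previous address in place instead of opening or closing anything, and a bad answer raises before any iptables command runs.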

Red Squirrel

No Lifer
May 24, 2003
69,735
13,351
126
www.betteroff.ca
But how did they know your usernames?

There are 218,340,105,584,896 combinations in an 8-char alphanumeric PW. This isn't a large key space for offline attacks, but it's not something that's even possible in a couple of hours for remote.

8-Char Alphanumeric:
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 70.56 centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 36.99 minutes
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 2.22 seconds

Now I do have dozens of machines out in the wild with thousands of accounts apiece... no brute force, it's been 12 years now. The account compromises we get alerts for are always end-users getting trojans. :shrug: Are you sure your machine is clean?

FWIW you can rate-limit connections to port 22 with iptables. You could do it by the dst port or per source IP. Just Google the "recent" module for netfilter.
You can also blacklist with pam_abl, which will prevent a lot of brute force attacks from inside PAM.
Alternatively you could just ignore the log entries that the failed attempts create. They're not getting in, and they only have brute success on horrendously simple passwords for default accounts, so no need to worry.

Well to be fair, in my case the username was "test" so it was probably one of the first ones it tried during the dictionary attack. The password was also a simple password as it was just a test server. (I had no idea it would get hacked that fast at the time).

The number of combinations does not mean they have to all be tried.

Either way it's always a question of when and not if, so brute forcing is something that needs to be stopped automatically. It has been the way it is now for a very long time and I've been fine, though I still don't want to bank on that fact. Better to be proactive and not reactive.

I forgot about rate limiting connections though, I'll have to experiment with that. Port 22 is covered, fail2ban works for it, but it's pop3 and pop3s I need to protect. Basically to stop someone from eventually getting into a pop account. The passwords I'm using are ridiculously complex and long though so not THAT worried, but still want to protect it anyway.
 