stopping http attacks using fail2ban

Hi,

My site was constantly under attack from .ru-based IPs looking for /mambots/search.php. I was using Joomla on this website and my website was hacked one time.

I created a new filter in filter.d as apache-404.conf and a new entry in jail.conf:

```ini
[apache-404]
enabled  = true
filter   = apache-404
# Two actions: ban the host with iptables, then mail a whois report.
# The second action line is indented so fail2ban reads it as a continuation.
action   = iptables[name=WWW, port=http, protocol=tcp]
           sendmail-whois[name=www, dest=richard@mydomain.net, sender=fail2ban@mydomain.net]
logpath  = /var/log/httpd/access_log
maxretry = 2
```

Working all fine … this is really great.

Richard
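As an added example (not Richard's actual apache-404.conf, which the post does not include): a failregex one could put in filter.d/apache-404.conf to match 404 responses in the Apache access_log, plus a Python check that applies the same pattern to constructed log lines and reports which client IPs reach maxretry = 2. The <HOST> substitution and the per-IP count mirror what fail2ban does; the jail's findtime/bantime windows are ignored here.

```python
import re
from collections import Counter

# Assumed failregex for filter.d/apache-404.conf (not the original poster's file).
# fail2ban replaces <HOST> with its own host-matching group; we do the same below.
FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD)[^"]*" 404 .*$'
MAXRETRY = 2   # same value as the jail.conf entry in the post


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def hosts_to_ban(log_lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Count matching lines per client IP; return IPs with at least maxretry hits.

    The real jail only counts hits inside a findtime window and lifts the ban
    after bantime seconds; this check ignores timing entirely.
    """
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        m = pattern.match(line)
        if m:
            hits[m.group("host")] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


# Constructed sample access_log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2009:13:55:36 +0000] "GET /mambots/search.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2009:13:55:37 +0000] "GET /mambots/search.php?x=1 HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2009:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2009:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2009:13:57:10 +0000] "POST /mambots/search.php HTTP/1.0" 404 289 "-" "-"',
]

if __name__ == "__main__":
    # Only the scanner probing /mambots/search.php twice reaches maxretry.
    print(hosts_to_ban(SAMPLE_LOG))   # → ['192.0.2.10']
```

Note that a legitimate visitor with a single missing favicon stays under the threshold, while lowering maxretry to 1 would ban that visitor too, which is the false-positive trade-off this jail carries.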

18 Replies

Just to give an idea ..with 5 minutes 10 hosts were blocked.

So you can imagine the constant attacks ..

Richard

fail2ban does not provide any added security. It merely helps keep your log files clean. If you were hacked without it, and haven't fixed the underlying problem, you'll be hacked with it.

@Guspaz:

fail2ban does not provide any added security. It merely helps keep your log files clean. If you were hacked without it, and haven't fixed the underlying problem, you'll be hacked with it.

fail2ban doesn't provide any security? What's the "ban" part then?

I agree that it won't stop vulnerable code from being exploited, but it should stop attempts to brute force passwords. Or do you know something I don't?

The "ban" part is what keeps your log files a bit cleaner. It won't stop a botnet from brute forcing a password, and since it removes bans after a few minutes, even for single hosts it only slows down brute force attempts. If you're afraid of brute forced passwords, switch to key-based auth.

fail2ban does not provide any extra security; anybody relying on it for this purpose is in for a nasty surprise.

You'd be better off with http://www.modsecurity.org/ to protect from potential exploits. Of course nothing beats well written code ;)

@Guspaz:

fail2ban does not provide any extra security; anybody relying on it for this purpose is in for a nasty surprise.

Maybe you're using it differently than I am, but my fail2ban watches logs, and when someone fails more than the specified amount, it adds an iptables filter to block them. So I have no idea what you're talking about.

So what happens if they have a botnet with 100 IPs and say your script blocks after 5 bad attempts: they have 500 attempts to crack you.

Something like mod_security filters every bad request, stopping the exploit; fail2ban only prevents things like log flooding and DoS attacks (not so good at DDoS).

@obs:

Of course nothing beats well written code

Be sure to let us know if you find some.

I use both fail2ban and iptables rate limiting.

These sites are helpful too:

http://www.countryipblocks.net/

http://www.okean.com/thegoods.html

@obs:

So what happens if they have a botnet with 100 IPs and say your script blocks after 5 bad attempts: they have 500 attempts to crack you.

Something like mod_security filters every bad request, stopping the exploit; fail2ban only prevents things like log flooding and DoS attacks (not so good at DDoS).

I'm not saying installing fail2ban will give your server magical protection. But assuming a server with fail2ban vs one without, fail2ban increases security. Given your example, I'd rather them have 500 attempts than the fairly unlimited number they'd otherwise have.

While it's useful to point out the limitations of security techniques, broad statements like "fail2ban doesn't increase security" are counterproductive.

Security is like an onion. There are layers, and no single layer is going to do all the work. fail2ban is just a layer, albeit a feeble one.

@akerl:

I'm not saying installing fail2ban will give your server magical protection. But assuming a server with fail2ban vs one without, fail2ban increases security. Given your example, I'd rather them have 500 attempts than the fairly unlimited number they'd otherwise have.

But, by default at least, they do have an unlimited number of tries. fail2ban removes bans after a few minutes for several reasons. This is ignoring the fact that large botnets can have millions of compromised machines… But they don't even need that many.

The default setting for fail2ban is 600 seconds per ban after 3 tries.

Let's say they want to hit you 10 times per second. This would require only 2000 machines, which is tiny for a botnet.

@akerl:

While it's useful to point out the limitations of security techniques, broad statements like "fail2ban doesn't increase security" are counterproductive.

It's not counterproductive, it's a productive warning to say "Don't rely on fail2ban, it provides no added security, at best it merely slows down brute force attacks but does nothing to prevent them."

A false sense of security is dangerous.

@Guspaz:

Don't rely on fail2ban, it provides no added security, at best it merely slows down brute force attacks but does nothing to prevent them.

Correct me if I'm wrong, but "slow(ing) down brute force attacks" sounds suspiciously like security to me. Arguing counter to that is like arguing that having a lock on your door doesn't secure your house. Anyone who wants to get in will quickly and easily bypass your lock, but you don't see many people arguing for lockless front doors.

The only way to prevent brute force attacks in the manner you seem to be implying is to turn off your server. As long as you have open ports, someone will be able to jump through hoops and brute force you if they want to badly enough.

@akerl:

Arguing counter to that is like arguing that having a lock on your door doesn't secure your house.

No, having fail2ban on your house means you have a guy by the door who takes away the burglar's keyring after he tries three incorrect keys, but then gives it back 10 minutes later.

@pclissold:

No, having fail2ban on your house means you have a guy by the door who takes away the burglar's keyring after he tries three incorrect keys, but then gives it back 10 minutes later.

My point is that this is a step up from the burglar trying all 1000 keys at once. There is a vast area between "no added security" and "ideal security", and fail2ban is one part of the transition from A to B.

I agree that it doesn't fully secure your server. But it does provide some security. Saying it doesn't is false.

True statement -> "Fail2ban alone does not provide enough security to protect a server."

False statement -> "Fail2ban does not add security."

Can we agree on "it will slow down honorable gentlemen who are trying to fill up /var/log"?

That's security, I suppose.

@pclissold:

@akerl:

Arguing counter to that is like arguing that having a lock on your door doesn't secure your house.

No, having fail2ban on your house means you have a guy by the door who takes away the burglar's keyring after he tries three incorrect keys, but then gives it back 10 minutes later.

This^^

@bcoker:

@pclissold:

@akerl:

Arguing counter to that is like arguing that having a lock on your door doesn't secure your house.

No, having fail2ban on your house means you have a guy by the door who takes away the burglar's keyring after he tries three incorrect keys, but then gives it back 10 minutes later.

This^^

Thank you for necroposting this dead argument with your wisdom.
