Fail2Ban in action

Created 7 months ago
Posted By admin
Fail2Ban is a powerful security tool that actively monitors log files, identifies malicious activity, and takes preventive measures to block or limit access from potentially harmful IP addresses. In this article, we'll explore different scenarios where Fail2Ban proves its effectiveness in thwarting various types of attacks, along with the corresponding regex filters used for each scenario.

Scenario 1: SSH Brute-Force Attack
1. Event:
Multiple failed login attempts are detected in the SSH server log.

Authentication failure for user john from 203.0.113.5 port 22 ssh2
Authentication failure for user john from 203.0.113.5 port 22 ssh2
Authentication failure for user john from 203.0.113.5 port 22 ssh2

2. Fail2Ban action:
Fail2Ban detects the repeated failures and matches them against the configured SSH jail rules. The offending IP address (203.0.113.5) is banned for a specified period.

   - Filter (regex pattern):
failregex = ^Authentication failure for user \S+ from <HOST> port \d+

3. Log entry:
A corresponding log entry is generated in the Fail2Ban log.

Ban 203.0.113.5

4. Result:
The IP address 203.0.113.5 is blocked from further SSH access for the configured ban time.


Scenario 2: Web Server (Apache) Brute-Force Attack
1. Event:
Numerous failed login attempts are detected in the Apache web server logs.

[error] [client 203.0.113.6] user john: authentication failure for "/secure-area": Password Mismatch
[error] [client 203.0.113.6] user john: authentication failure for "/secure-area": Password Mismatch
[error] [client 203.0.113.6] user john: authentication failure for "/secure-area": Password Mismatch

2. Fail2Ban action:
Fail2Ban identifies the pattern of failed login attempts in the Apache logs and triggers the appropriate jail. The IP address 203.0.113.6 is banned for a specified duration.

   - Filter (regex pattern):
failregex = ^\[error\] \[client <HOST>\] user \S+: authentication failure for ".+": Password Mismatch

3. Log entry:
A log entry is recorded in the Fail2Ban log.

Ban 203.0.113.6

4. Result:
Access from the IP address 203.0.113.6 is denied for the configured ban time, protecting the web server.


Scenario 3: Custom Application Log Monitoring
1. Event:
Unusual patterns or errors are detected in a custom application log file.

[custom-app] Invalid API request from IP 203.0.113.7: unauthorized access
[custom-app] Invalid API request from IP 203.0.113.7: unauthorized access

2. Fail2Ban action:
A custom Fail2Ban filter is configured to match specific patterns in the custom application log. Fail2Ban identifies the unauthorized access attempts and bans the IP address 203.0.113.7.

   - Filter (regex pattern):
failregex = ^\[custom-app\] Invalid API request from IP <HOST>: unauthorized access

3. Log entry:
A log entry is generated in the Fail2Ban log.

Ban 203.0.113.7

4. Result:
The IP address 203.0.113.7 is blocked, preventing further unauthorized access to the custom application.


Scenario 4: FTP Server Brute-Force Attack
1. Event:
Repetitive failed login attempts are detected in the FTP server logs.

[ftp] Authentication failed for user jane from 203.0.113.8 port 21
[ftp] Authentication failed for user jane from 203.0.113.8 port 21
[ftp] Authentication failed for user jane from 203.0.113.8 port 21

2. Fail2Ban action:
Fail2Ban monitors the FTP server logs and recognizes the pattern of unsuccessful login attempts. The IP address 203.0.113.8 is identified as a potential threat and is banned for a specified time.

   - Filter (regex pattern):
failregex = ^\[ftp\] Authentication failed for user \S+ from <HOST> port \d+

3. Log entry:
Fail2Ban creates a log entry to document the action taken.

Ban 203.0.113.8

4. Result:
Access from the IP address 203.0.113.8 is restricted for the configured ban time, thwarting any further FTP server login attempts from the suspicious source.


Scenario 5: Database Server Unauthorized Access
1. Event:
Suspicious activities are detected in the database server logs, indicating unauthorized access.

[database] Unauthorized connection attempt from IP 203.0.113.9: Access Denied
[database] Unauthorized connection attempt from IP 203.0.113.9: Access Denied
[database] Unauthorized connection attempt from IP 203.0.113.9: Access Denied

2. Fail2Ban action:
Fail2Ban's custom filter for database server logs triggers as it identifies the unauthorized connection attempts. The IP address 203.0.113.9 is automatically banned for a specific duration.

   - Filter (regex pattern):
failregex = ^\[database\] Unauthorized connection attempt from IP <HOST>: Access Denied

3. Log entry:
Fail2Ban records the ban action in its log file.

Ban 203.0.113.9

4. Result:
The IP address 203.0.113.9 is barred from accessing the database server for the configured ban time, safeguarding sensitive data from potential unauthorized access.
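To see how the five filters above behave together, here is an added Python model of a jail (written for this article, not Fail2Ban's own code): it expands the <HOST> token of each failregex into a capture group, counts matches per source address inside a sliding findtime window, and bans once maxretry is reached. The maxretry/findtime/bantime values and the simplified <HOST> expansion are assumptions; the regex patterns and sample lines are the ones from the scenarios.

```python
import re
from collections import defaultdict, deque

# Jail thresholds (constructed to mirror typical jail.local values; not from the article)
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600

# The five failregex patterns given in the article, keyed by a jail name
FAILREGEX = {
    "sshd":     r"^Authentication failure for user \S+ from <HOST> port \d+",
    "apache":   r'^\[error\] \[client <HOST>\] user \S+: authentication failure for ".+": Password Mismatch',
    "custom":   r"^\[custom-app\] Invalid API request from IP <HOST>: unauthorized access",
    "ftp":      r"^\[ftp\] Authentication failed for user \S+ from <HOST> port \d+",
    "database": r"^\[database\] Unauthorized connection attempt from IP <HOST>: Access Denied",
}

def compile_failregex(pattern):
    """Expand <HOST> into a named group (simplified: Fail2Ban's real expansion
    also accepts IPv6 addresses and hostnames; \\S+ suffices for these samples)."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))

class Jail:
    """One jail: count matches per host in a sliding findtime window, ban at maxretry."""
    def __init__(self, name, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.name, self.regex = name, compile_failregex(FAILREGEX[name])
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> time (s) the ban expires
        self.log = []                       # what Fail2Ban would write to its own log

    def feed(self, ts, line):
        """Feed one log line; ts is its timestamp in seconds (kept separate because
        Fail2Ban strips the date before failregex). Returns the host banned by this line or None."""
        for host, until in list(self.banned.items()):  # expire finished bans
            if ts >= until:
                del self.banned[host]
                self.log.append(f"[{self.name}] Unban {host}")
        m = self.regex.search(line)
        if not m or m.group("host") in self.banned:
            return None
        host = m.group("host")
        q = self.failures[host]
        q.append(ts)
        while ts - q[0] > self.findtime:  # drop failures outside the window
            q.popleft()
        if len(q) < self.maxretry:
            return None
        self.banned[host] = ts + self.bantime
        q.clear()
        self.log.append(f"[{self.name}] Ban {host}")
        return host
```

Feeding the three sshd sample lines at 0, 10 and 20 seconds yields a ban on the third line and a "[sshd] Ban 203.0.113.5" entry, mirroring the log entry shown in Scenario 1; the same failures spread wider than findtime never reach maxretry.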


These scenarios demonstrate how Fail2Ban, with its flexible configuration and regex-based filtering, actively responds to security events across various services, automatically banning IP addresses exhibiting suspicious behavior. Regular monitoring of Fail2Ban logs provides insights into ongoing security incidents and helps maintain the integrity of the protected systems.