less fail2ban-how-to-setup-with-blocklist-reporting.md
Fail2Ban: how-to setup with Blocklist reporting
# historical archive — written years ago, kept as it was. Some info is dated.
Today we will install and configure fail2ban not only so that it blocks any threats against our system, but so that it contributes to reporting the origin of attacks to the blocklist.de site.
So, our system will be able to read the signals of suspicious activity directed at our server and activate the appropriate firewall protections.
What’s under the hood?! (What is all this about?)
Fail2ban combs through our log files (e.g. /var/log/apache/error_log) and blocks the IPs that behave abnormally (failed password attempts, sending of exploits, etc..). Once Fail2ban has identified the threat, it will instruct our firewall to prevent that IP, for a set period of time, from continuing with its purpose. It can also perform other specific actions, such as sending an email to the system administrator with the details of the threat and various reports on the blocked IP.
At installation time Fail2ban already comes with a proper set of filters for various services (apache, courier, postfix, dovecot, ssh, etc..). We will see how to implement them and make them, if anything, more stringent and performant.
Pay attention: Fail2ban will also be able to detect any threats that idlers may launch against our server, but nothing can prevent anyone from breaching a system that uses poor protection/authentication factors!
Make sure your system is up to date! (if it isn’t… well … do it!!!)
LET’S ENABLE FAIL2BAN
Let’s install what is needed
apt-get install fail2ban
Before proceeding further, go to blocklist.de and register. Add your servers and obtain a related API-Key for each of them. For each server assign a unique email!!!
LET’S PROCEED WITH THE CONFIGURATION
Now, the configuration files that are installed through the fail2ban package are a bit bare. We will replace them with something more performant that already contains everything needed to send our reports to blocklist.de!
Download the following .zip file from github.com
cd /tmp; wget -c https://github.com/fail2ban/fail2ban/archive/master.zip -O fail2ban.zip
unzip fail2ban.zip
If the service is already active, let’s stop it and proceed to replace the configuration files (better if you make a backup of the /etc/fail2ban folder):
service fail2ban stop
cd /tmp/fail2ban-master
rm -rf /etc/fail2ban/*
cp -arfv config/* /etc/fail2ban/
Almost done…
Now all we have to do is create the file /etc/fail2ban/jail.local. This file will override every other configuration, tailoring everything to our needs.
vi /etc/fail2ban/jail.local
I’ll leave you, by way of example, my jail.local. You will notice that there is a modification of the default reporting behavior. In addition to the report, an email will be sent to the administrator with the details of both the IP and the type of threat. Remember to replace the email data and the API key assigned to your server…
Maybe I forgot to tell you one thing: the reporting of the relevant IP needs to be confirmed. You will therefore receive an email to confirm that the report is valid.
Contributing to making the network a better place is everyone’s duty, so take this seriously and good luck!