Fail2ban is open-source software that protects servers by monitoring system logs for failed login attempts and other suspicious activity. When a user exceeds a specified number of failed login attempts or performs other suspicious activity, Fail2ban automatically bans the user's IP address for a specified amount of time. This helps to prevent brute-force attacks and other threats against the server.
Fail2ban supports a wide range of services, including SSH, FTP, SMTP, HTTP and many more. It uses regular expressions to analyse log files and identify patterns of suspicious behaviour. Fail2ban is highly customisable: users can configure parameters such as the number of failed login attempts required for a ban and the duration of the ban.
Fail2ban is widely used in the Linux community and is considered an essential tool for securing servers against attacks. It is easy to install and configure, and it is compatible with most Linux distributions.
Linux Server
Wazuh Server/Cluster
Install Fail2ban using apt
sudo apt-get install fail2ban
Change to the Fail2ban jail configuration directory
cd /etc/fail2ban/jail.d/
Create a new file for SSH named sshd.conf using vim
vim sshd.conf
and add these settings
[sshd]
enabled=true
port=22
logpath=/var/log/auth.log
maxretry=3
bantime=86400
SSH runs on port 22 by default and its logs are written to the auth.log file in /var/log. Fail2ban monitors that log and checks for failed login entries. When the failed attempts for a given user reach 3, that user's IP address is banned for 1 day (86400 seconds).
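As an added example (not part of the original guide and not Fail2ban's own code), the Python script below shows what the jail above does in practice: it matches failed-password lines from auth.log with a simplified stand-in for the sshd filter regex, counts failures per source IP, and issues a one-day ban at the third failure. It assumes Fail2ban's default findtime of 10 minutes, which the jail above does not set, and runs over constructed log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail parameters from the sshd.conf above; findtime is not set there, so
# Fail2ban's default of 10 minutes is assumed.
MAXRETRY, BANTIME, FINDTIME = 3, 86400, 600

# Simplified stand-in for Fail2ban's sshd filter: one failed-password pattern.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(ts, year=2024):
    # auth.log timestamps carry no year; one is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for each source IP with maxretry failures inside
    a findtime window. Fail2ban counts per IP, whatever user names were tried."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                           # accepted logins etc. are ignored
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and when < bans[ip]:
            continue                           # still banned: nothing to count
        recent = [t for t in failures[ip] if when - t <= timedelta(seconds=findtime)]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= maxretry:            # third failure in the window: ban
            bans[ip] = when + timedelta(seconds=bantime)
            failures[ip] = []
    return bans

# Constructed sample auth.log lines (not real traffic): 203.0.113.5 fails three
# times in seconds; 198.51.100.9 fails three times but spread past findtime.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar  3 10:00:06 host sshd[1205]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar  3 10:00:09 host sshd[1207]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar  3 10:00:12 host sshd[1209]: Failed password for deploy from 198.51.100.9 port 40002 ssh2
Mar  3 10:05:00 host sshd[1211]: Failed password for deploy from 198.51.100.9 port 40004 ssh2
Mar  3 10:15:30 host sshd[1213]: Failed password for deploy from 198.51.100.9 port 40006 ssh2
""".splitlines()
```

Running `run_jail(SAMPLE_LOG)` bans only 203.0.113.5; the slower attempts from 198.51.100.9 never reach three failures inside one findtime window.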
Install the Wazuh agent on the Linux server
Add the Fail2ban log file path to the agent's configuration file and restart the agent.
Add decoders for the Fail2ban service in the
Restart the manager
Adding Fail2ban use cases
Make the following dashboard
Fail2ban is a very good way to block brute-force attacks against SSH/Apache services and can be used on internet-facing servers that have no firewall in front of them.