Fail2Ban Custom Jails: 20 Example Configurations

In today’s digital landscape, protecting your system from unauthorized access is essential. Fail2Ban is an open-source security tool that can help. It automatically scans log files for suspicious behavior and bans offending IP addresses, preventing further unauthorized access attempts. Custom jails provide an additional layer of security, allowing you to create tailored filters and actions for specific applications or services. This article will explore 20 example configurations for custom jails, with example commands and configuration settings to help you get started.

How Fail2Ban works

Fail2Ban is an open-source security tool designed to protect your server from unauthorized access by scanning log files for multiple failed login attempts or other malicious activities. When it detects such activity, it bans the offending IP address, preventing further unauthorized access attempts. This helps to minimize the risk of brute-force attacks and other security threats.

Benefits of using Fail2Ban

Fail2Ban provides several key benefits to help keep your server secure:

  • Automatic IP blocking: Fail2Ban scans log files and automatically bans IP addresses exhibiting suspicious behavior.
  • Customization: You can create custom jails and filters tailored to your server’s specific needs.
  • Extensibility: Fail2Ban supports a variety of services and applications, allowing for comprehensive protection.

Understanding Custom Jails

Why create custom jails?

Custom jails provide an additional layer of security by allowing you to specify unique filters and actions for specific applications or services. By creating custom jails, you can better protect your server from targeted attacks and ensure optimal performance.

Components of a custom jail

To create a custom jail, you must understand its three main components: filter, action, and configuration.

Filter

A filter specifies the pattern that Fail2Ban searches for within the log files. This pattern is typically a regular expression that matches the log entries indicating malicious activity. By creating custom filters, you can identify and block specific types of attacks, such as repeated login attempts or brute-force attacks.

Action

An action specifies what Fail2Ban should do once it detects a match in the log files. This can include banning the offending IP address, sending notifications, or executing custom scripts. By defining custom actions, you can respond to attacks in a way that fits your security needs.

Jail configuration

The jail configuration ties the filter and action together, specifying the log file to monitor, the ban time, and other parameters. By customizing these settings, you can fine-tune your custom jail to meet the specific needs of your server.

Understanding these components allows you to create custom jails that provide targeted protection against specific security threats.

20 Example Configurations of Custom Jails

This section explores 20 example configurations for custom jails. These examples can help you better understand how to create custom filters, actions, and configurations to secure your server. Each configuration is designed to protect against a specific type of security threat, such as SSH brute-force attacks or Nginx HTTP authentication attacks.

It’s important to note that these examples are just a starting point – they can be customized to fit the unique needs of your server. As discussed earlier, understanding the components of a custom jail lets you create jails that provide targeted protection against specific security threats.

1-5

  1. SSH brute-force protection:

Create a custom jail to protect against SSH brute-force attacks by scanning the SSH log file for multiple failed login attempts within a specified timeframe.

[sshd-custom]
enabled = true
filter = sshd
logpath = /var/log/auth.log
bantime = 3600
findtime = 600
maxretry = 3
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]

  2. Nginx HTTP authentication:

Configure a jail to protect against brute-force attacks targeting Nginx HTTP authentication by monitoring Nginx log files for repeated failed authentication attempts.

[nginx-http-auth-custom]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=nginx, port="http,https", protocol=tcp]

  3. Postfix SMTP authentication:

Set up a custom jail to protect your Postfix mail server against SMTP brute-force attacks by monitoring Postfix log files for repeated authentication failures.

[postfix-smtp-auth-custom]
enabled = true
filter = postfix-auth
logpath = /var/log/mail.log
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=postfix, port="smtp", protocol=tcp]

  4. Dovecot IMAP/POP3 authentication:

Implement a custom jail to secure your Dovecot mail server against IMAP and POP3 authentication brute-force attacks by monitoring Dovecot log files for repeated authentication failures.

[dovecot-imap-pop3-auth-custom]
enabled = true
filter = dovecot-auth
logpath = /var/log/dovecot.log
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=dovecot, port="imap,imaps,pop3,pop3s", protocol=tcp]

  5. WordPress login protection:

Create a custom jail to protect your WordPress website against brute-force login attacks by scanning the access log for multiple failed login attempts.

[wordpress-login-custom]
enabled = true
filter = wordpress-auth
logpath = /var/log/nginx/access.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]

6-10

  6. MySQL authentication protection:

Secure your MySQL server against brute-force attacks targeting the MySQL authentication by monitoring the MySQL error log.

[mysql-auth-custom]
enabled = true
filter = mysql-auth
logpath = /var/log/mysql/error.log
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=mysql, port="3306", protocol=tcp]

  7. FTP login protection:

Set up a custom jail to protect your FTP server from brute-force login attacks by monitoring the FTP server log.

[vsftpd-custom]
enabled = true
filter = vsftpd
logpath = /var/log/vsftpd.log
bantime = 3600
findtime = 600
maxretry = 3
action = iptables-multiport[name=vsftpd, port="ftp", protocol=tcp]

  8. Apache authentication protection:

Configure a custom jail to protect your Apache server against brute-force attacks targeting the HTTP authentication by scanning Apache log files.

[apache-auth-custom]
enabled = true
filter = apache-auth
logpath = /var/log/apache2/error.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=apache, port="http,https", protocol=tcp]

  9. Roundcube webmail login protection:

Implement a custom jail to protect your Roundcube webmail against login brute-force attacks by monitoring the Roundcube log files.

[roundcube-auth-custom]
enabled = true
filter = roundcube-auth
logpath = /var/log/roundcube/errors.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=roundcube, port="http,https", protocol=tcp]

  10. Samba file sharing protection:

Create a custom jail to protect your Samba file-sharing server against brute-force attacks by monitoring the Samba log files.

[samba-custom]
enabled = true
filter = samba
logpath = /var/log/samba/log.*
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=samba, port="139,445", protocol=tcp]

11-15

  11. Joomla login protection:

Set up a custom jail to protect your Joomla website against login brute-force attacks by scanning the access log for failed login attempts.

[joomla-login-custom]
enabled = true
filter = joomla-auth
logpath = /var/log/nginx/access.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=joomla, port="http,https", protocol=tcp]

  12. Drupal login protection:

Create a custom jail to secure your Drupal website against login brute-force attacks by monitoring the access log for multiple failed login attempts.

[drupal-login-custom]
enabled = true
filter = drupal-auth
logpath = /var/log/nginx/access.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=drupal, port="http,https", protocol=tcp]

  13. Moodle login protection:

Implement a custom jail to protect your Moodle e-learning platform from login brute-force attacks by scanning the access log for repeated failed login attempts.

[moodle-login-custom]
enabled = true
filter = moodle-auth
logpath = /var/log/nginx/access.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=moodle, port="http,https", protocol=tcp]

  14. Nextcloud login protection:

Configure a custom jail to protect your Nextcloud instance against login brute-force attacks by monitoring the Nextcloud log file for multiple failed login attempts.

[nextcloud-login-custom]
enabled = true
filter = nextcloud-auth
logpath = /var/nextcloud/data/nextcloud.log
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=nextcloud, port="http,https", protocol=tcp]

  15. ProFTPD login protection:

Set up a custom jail to secure your ProFTPD server against brute-force login attacks by scanning the ProFTPD log file for repeated failed login attempts.

[proftpd-custom]
enabled = true
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
bantime = 3600
findtime = 600
maxretry = 3
action = iptables-multiport[name=proftpd, port="ftp", protocol=tcp]

16-20

  16. OpenVPN authentication protection:

Create a custom jail to protect your OpenVPN server against authentication brute-force attacks by monitoring the OpenVPN log files.

[openvpn-auth-custom]
enabled = true
filter = openvpn
logpath = /var/log/openvpn.log
bantime = 3600
findtime = 600
maxretry = 3
action = iptables-multiport[name=openvpn, port="1194", protocol=udp]

  17. Exim SMTP authentication protection:

Configure a custom jail to protect your Exim mail server against SMTP authentication brute-force attacks by scanning the Exim log files.

[exim-smtp-auth-custom]
enabled = true
filter = exim-auth
logpath = /var/log/exim/main.log
bantime = 3600
findtime = 600
maxretry = 5
action = iptables-multiport[name=exim, port="smtp", protocol=tcp]

  18. Plesk panel login protection:

Implement a custom jail to secure your Plesk panel against login brute-force attacks by monitoring the Plesk log files for multiple failed login attempts.

[plesk-panel-login-custom]
enabled = true
filter = plesk-panel-auth
logpath = /var/log/plesk/panel.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=plesk, port="http,https", protocol=tcp]

  19. cPanel login protection:

Set up a custom jail to protect your cPanel server against login brute-force attacks by scanning the cPanel log files for repeated failed login attempts.

[cpanel-login-custom]
enabled = true
filter = cpanel-auth
logpath = /var/log/cpanel/login_log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=cpanel, port="2082,2083,2086,2087", protocol=tcp]

  20. Webmin login protection:

Create a custom jail to secure your Webmin server against login brute-force attacks by monitoring the Webmin log files for multiple failed login attempts.

[webmin-login-custom]
enabled = true
filter = webmin-auth
logpath = /var/log/webmin/miniserv.log
bantime = 1800
findtime = 300
maxretry = 5
action = iptables-multiport[name=webmin, port="10000", protocol=tcp]

Troubleshooting: Common Issues with Custom Fail2Ban Filters

Creating custom Fail2Ban filters can sometimes lead to errors or unexpected behavior. This troubleshooting section will discuss some common issues and how to resolve them.

Copying custom filters:

When copying custom filters from other sources, place them in the correct directory. By default, custom filters should be placed in the /etc/fail2ban/filter.d directory. After copying the filter, ensure the file has the correct permissions and ownership.

Example:

sudo cp custom-filter.conf /etc/fail2ban/filter.d/
sudo chown root:root /etc/fail2ban/filter.d/custom-filter.conf
sudo chmod 644 /etc/fail2ban/filter.d/custom-filter.conf

Incorrect log path:

Make sure the logpath directive in your custom jail configuration points to the correct log file for the application or service you are protecting. For instance, Nginx and Apache use different log paths:

  • Nginx: /var/log/nginx/access.log
  • Apache: /var/log/apache2/access.log

Example (for protecting Joomla with Nginx):

[joomla-login-custom]
enabled = true
filter = joomla-auth
logpath = /var/log/nginx/access.log
...

Incompatible regular expressions:

Ensure that the regular expressions in your custom filter match the log file format of the application or service you are protecting. Incompatible regular expressions can result in Fail2Ban not detecting failed login attempts correctly.

To test your regular expressions, use the fail2ban-regex command:

sudo fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/custom-filter.conf

If the test shows that your regular expression does not match any lines in the log file, review the filter and adjust the regular expression as needed.
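As an added illustration (not part of the original article or of the Fail2Ban project), the following Python script emulates what fail2ban-regex and a jail do together: it substitutes Fail2Ban's <HOST> placeholder in an assumed wordpress-auth filter body, matches it against constructed nginx access-log lines, and applies the findtime and maxretry settings of the WordPress jail above. The filter body, HOST_RE, the sample log lines and all function names are assumptions; real fail2ban-regex also handles IPv6, hostnames and many more date formats.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed contents of /etc/fail2ban/filter.d/wordpress-auth.conf (the page names this
# filter but does not show it): a failed login is a POST to wp-login.php answered with 200.
FILTER_CONF = r"""[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php HTTP/[0-9.]+" 200
"""
# Stand-in for Fail2Ban's <HOST> placeholder (IPv4 only, enough for this sample).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed nginx access-log lines: 10.0.0.5 fails five times within 60 s, 10.0.0.7
# fails five times but two minutes apart, 10.0.0.9 views the form and then logs in (302).
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3985'
    for s in (0, 20, 40, 50, 59)
] + [
    f'10.0.0.7 - - [10/Oct/2023:14:{m:02d}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3985'
    for m in (0, 2, 4, 6, 8)
] + [
    '10.0.0.9 - - [10/Oct/2023:14:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3985',
    '10.0.0.9 - - [10/Oct/2023:14:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

def load_failregex(conf):
    # Compile each failregex line of a minimal [Definition] block.
    return [re.compile(l.split("=", 1)[1].strip().replace("<HOST>", HOST_RE))
            for l in conf.splitlines() if l.startswith("failregex")]

def find_bans(lines, regexes, findtime, maxretry):
    # Emulate a jail: a host is banned at its maxretry-th match within findtime seconds.
    recent = defaultdict(deque)   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        for m in filter(None, (rx.search(line) for rx in regexes)):
            host, stamp = m.group("host"), line.split("[", 1)[1].split("]", 1)[0]
            t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")   # nginx combined format
            window = recent[host]
            window.append(t)
            while (t - window[0]).total_seconds() > findtime:   # expire matches older than findtime
                window.popleft()
            if len(window) >= maxretry and host not in banned:
                banned.append(host)
            break   # one failregex match per line is enough
    return banned

def run_sample():
    # Settings of the wordpress-login-custom jail: findtime=300, maxretry=5.
    return find_bans(SAMPLE_LOG, load_failregex(FILTER_CONF), findtime=300, maxretry=5)
```

Only 10.0.0.5 is banned with the jail's own settings; 10.0.0.7 slips through because its five failures never fall inside one 300-second window, which is exactly the kind of outcome to check before trusting a filter in production.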

Missing or incorrect action:

Verify that the action directive in your custom jail configuration is correct and refers to an existing action. The action defines how Fail2Ban should ban the offending IP addresses. Some common actions are iptables-multiport, iptables-allports, and iptables[name=<name>, port=<port(s)>, protocol=<protocol>].

Example (for protecting Joomla with Nginx):

[joomla-login-custom]
enabled = true
filter = joomla-auth
logpath = /var/log/nginx/access.log
...
action = iptables-multiport[name=joomla, port="http,https", protocol=tcp]

Errors in jail.local or jail.conf:

When making changes to jail.local or jail.conf, ensure that there are no syntax errors or misplaced configuration directives. Errors in these files can cause Fail2Ban to fail during startup or not process custom jails correctly.

To check for errors, you can use the fail2ban-client command:

sudo fail2ban-client -d

Conclusion

Fail2Ban is a powerful security tool that can significantly reduce the risk of brute-force attacks and other security threats. By creating custom jails tailored to your server’s specific needs, you can enhance the protection of your applications and services. The 20 example configurations provided here should help you understand how to create and adapt custom jails to your environment.

Additional Resources and Relevant Links

  1. Fail2Ban Wiki on GitHub:

The Fail2Ban Wiki on GitHub is a valuable resource for understanding Fail2Ban’s features and usage. It provides extensive information on various aspects of Fail2Ban, such as installation, configuration, and integration with different applications and services.

https://github.com/fail2ban/fail2ban/wiki

  2. Fail2Ban filters repository:

The Fail2Ban filters repository on GitHub contains numerous filters for various services and applications. You can use these filters to create custom jails or modify existing filters to suit your needs.

https://github.com/fail2ban/fail2ban/tree/master/config/filter.d
