Fail2Ban Brute Force Protection

What is Fail2Ban?

Fail2Ban is an active firewall that dynamically blocks traffic by source IP address in response to suspected malicious activity.

It works by identifying patterns within your server log files, for example corresponding to repeated login failures or other forms of suspicious activity. Once an attack is identified the offending IP is blocked by the firewall; first temporarily and then, if repeated, permanently.

Brute force attacks are attacks that try to get access to your server (email account, WordPress admin, SSH etc.) by attempting to guess your password: trying multiple random or well known passwords in the hope they’ll stumble into the correct answer.

Repeated failed login attempts for WordPress, Plesk Panel, Email or other services will be treated by Fail2Ban as a suspected brute force attack.

Fail2Ban is particularly powerful compared to a normal stateless firewall because Fail2Ban is reactive to unknown threats (i.e. you don’t know which source IP addresses are malicious in advance), and can be deployed in places where the trusted source IP addresses cannot be defined (i.e. you don’t know who will visit your website, or from which IP address, in advance, so you need to keep it open and accessible to the entire world – only blocking out those who prove themselves untrustworthy).

Managing Fail2Ban

Fail2Ban in Plesk

Go to Plesk Control Panel -> Tools and Settings -> IP Address Banning (Fail2Ban)

Plesk Control Panel

Banned IP tab

This lists IP addresses that are currently blocked, and allows you to individually unblock them (Unban), or select IPs that should be considered as safe / non-malicious (Move to Trusted IPs).

To find the IP you’re using you can use tools like this, and in case you can’t access Plesk because of the ban you will have to use a different IP to connect (or contact support for assistance).

If an IP address is exhibiting malicious behaviour (e.g. repeated failed login attempts), ‘Unban’ will only provide a temporary fix until it is banned again. In such cases it’s advisable to identify and solve the root cause by inspecting the logs.


Trusted IP tab

IP addresses listed here will never be blocked by Fail2Ban, regardless of their actions.

You can also add IP ranges, for example 192.158.1.0/24; this way it will ignore all IPs from 192.158.1.1 to 192.158.1.254.

The range of IP addresses a user can be assigned can be obtained by contacting their ISP.

Advanced

The 3 remaining tabs are more ‘advanced’ and allow you to fine-tune the way Fail2Ban works or require a bit more ‘hands on’ knowledge.

Settings tab

From this tab you can manage how long a ban will last (ban period) and how many Jail triggers are required for an IP to become banned.

Some actions may create log entries in multiple logs that Fail2Ban monitors and activate multiple jail triggers for one incident.


Logs tab

You can check the Fail2Ban log right from within Plesk to ascertain why an IP was banned.

Jails tab

Fail2Ban works on pattern recognition built out of regex rules. These rules monitor logs for pattern matches, and when enough matches occur, automated actions are triggered.

These actions are packaged into Jails.

Building Regex

To create a custom filter that will be used by a jail, go to Manage Filters -> Add Filter.

Select the log entry that you want to filter and write a regex that matches the exact sequence. The regex must contain the “<HOST>” keyword, which identifies the IP address that will be banned.

For example, let’s take a generic file “donttouch.this” and say you want users to access it only under certain conditions, but not directly. When the file is accessed directly we get the following log entry.

 192.168.0.1 - - [21/Jan/2099:12:12:12 +0000] "GET /donttouch.this HTTP/1.0" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"

In human-readable form this can be translated to HOST - - [DATE] "GET /donttouch.this HTTP/1.0" <HTTP STATUS CODE> <size> "-" "other data", and the simplest way to match this string is the regex <HOST>.*donttouch.this .*200.

The regex above can give a false positive, for example if the response size is 200 (the trailing .*200 matches the size field just as readily as the status code). The more elements you add to the regex, the less likely a false positive becomes.

You can test your regex using online tools like this, where you add the log entries you want to filter and check that the regex matches them. Note that you will have to remove the “<HOST>” keyword for this test.
As an alternative test you can log in to the server using SSH and use the built-in Fail2Ban test function by running this command: fail2ban-regex -v full/path/to/log '^<HOST>.*/donttouch.this .*200' (here the <HOST> tag is kept, since fail2ban-regex rejects a regex without it).


The [Definition] section header and the failregex and ignoreregex variables are mandatory for a valid filter that can be used in a Fail2Ban Jail.

Putting it all together, we get the following filter to use in a custom Jail.

[Definition]
failregex = ^<HOST>.*/donttouch.this .*200
ignoreregex = 

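To make the false-positive point concrete, here is an added Python example (not part of this article and not Fail2Ban’s own code) that applies the filter above and a tighter variant to a few constructed log lines, using a simplified stand-in for Fail2Ban’s <HOST> substitution, and reports which IPs would cross a jail’s retry threshold.

```python
import re
from collections import Counter

# Constructed access-log lines (not from the original article). The 403 responses
# happen to be 200 bytes long, which is exactly the false positive described above.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2099:12:12:12 +0000] "GET /donttouch.this HTTP/1.0" 200 300 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Jan/2099:12:12:13 +0000] "GET /donttouch.this HTTP/1.0" 403 200 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jan/2099:12:12:14 +0000] "GET /donttouch.this HTTP/1.0" 200 300 "-" "Mozilla/5.0"
192.0.2.12 - - [21/Jan/2099:12:12:15 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Jan/2099:12:12:16 +0000] "GET /donttouch.this HTTP/1.0" 403 200 "-" "Mozilla/5.0"
"""

# The filter from the article, and a tighter variant that pins the status code to
# the position right after the request line and escapes the literal dots.
LOOSE_FAILREGEX = r"^<HOST>.*/donttouch.this .*200"
TIGHT_FAILREGEX = r'^<HOST> .*"GET /donttouch\.this HTTP/1\.[01]" 200 \d+ '


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a Fail2Ban-style failregex into a Python pattern.

    Fail2Ban replaces the <HOST> tag with a named capture group; a simplified
    stand-in is used here (assumption: the host field is a plain address with
    no whitespace). A failregex without <HOST> is rejected, as fail2ban-regex does.
    """
    if "<HOST>" not in failregex:
        raise ValueError("failregex must contain <HOST>")
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def count_matches(failregex: str, log_text: str) -> Counter:
    """Count matching log lines per host, like a jail tallying filter hits."""
    pattern = compile_failregex(failregex)
    hits: Counter = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def would_ban(hits: Counter, maxretry: int) -> list:
    """Hosts whose hit count reaches the jail's retry threshold."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    for label, failregex in (("loose", LOOSE_FAILREGEX), ("tight", TIGHT_FAILREGEX)):
        hits = count_matches(failregex, SAMPLE_LOG)
        print(label, dict(hits), "banned:", would_ban(hits, maxretry=2))
```

With a threshold of 2 matches, the loose filter would ban both 192.0.2.10 and 192.0.2.11, while the tight filter bans only 192.0.2.10, the host that actually fetched the file successfully.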

Building Jail

Building the Jail is straightforward.

  • Add a unique name for the jail.
  • Add an existing filter or a custom filter.
  • Use existing actions by selecting them from the list and adding them. Below is the list of available actions in Plesk and how to customize them.
    • iptables – ban via iptables firewall, on a single port
      • iptables[chain="INPUT", name="name_of_iptables_block_chain", port="Port_nr", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
        • Ban IP on a single port
    • iptables-allports – ban via iptables firewall, on all ports
      • iptables-allports[chain="INPUT", name="name_of_block_chain", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
        • Ban IP on all ports
    • iptables-multiport – ban via iptables firewall, on multiple ports
      • iptables-multiport[chain="INPUT", name="name_of_iptables_block__chain", port="port1,port2,port3", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
        • Ban IP on selected ports
    • sendmail – send email notification via sendmail
      • sendmail[dest="your@email.address", sender="fail2ban", sendername="Fail2Ban", name="name_of_iptables_block_chain"]
        • Send an email on jail start/stop and when an IP is banned
    • sendmail-common
      • sendmail-common[dest="root", sender="fail2ban", sendername="Fail2Ban"]
  • Add the full path to the log or logs. You can specify any number of logs; on our Plesk servers you can find them in /var/www/vhost/domain name/logs/logname. Note that you can also specify custom application logs.
  • Ban time
  • Number of pattern matches before the IP identified by <HOST> is banned


Need More Help?

If you're still having problems, get in touch with our 24/7 support team! We'll be more than happy to help.