Fail2ban is a popular tool for protecting cloud applications from brute-force attacks. It works by monitoring log files, detecting repeated failed login attempts, and automatically banning the offending IPs. For details about Fail2ban, see the project page on GitHub: https://github.com/fail2ban.
For cloud tenants in the European Weather Cloud (EWC), Fail2ban comes preconfigured on virtual machine (VM) images, so your application is protected from malicious attempts right from the start. In EWC, a ban is triggered after 5 consecutive failed attempts (maxretry = 5), and it is lifted after an hour (bantime = 1h).
Reviewing Banned IPs
Check Fail2ban Status
To get an overview of Fail2ban, including active jails (e.g., SSH):
sudo fail2ban-client status
Check the IPs Banned by a Specific Jail (e.g., SSH)
To see which IPs are banned under a specific jail like SSH:
sudo fail2ban-client status sshd
Managing Banned IPs
Unban an IP Address
If a legitimate IP is banned by mistake, you can manually unban it:
sudo fail2ban-client unban <IP_ADDRESS>
Then restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
Whitelisting IPs
Fail2ban allows you to whitelist trusted IP addresses, which will never be banned, even if they trigger alerts. This is particularly useful for known IPs, such as those used by employees or internal services.
Steps to Whitelist an IP:
Open the configuration file for the jail you want to modify (for example, SSH):
sudo nano /etc/fail2ban/jail.local
Find the jail configuration (e.g., [sshd]), and add the IPs you wish to whitelist under ignoreip. You can list multiple IPs separated by spaces:
[sshd]
ignoreip = 192.168.1.1 203.0.113.50
Finally, restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
Whitelisting an IP Range
If your organization operates from a range of IPs, you can whitelist the entire range to avoid mistakenly banning legitimate users. Add the IP range in CIDR notation to the ignoreip directive:
ignoreip = 203.0.113.0/24
This directive whitelists all IPs in the range 203.0.113.0 to 203.0.113.255.
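To see how maxretry, bantime and ignoreip interact, here is an added Python example (not from the EWC documentation or from the Fail2ban project; Fail2ban itself is written in Python) that replays constructed sshd log lines against a constructed jail.local fragment using the rule described above: a source that fails maxretry times within one findtime window is banned for bantime, unless it matches an ignoreip entry, either a single address or a CIDR range. The findtime value (10m) and the log year (2024) are assumptions; the page states neither.

```python
# Added example, not part of the EWC documentation or of the Fail2ban project.
# It re-implements the rule described above (maxretry failures within findtime
# lead to a ban for bantime, unless the source matches ignoreip) so the effect
# of the settings can be checked on constructed log lines, offline.
import configparser
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed jail.local fragment: maxretry and bantime follow the EWC values
# quoted above; findtime is an assumed value, the page does not state it.
JAIL_LOCAL = """
[DEFAULT]
maxretry = 5
findtime = 10m
bantime = 1h

[sshd]
enabled = true
ignoreip = 192.168.1.1 203.0.113.0/24
"""

# Constructed sshd log lines in syslog format (year assumed: syslog omits it).
AUTH_LOG = """\
Mar  1 10:00:01 vm sshd[1000]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:02 vm sshd[1001]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  1 10:00:03 vm sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:04 vm sshd[1003]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  1 10:00:05 vm sshd[1004]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar  1 10:01:01 vm sshd[1010]: Failed password for ubuntu from 203.0.113.50 port 50001 ssh2
Mar  1 10:01:02 vm sshd[1011]: Failed password for ubuntu from 203.0.113.50 port 50002 ssh2
Mar  1 10:01:03 vm sshd[1012]: Failed password for ubuntu from 203.0.113.50 port 50003 ssh2
Mar  1 10:01:04 vm sshd[1013]: Failed password for ubuntu from 203.0.113.50 port 50004 ssh2
Mar  1 10:01:05 vm sshd[1014]: Failed password for ubuntu from 203.0.113.50 port 50005 ssh2
Mar  1 10:03:01 vm sshd[1030]: Failed password for root from 198.51.100.8 port 40101 ssh2
Mar  1 10:03:02 vm sshd[1031]: Failed password for root from 198.51.100.8 port 40102 ssh2
Mar  1 10:03:03 vm sshd[1032]: Failed password for root from 198.51.100.8 port 40103 ssh2
Mar  1 10:30:01 vm sshd[1040]: Failed password for root from 198.51.100.8 port 40104 ssh2
Mar  1 10:30:02 vm sshd[1041]: Failed password for root from 198.51.100.8 port 40105 ssh2
Mar  1 10:30:03 vm sshd[1042]: Failed password for root from 198.51.100.8 port 40106 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Parse Fail2ban-style durations ('1h', '10m', '600') into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def load_jail(config_text, jail_name):
    """Effective settings of one jail; [DEFAULT] values apply unless overridden."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp[jail_name]
    return {
        "maxretry": sec.getint("maxretry"),
        "findtime": parse_duration(sec.get("findtime")),
        "bantime": parse_duration(sec.get("bantime")),
        # ignoreip entries may be single addresses or CIDR ranges
        "ignoreip": [ipaddress.ip_network(tok, strict=False)
                     for tok in sec.get("ignoreip", "").split()],
    }

def is_ignored(ip, networks):
    """True when ip falls inside any ignoreip entry (a bare address is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def _timestamp(line, year):
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, jail, year=2024):
    """Replay the log and return {ip: (ban_start, ban_end)} under the jail's rules."""
    recent = defaultdict(list)  # ip -> failure timestamps inside the findtime window
    bans = {}
    window = timedelta(seconds=jail["findtime"])
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failure line the sshd filter would match
        ip = m.group("ip")
        if is_ignored(ip, jail["ignoreip"]) or ip in bans:
            continue  # whitelisted, or already banned at the firewall
        ts = _timestamp(line, year)
        # drop failures older than findtime, then record the current one
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= jail["maxretry"]:
            bans[ip] = (ts, ts + timedelta(seconds=jail["bantime"]))
    return bans

if __name__ == "__main__":
    sshd = load_jail(JAIL_LOCAL, "sshd")
    for ip, (start, end) in find_bans(AUTH_LOG, sshd).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run directly, it reports a single ban for 198.51.100.7, starting at its fifth failure and lasting exactly one hour. 203.0.113.50 also fails five times but is never banned because it lies inside the whitelisted 203.0.113.0/24 range, and 198.51.100.8 stays unbanned because its two bursts of three failures never fall inside one findtime window.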
Firewall Configuration for Fail2ban on User VMs
In the European Weather Cloud (EWC), Fail2ban requires a firewall to be installed and properly configured on your virtual machines (VMs), because the bans it issues are enforced as firewall rules. Depending on the operating system of your VM, this will typically be UFW (for Ubuntu) or firewalld (for CentOS/Rocky Linux). Make sure the ports your services need (such as SSH) are allowed through that firewall so that Fail2ban can manage IP bans without cutting off legitimate access.
Example for UFW (Ubuntu VMs):
Enable UFW if it’s not already enabled:
sudo ufw enable
Allow necessary ports (e.g., SSH):
sudo ufw allow ssh
Reload UFW to apply changes:
sudo ufw reload
Example for firewalld (CentOS/Rocky Linux VMs):
Start and enable firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Allow necessary ports (e.g., SSH):
sudo firewall-cmd --permanent --add-service=ssh
Reload firewalld to apply changes:
sudo firewall-cmd --reload
Creating Another Jail (Optional)
If you need to protect additional services besides SSH, you can create new jails in the Fail2ban configuration. For example, to create a jail for Apache, follow these steps:
Open Fail2ban Configuration:
sudo nano /etc/fail2ban/jail.local
Add a New Jail Section:
In the configuration file, add a new section for the service you wish to protect. For example, to add an Apache jail:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 5
bantime = 1h
Restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban