Novice question: Limiting number of combo attempts with Fail2ban and 128 bits of entropy

Apps such as Fail2ban and DenyHosts enable unix administrators to limit username/password combo attempts to typically 3 attempts. But why 3? Some admins enable more, like 6 or 8 giving honest users a little more slack when making different attempts at a password they may not recall exactly. But why not 18? Or even 30?

If a sophisticated cracker wanted to brute force a combo with a scheme involving 128 bits of entropy, s/he would need to make trillions of attempts a second. So if an admin limited the total number of attempts to 100 using Fail2ban, wouldn’t the authentication system still be secure and robust, as long as the admin sets up their username/password scheme to require 128 bits of entropy?

Fail2ban: Ban ip on all ports exept HTTP[S] (or group of ports)

My server currrently has very strict fail2ban rules, which permanently and persistently ban any ip that fails to login once on all ports. This might seem overkill, but most ports are “private” ports (meaning only I should access them).

Since my server runs a public website, ips should not be banned on HTTP & HTTPS, I also have setup an web interface to unban my ip, in case I lock myself out, which I then need to be able to access.

I don’t have much expirence with firewalls & iptables and am currently using action.d/iptables-allports.conf with persistent bans.

How can I configure an action to ban the ip on all ports except for “public ports” or ban the ip on all “private ports” (given a static list of public / private ports)?

Thanks in advance. -Minding

fail2ban ignored daily log files

I’m using fail2ban to detect and ban irregular users. This works more or less well, but has one issue with Exim which writes daily log files on my system: The new log file of the next day is simply ignored. Here’s my config file:

[exim] enabled = true filter = exim failregex = \[<HOST>\]: 535 Incorrect authentication data             \[<HOST>\] .* rejected RCPT <.*>: Unknown user$               \[<HOST>\] .* rejected after DATA: This message scored [0-9.]+ spam points\.$               \[<HOST>\] sender verify fail for <.*>: Unrouteable address$               \[<HOST>\] .* rejected RCPT <.*>: relay not permitted$   action = iptables-multiport[name=exim,port="25,465,587"] logpath = /var/log/exim4/main-*.log 

Today I found the program to only watch yesterday’s file, with no current bans. I found a number of matching patterns in today’s log file. After restarting fail2ban, there were 3 bans active.

The log files are:

  • /var/log/exim4/main-20190601.log
  • /var/log/exim4/main-20190602.log
  • /var/log/exim4/main-20190603.log
  • etc.

So the * pattern for logpath clearly isn’t very dynamic. I’m wondering what it’s good for at all.

Is there any solution to make fail2ban always use today’s file?

I’m thinking about restarting the service every night. But it probably only comes up correctly if today’s log file was already created, i.e. if any e-mail was processed already. Should I delay the restart by a few minutes? The system would be more “vulnerable” during this delay time.

All in all my impression of fail2ban isn’t very good. It just doesn’t seem to be very mature or practical or well-thought. But I couldn’t find any alternatives that make a better impression. Most of these tools are outdated and have no community.

This is Fail2Ban v0.9.3 of Ubuntu 16.04.

Is a server secure with fail2ban?

I am currently using fail2ban for SSH only, and im unsure if it’s safe in it’s current configuration: (Running CentOS 7)

bantime = 900
maxretry = 3
banaction = iptables-allports
enabled = true

I only have Port 22, 80 and 9987 open. (for SSH,HTTP and Teamspeak) Every other port is protected via a HW-Firewall. SSH can only be accessed by a single user (password authentication), root login is not allowed.

Is there anything obvious that I missed to add to my configuration? I somehow get a lot of failed logins and break-in attempts, should I be worried?
If I set the amount of ssh attempts for login to the same number as my fail2ban maxretry, will they still get banned after 3 wrong logins?
If I set my default SSH port to (for example) 2938, what do I have to change in my jail.local file? (Is it even a good idea to change the default SSH port?)

rabbitmq access denied loggin to fail2ban

Im using rabbitmq with rabbitmq_management. if user input wrong login/pass in web panel, at /var/log/rabbitmq/rabbit.log I have logs like this:

=WARNING REPORT==== 17-May-2019::06:58:56 === HTTP access denied: user 'rabbituser89' - invalid credentials 

I want to setup fail2ban for this events, but there is no IP address of user. Any variant to add ip to this log? Maybe any variant to setup my custom logs on this event, with ip?

Using fail2ban for detecting suspicious activity whitin a webserver

I know that fail2ban is mostly used for blocking IPs trying to brute force an SSH endpoint and other stuff like that.

However, I am wondering if you could also use fail2ban to detect (not necessarily prevent) suspicious activity within a webserver.

For example: Let’s say an attacker managed to break into a webserver as a non-privileged account (by whatever means: be it a Remote Code Execution flaw in the web application, brute-forcing a password or even a vulnerability in the Operating System). The attacker is now able to run commands on that machine. One of the things an attacker might now try to do is to somehow conduct a privilege escalation attack to gain root access. I guess that most attacks like that and other activities and intruder will normally do within a webserver would cause some traces within the log files – which could be monitored and admins could be warned via email or something like that.

If this is the case: Does it make sense to use fail2ban for this task?

If yes: How do you do that? Which log files should be watches for what kind of regex? Are there ready-to-use fail2ban jails for that somewhere on the web? (Couldn’t find any.)

The webserver I’m talking about is of “midlevel importance” I’d say and runs with Ubuntu 18.04.

(I know there are many tools or Intrusion Detection Systems better suitable for that task. However, using fail2ban would have some advantages in my case.)

Configuring Fail2ban for the r4032login module

Recently, I installed fail2ban on my server to help prevent bots from abusing the site.

I have the r4032login module installed and it is writing to the log, but it is using HTTP status 302 for the redirect to the login page.

I’m wondering what would be the easiest way to have fail2ban work alongside the r4032login.

Here is a sample log entry:

ddd.ddd.ddd.ddd - - [12/May/2019:14:46:26 -0400] "GET /node/1/edit HTTP/1.1" 302 4305 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

Config regex for fail2ban to catch pregreeters in mail.log

The lines to match are like:

May 6 10:06:16 mikes-serverbox postfix/postscreen[15486]: PREGREET 14 after 0.1 from []:57130: EHLO ylmf-pc\r\n

May 9 11:36:36 mikes-serverbox postfix/postscreen[14463]: PREGREET 26 after 0 from []:49432: EHLO\r\n

When i check the regex with fail2ban-regex, it correctly matches plenty of lines.

fail2ban-regex /var/log/mail.log "^.*PREGREET \d{1,3} after \d+(\.\d{1,2})? from \[<HOST>\]" 

When i check the conf file where there is the same regex with fail2ban-regex, it matches only 3 lines for this regex “^RCPT from [^[]*[]%(_port)s: 55[04] 5.7.1\s” and none for the regex i had written.

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf 

The relevant section of postfix.conf is:

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$   mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+) mdre-normal = ^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b               ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b               ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b               ^from [^[]*\[<HOST>\]%(_port)s:?               ^NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.5\.2 .*$                 ^.*PREGREET \d{1,3} after \d+(\.\d{1,2})? from \[<HOST>\]               ^NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$                 ^NOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$                 ^improper command pipelining after \S+ from [^[]*\[<HOST>\]:?$                 ^NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1\.* 

What would be the correct regex for fail2ban.conf to match the above mentioned lines in mail.conf?