Fail2Ban: Ban hosts that cause multiple authentication errors – Help Net Security

Summary: This content discusses the features of Fail2Ban, an open-source tool that monitors log files and blocks IP addresses that exhibit repeated failed login attempts.

Key points:

  • Fail2Ban is a versatile tool that can block common attacks using community-driven filters with minimal configuration.
  • It can also serve as a complex IDS/IPS system to detect and block application or system-specific attack vectors.
  • Fail2Ban can monitor log files and systemd journal, and with custom backends, it can detect failures from other sources.
  • The tool allows for fully configurable regexps to capture information from logs or journals and supply it to the action, enabling the banning of not only IPs but also users.

Fail2Ban is an open-source tool that monitors log files, such as /var/log/auth.log, and blocks IP addresses that exhibit repeated failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses for a configurable amount of time.

Fail2Ban features

“Fail2Ban is a versatile and effective tool. It can block common attacks using community-driven filters with minimal configuration. Additionally, it can serve as a complex IDS/IPS system to meet specific administrative needs, such as detecting and blocking application or system-specific attack vectors,” Sergey Brester, the developer of Fail2Ban, told Help Net Security.

The main features are:

  • Monitoring of log files and the systemd journal (and, with custom backends written in Python, detection of failures from other sources)
  • Fully configurable regexps allow capturing information from the log or journal and supplying it to the action, so it is possible to ban not only IPs but also users, sessions, or a combination of them
  • Incremental banning
  • IPv6 support
  • Dynamic configuration allows simple creation of distribution-related config files for maintainers and users. For instance, parameters such as mode allow fine adjustment (e.g. detect only authentication failures, or ban more aggressively on any attempt)
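The mechanism described above (a filter regex pulls the host and user out of a log line, failures per host are counted inside a time window, and a host that exceeds the retry limit is banned for a configurable period, with incremental bans for repeat offenders) can be modelled in a few dozen lines. The following is an added illustration, not Fail2Ban's own code. It reuses Fail2Ban's `<HOST>` filter placeholder and its `maxretry`/`findtime`/`bantime` vocabulary, but the log lines are constructed sample data, the doubling rule for incremental bans is a simplification of Fail2Ban's real formula, and the single `iptables` INPUT rule stands in for Fail2Ban's per-jail chain.

```python
"""Minimal model of a Fail2Ban-style jail (illustration only, not Fail2Ban code)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format. Syslog omits the year, so one is assumed.
SAMPLE_LOG = """\
May 24 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
May 24 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
May 24 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
May 24 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.7 port 51002 ssh2
May 24 10:00:08 host sshd[1005]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
May 24 10:30:00 host sshd[1006]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2
May 24 11:00:00 host sshd[1007]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
May 24 12:00:00 host sshd[1008]: Failed password for invalid user oracle from 203.0.113.7 port 52000 ssh2
May 24 12:00:02 host sshd[1009]: Failed password for invalid user oracle from 203.0.113.7 port 52001 ssh2
May 24 12:00:04 host sshd[1010]: Failed password for invalid user oracle from 203.0.113.7 port 52002 ssh2
"""

# Fail2Ban filters write <HOST> where the client address appears; expand it to a
# named group the way Fail2Ban does (simplified to IPv4 only here).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
             r"from <HOST> port \d+").replace("<HOST>", HOST_RE)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_syslog_time(line: str, year: int) -> datetime:
    """Return the timestamp at the start of a syslog-format line."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp in line: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


@dataclass
class Ban:
    host: str
    user: str          # captured from the triggering line; could be fed to the action
    start: datetime
    end: datetime

    @property
    def seconds(self) -> int:
        return int((self.end - self.start).total_seconds())


class Jail:
    """Counts failures per host within findtime; bans after maxretry failures."""

    def __init__(self, failregex=FAILREGEX, maxretry=3, findtime=600, bantime=600,
                 increment=True, year=2024):
        self.failregex = re.compile(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.increment = increment
        self.year = year
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.ban_count = defaultdict(int)    # host -> number of previous bans
        self.bans: list[Ban] = []

    def process_line(self, line: str):
        m = self.failregex.search(line)
        if not m:
            return None                      # not a failure; ignored like Fail2Ban does
        now = parse_syslog_time(line, self.year)
        host = m.group("host")
        recent = self.failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:
            recent.popleft()                 # only failures inside findtime count
        if len(recent) >= self.maxretry:
            return self._ban(host, m.group("user"), now)
        return None

    def _ban(self, host: str, user: str, now: datetime) -> Ban:
        duration = self.bantime
        if self.increment:
            # Simplified incremental banning: double the ban for each previous ban.
            duration = self.bantime * (2 ** self.ban_count[host])
        self.ban_count[host] += 1
        self.failures[host].clear()
        ban = Ban(host, user, now, now + duration)
        self.bans.append(ban)
        return ban


def iptables_command(ban: Ban) -> str:
    """Firewall action a ban would trigger (single INPUT rule; Fail2Ban uses a chain)."""
    return f"iptables -I INPUT -s {ban.host} -j REJECT --reject-with icmp-port-unreachable"


def run_jail(log_text: str = SAMPLE_LOG) -> Jail:
    """Feed every line of a log through a jail and return it for inspection."""
    jail = Jail()
    for line in log_text.splitlines():
        jail.process_line(line)
    return jail


if __name__ == "__main__":
    for ban in run_jail().bans:
        print(f"{ban.start} ban {ban.host} (user {ban.user}) for {ban.seconds}s -> {iptables_command(ban)}")
```

Running it bans 203.0.113.7 twice: once at 10:00:06 for 600 s after three failures in five seconds, and again at 12:00:04 for 1200 s because the ban count has gone up. 198.51.100.9 also fails three times, but the attempts are 30 minutes apart, so it never accumulates `maxretry` failures inside `findtime` and is left alone; this is the trade-off an administrator tunes with `findtime`, since a slow, patient attacker stays under the threshold while legitimate users who mistype a password once or twice are not locked out.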

Future plans and download

Brester told us that future development priorities include:

  • Full support for subnets (automatically banning a subnet with configurable burst and threshold if several attempts occur from IPs of the same subnet)
  • Geo- and whois-based factorization of the failures (e.g., IPs from some countries may be banned faster and longer, combined into larger subnets, etc.)
  • Fail2Ban network (synchronization of events like attempts and bans across the hosts to protect whole networks)
  • Faster banning through the introduction of bulk-ban mechanisms
  • Better support of containers (Docker, Kubernetes, etc.)

Fail2Ban is available for free on GitHub.

Source: https://www.helpnetsecurity.com/2024/05/24/fail2ban-ban-hosts-authentication-errors