Fail2ban is a popular Linux program that scans log files for suspicious activity and updates the firewall to block offending IP addresses. By default, Fail2ban should protect against brute force ssh password attacks, which is a very important precaution for ssh accessible servers. Installing Fail2ban on Ubuntu Server 14.04 LTS should be as easy as typing "sudo apt-get install fail2ban" but there are several other steps which must be completed.

While testing one of my Ubuntu servers, I noticed that Fail2ban wasn't blocking my bad ssh password attempts. I did some digging, and it turns out that there are actually two settings causing this issue. The first setting has to do with how the fail2ban service expects system logs to be formatted, and the second is related to how repeated events are reported in the logs by rsyslog.

To fix these issues, run the following commands:

sudo cp -n /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo cp -n /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local
sudo sed -i '/^__bsd_syslog_verbose.*/c\__bsd_syslog_verbose = (<[^.]+ [^.]+>)' /etc/fail2ban/filter.d/common.local
sudo sed -i '/^RepeatedMsgReduction.*/c\RepeatedMsgReduction off' /etc/rsyslog.conf
sudo service rsyslog restart
sudo service fail2ban restart

The first two lines make local copies of the configuration files so that the fixes and any customizations you wish to make will not be overwritten by updates.

The next two lines use the sed command to find the settings that need to be changed and replace those lines with the correct settings. Fail2ban expects the log dates to be in YYYY.MM.DD format, but rsyslog on Ubuntu saves the dates as MMM DD. Additionally, rsyslog reduces repeated messages to a single message by default, which prevents Fail2ban from recognizing brute force attacks. In reality, the problems are caused by a nonstandard implementation of rsyslog rather than a problem with fail2ban.

The final two lines restart the services in question. After completing these steps, Fail2ban should protect your server as expected.

Loading Conversation