I.T. Security and Linux Administration

Nov 30 2012   6:19PM GMT

Proper Firewall Management: Part 1 – Introduction To fail2ban

Eric Hansen

In this short series I will be showcasing some firewall tips and tricks: what to do, and what not to do, if you want to secure your network.  The first entry is an overview of a very helpful log analyzer, fail2ban.  There are other programs out there, such as logwatch, that monitor logs and report anything ‘illegal’ that turns up in them.  However, fail2ban is the best known one that will also act on such findings.  To me, it is the IDS of logs.

fail2ban works from two kinds of configuration file.  A jail definition (jail.conf, or preferably your own overrides in jail.local) names the service it is parsing for (e.g.: SSH, POP3, HTTP), the log file to watch and how many hits earn a ban; a filter file under filter.d holds the rules, as failregex entries, that match the restricted content.  This makes fail2ban well suited to shutting out those looking to use your mail server for relaying, your SSH server for proxying, or to flood your web server with malformed HTTP requests.  Essentially all you do is throw in the rule(s) you want matched, and fail2ban will test each regular expression against new lines as they are appended to the log.  Once an address trips a rule maxretry times within findtime seconds, fail2ban adds an iptables rule blocking that IP, and removes it again after bantime seconds.  Put your own management addresses in ignoreip before enabling a jail, or a mistyped password of your own will lock you out of your server.

fail2ban is also useful beyond individual services: pointed at the Snort alert log with a matching filter, it can automatically restrict the offending IPs Snort flags, without you having to parse through each Snort log yourself.
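To make the match-then-ban cycle from the two paragraphs above concrete, here is an added example that replays it in Python (fail2ban's own language). It is not fail2ban's code: it parses a constructed filter file laid out like a filter.d/*.conf entry, substitutes the <HOST> token the way fail2ban does, runs the failregex patterns over a handful of constructed sshd log lines, and applies the maxretry/findtime/bantime rules from a jail. The filter, the jail values, the sample log lines and the simplified iptables command are all assumptions made for the example; the same loop works unchanged for a Snort alert log once you supply a failregex for that format.

```python
import re
import configparser
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed filter in the layout of a fail2ban filter.d/*.conf file. It is a
# simplified stand-in for illustration, not fail2ban's shipped sshd filter.
# <HOST> is the token fail2ban substitutes with a pattern that captures the
# source address; everything else is an ordinary Python regular expression.
FILTER_CONF = r"""
[Definition]
failregex = sshd\[\d+\]: Failed password for (invalid user )?\S+ from <HOST> port \d+
            sshd\[\d+\]: Invalid user \S+ from <HOST>
ignoreregex =
"""

# Jail settings with the same names as in jail.conf / jail.local (values are
# assumptions for the example): ban after `maxretry` matches from one address
# within `findtime` seconds, and keep the ban for `bantime` seconds.
JAIL = {"maxretry": 3, "findtime": 600, "bantime": 3600}

# IPv4-only stand-in for the pattern fail2ban inserts in place of <HOST>.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def load_failregex(conf_text):
    """Parse a filter file and return its compiled failregex patterns."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp["Definition"]["failregex"]
    return [re.compile(line.strip().replace("<HOST>", HOST_RE))
            for line in raw.splitlines() if line.strip()]


def scan(lines, patterns, maxretry, findtime, bantime):
    """Replay log lines and return {ip: ban_expiry} for every address that
    accumulated `maxretry` matches inside a `findtime`-second window."""
    failures = defaultdict(deque)   # ip -> timestamps of recent matches
    bans = {}                       # ip -> datetime when the ban lapses
    for line in lines:
        # syslog-style prefix "Mon DD HH:MM:SS"; the year does not matter here
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        for rx in patterns:
            m = rx.search(line)
            if m is None:
                continue
            ip = m.group("host")
            if ip in bans and ts < bans[ip]:
                break   # still banned; with the firewall rule in place this line would not appear
            window = failures[ip]
            window.append(ts)
            # drop matches older than findtime so stale failures do not count
            while (ts - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) >= maxretry:
                bans[ip] = ts + timedelta(seconds=bantime)
                window.clear()
            break   # one match per line is enough, as in fail2ban
    return bans


def ban_command(ip):
    """Rule of the kind fail2ban's iptables action adds. Simplified: the real
    action inserts into a per-jail chain rather than straight into INPUT."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# Constructed sample log lines (RFC 5737 documentation addresses), not real
# traffic: 203.0.113.5 fails three times in 8 seconds, 198.51.100.9 fails
# three times too but spread over 26 minutes, wider than findtime.
SAMPLE_LOG = [
    "Dec 10 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Dec 10 10:00:04 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Dec 10 10:00:09 bastion sshd[2105]: Invalid user oracle from 203.0.113.5",
    "Dec 10 10:00:15 bastion sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2",
    "Dec 10 10:05:00 bastion sshd[2120]: Failed password for root from 198.51.100.9 port 40200 ssh2",
    "Dec 10 10:30:00 bastion sshd[2130]: Failed password for root from 198.51.100.9 port 40201 ssh2",
    "Dec 10 10:31:00 bastion sshd[2131]: Failed password for root from 198.51.100.9 port 40202 ssh2",
]


def run_example():
    patterns = load_failregex(FILTER_CONF)
    return scan(SAMPLE_LOG, patterns, **JAIL)


if __name__ == "__main__":
    for ip, until in run_example().items():
        print(f"{ban_command(ip)}   # until {until:%H:%M:%S}")
```

Only 203.0.113.5 ends up banned: 198.51.100.9 also fails three times, but its first failure has fallen out of the findtime window by the time the third arrives, which is exactly the distinction fail2ban draws between a brute-force run and an occasional fat-fingered password. When you write your own filters, test them the same way against real lines from your log before enabling the jail (fail2ban's own fail2ban-regex tool does this against a live log file and a filter file).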
