Cybsersecurity stepped up with fail2ban: How-to Persistent IPs

So since I have setup this site, I am noticing these messages, with a plethora of variants. However, what is common among most of them is they are requesting pages that are reserved for users with higher authority. Therefore, can be said as a prelude to hacking attempts. Not only they are annoying, but they can make you paranoid since you might think, that with all the semi-brute force attacks they are doing they can eventually succeed.

Logged malicious events

Details of a malicious event that was logged

Another malicious event's details

Fortunately, I found out about a Linux utility called fail2ban. Actually, it was recommended in a guide of DigitalOcean's for the starter users of their hosting service but as I'm one of those geeks/techies that are eager to get my hands dirty, I skipped it. 

Fail2ban is a daemon mostly written in Python. It monitors the log files ( SSH Access log, Apache access and error logs ) for messages and/or request headers which it then compares against the regular expressions determined beforehand. If it finds out that a rule is matched, the typical action is triggered. This is the banning of the IP address from reaching your site within some pre-defined time that you assign as you wish.

Their official site also goes on to say:

Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

Installation is fairly easy. If you have an identical server setup, especially with the operating system, you can get also follow these steps from outlined by DigitalOcean.

Aside from the provided "jails", I also added this one (for malicious bots) and this one too,  Though somewhat redundant, I substituted the default regex of php-url-fopen jail with this:

failregex = ^<HOST> -.*(((GET|POST|CONNECT)\s+(http\:\/\/))|azenv\.php|manager\/html|mail2000\.com\.tw\:25|proxyres\.php|proxy|render\/.*\.jsp|scripts\/.*\.php|rom\-|proxies|phpTest).*$


Make sure to add the corresponding configuration stanzas at /etc/fail2ban/jail.conf . You can take cues from the given stanzas like [ssh] on how to do it. It's that simple, trust me! ;)

Afteer restarting the fail2ban service,

sudo service fail2ban restart

you're all set.

However, when you restart the fail2ban service or your server the blocked IP addresses are removed from iptables' blacklist thus those IP addresses can still once again chance upon wreaking havoc on your site. With that, I followed the instructions here with slight variations as can be described below.

First, before following any of those in the guide and to begin with, save your current iptables configuration according to instructions here. You can also restore it afterwards as stated there.

Now, let's make a dedicated folder for the record of my blacklists. I named it "persistent_blacklist":

sudo mkdir /etc/fail2ban/persistent_blacklist

Then, create a file for each of your jails. You can get your jails via this command:

fail2ban-client status<br>Status<br>|- Number of jail: &nbsp; &nbsp; &nbsp;7<br>`- Jail list: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; php-url-fopen, apache-403, apache-nokiddies, ssh, apache-404, apache-badbots, apache-nokiddies2

Then make a blacklist file for each jail. For example, for jail php-url-fopen :

sudo mkdir /etc/fail2ban/persistent_blacklist/php-url-fopen&nbsp;

Now, for the variation with the guide:

1)   For actionban, instead of  

echo &lt;ip&gt; &gt;&gt; /etc/fail2ban/ip.blacklist

   I entered:

echo &lt;ip&gt; &gt;&gt; /etc/fail2ban/ip.<span style="color:#FF0000"><strong>&lt;name&gt;.</strong></span>blacklist


2) For actionstart, instead of 

actionstart = iptables -N fail2ban-&lt;name&gt;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; iptables -A fail2ban-&lt;name&gt; -j RETURN<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; iptables -I INPUT -p &lt;protocol&gt; -m multiport --dports &lt;port&gt; -j fail2ban-&lt;name&gt;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-&lt;name&gt; 1 -s $IP -j DROP; done

  I made sure this is what's in the  /etc/fail2ban/action.d/iptables-multiport.conf&nbsp; or the equivalent local file.

actionstart = iptables -N fail2ban-&lt;name&gt;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; iptables -A fail2ban-&lt;name&gt; -j RETURN<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; iptables -I INPUT -p &lt;protocol&gt; -m multiport --dports &lt;port&gt; -j fail2ban-&lt;name&gt;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cat /etc/fail2ban/ip.<span style="color:#FF0000"><strong>&lt;name&gt;.</strong></span>blacklist | while read IP; do iptables -A fail2ban-&lt;name&gt; 1 -s $IP -j DROP; done

So basically, you classify the IP addresses via their own jails. Well, there would be times that an IP address can be present in two jails or more, but that's okay. Still, their packets are dropped and all what they can see from their side is connection timeout after triggering fail2ban's response to their malicious deeds.

And restart fail2ban via 

sudo service fail2ban restart

Then restore your iptables settings earlier.