Centralize Fail2Ban - Part 1

Warding potential server attacks with a centralized Fail2Ban

Fail2ban is a great tool to detect potential attacks on servers and block the recognized IP over all important services. Unfortunately, fail2ban is only designed to run on a server. It protects only the server on which it is running. But if there are multiple servers, you will quickly discover that the same IP soon shakes the "doors" of the other servers. With a few simple steps you can make fail2ban able to share the discovered IP's with other systems, so that they can isolate themselves also. Another way to hedge would also be the push the fail2ban detected IP's on a parent router or switch. In the first part of the HowTo, we write the IP of an attacker in a MySql database so that other systems can access this database. There are, of course, many ways to share these data with other systems than through a database. As always, the sky is no limits.

System Requirements

This HowTo assumes that fail2ban, iptables, mysql and php is installed functional on the system.
On Ubuntu, you can quickly do:

root@devserv3:~# sudo apt-get install php5 mysql-server fail2ban iptables
            

Next, we have to create a database in MySql, the database called "fail2ban". In this database, a table is created:

CREATE TABLE IF NOT EXISTS `fail2ban` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `hostname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `created` datetime NOT NULL,
  `name` text COLLATE utf8_unicode_ci NOT NULL,
  `protocol` varchar(16) COLLATE utf8_unicode_ci NOT NULL,
  `port` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `ip` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  KEY `hostname` (`hostname`,`ip`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
            

PHP script for passing the fail2ban IP

Now comes a small PHP script to use, which will accept the IP address, port, protocol, and the fail2ban Jailnamen and writes to the MySQL database.
The PHP script is created in the directory: /root and we make it executable. In addition, read permissions should be revoked for unauthorized persons!

root@devserv3:~# cd /root && touch fail2ban.php && chmod +x fail2ban.php
            

fail2ban.php is filled with the following content:

#!/usr/bin/php -n
<?php
$name = $_SERVER["argv"][1];
$protocol = $_SERVER["argv"][2];
$port = $_SERVER["argv"][3];
if (!preg_match('/^\d{1,5}$/', $port))
    $port = getservbyname($_SERVER["argv"][3], $protocol);
$ip = $_SERVER["argv"][4];

$hostname = gethostname();

// connect to mysql by hostname, username and password
$link = mysql_connect('devserv3', 'fail2ban', 'password') or die('Could not connect: ' . mysql_error());
mysql_select_db('fail2ban') or die('Could not select database');
$query = 'INSERT INTO `fail2ban` set hostname="' . addslashes($hostname) . '", name="' . addslashes($name) . '", protocol="' . addslashes($protocol) . '", port="' . addslashes($port) . '", ip="' . addslashes($ip) . '", created=NOW()';
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
mysql_close($link);
exit;
            

Now you can test the script and check if datas in database arrive.

root@devserv3:~# ./fail2ban.php jailname ssh 22 123.123.123.123
            

Connection to Fail2Ban

If the script works we can create the connection to Fail2Ban.
To do this, change to the fail2ban configuration directory.

root@devserv3:~# cd /etc/fail2ban/ && ls -al
total 28
drwxr-xr-x  4 root root 4096 Feb 13 14:56 .
drwxr-xr-x 97 root root 4096 Feb 13 15:28 ..
drwxr-xr-x  2 root root 4096 Feb 13 14:56 action.d
-rw-r--r--  1 root root  853 Nov 29  2011 fail2ban.conf
drwxr-xr-x  2 root root 4096 Feb 13 14:56 filter.d
-rw-r--r--  1 root root 7346 Jun 18  2013 jail.conf
root@devserv3:/etc/fail2ban#

In the files jail.conf and jail.local (must not be present), the jails and the banaction are defined.
Here once the example from Jail "pam-generic".

[pam-generic]
enabled  = true
filter   = pam-generic
port     = all
banaction = iptables-multiport
logpath  = /var/log/auth.log

The line with the banaction sets with which action the IP to be treated.
If no banaction at Jail specified, the default banaction is used. This is defined in the same file, in the [DEFAULT]. In general, the action is the iptables-multiport.
In the action folder "action.d" the file iptables multiport.conf should be found.
This file is now extended that, when a IP is banned then also our PHP script is called. Calling all parameters such as IP, port, etc. are passed.
After the line with actionban = ..... a new row inserted to invoke the PHP script:

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP /root/fail2ban.php <name> <protocol> <port> <ip>

Now fail2ban even have to be restarted. In the fail2ban logs can be checked whether there was an error.

root@devserv3:~# /etc/init.d/fail2ban restart
root@devserv3:~# cat /var/log/fail2ban.log

From now on, intrusions are detected and logged in the database.
In the second part of the HOWTO (coming soon) will be described how to distribute the IP addresses from the database on another server.

Continue to Part 2 - Read and lock Fail2ban IP from the DB