Centralize Fail2Ban - Part 1

collect server attack IP for a centralized fail2ban Warding potential server attacks with a centralized Fail2Ban

Fail2ban is a great tool to detect potential attacks on servers and block the recognized IP over all important services. Unfortunately, fail2ban is only designed to run on a server. It protects only the server on which it is running. But if there are multiple servers, you will quickly discover that the same IP soon shakes the "doors" of the other servers. With a few simple steps you can make fail2ban able to share the discovered IP's with other systems, so that they can isolate themselves also. Another way to hedge would also be the push the fail2ban detected IP's on a parent router or switch. In the first part of the HowTo, we write the IP of an attacker in a MySql database so that other systems can access this database. There are, of course, many ways to share these data with other systems than through a database. As always, the sky is no limits.

System Requirements

This HowTo assumes that fail2ban, iptables, mysql and php is installed functional on the system.
On Ubuntu, you can quickly do:

root@devserv3:~# sudo apt-get install php5 mysql-server fail2ban iptables

Next, we have to create a database in MySql, the database called "fail2ban". In this database, a table is created:

  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `hostname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `created` datetime NOT NULL,
  `name` text COLLATE utf8_unicode_ci NOT NULL,
  `protocol` varchar(16) COLLATE utf8_unicode_ci NOT NULL,
  `port` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `ip` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  KEY `hostname` (`hostname`,`ip`)

PHP script for passing the fail2ban IP

Now comes a small PHP script to use, which will accept the IP address, port, protocol, and the fail2ban Jailnamen and writes to the MySQL database.
The PHP script is created in the directory: /root and we make it executable. In addition, read permissions should be revoked for unauthorized persons!

root@devserv3:~# cd /root && touch fail2ban.php && chmod +x fail2ban.php

fail2ban.php is filled with the following content:

#!/usr/bin/php -n
$name = $_SERVER["argv"][1];
$protocol = $_SERVER["argv"][2];
$port = $_SERVER["argv"][3];
if (!preg_match('/^\d{1,5}$/', $port))
    $port = getservbyname($_SERVER["argv"][3], $protocol);
$ip = $_SERVER["argv"][4];

$hostname = gethostname();

// connect to mysql by hostname, username and password
$link = mysql_connect('devserv3', 'fail2ban', 'password') or die('Could not connect: ' . mysql_error());
mysql_select_db('fail2ban') or die('Could not select database');
$query = 'INSERT INTO `fail2ban` set hostname="' . addslashes($hostname) . '", name="' . addslashes($name) . '", protocol="' . addslashes($protocol) . '", port="' . addslashes($port) . '", ip="' . addslashes($ip) . '", created=NOW()';
$result = mysql_query($query) or die('Query failed: ' . mysql_error());

Now you can test the script and check if datas in database arrive.

root@devserv3:~# ./fail2ban.php jailname ssh 22

Fail2ban IP store in MySql Database

Connection to Fail2Ban

If the script works we can create the connection to Fail2Ban.
To do this, change to the fail2ban configuration directory.

root@devserv3:~# cd /etc/fail2ban/ && ls -al
total 28
drwxr-xr-x  4 root root 4096 Feb 13 14:56 .
drwxr-xr-x 97 root root 4096 Feb 13 15:28 ..
drwxr-xr-x  2 root root 4096 Feb 13 14:56 action.d
-rw-r--r--  1 root root  853 Nov 29  2011 fail2ban.conf
drwxr-xr-x  2 root root 4096 Feb 13 14:56 filter.d
-rw-r--r--  1 root root 7346 Jun 18  2013 jail.conf

In the files jail.conf and jail.local (must not be present), the jails and the banaction are defined.
Here once the example from Jail "pam-generic".

enabled  = true
filter   = pam-generic
port     = all
banaction = iptables-multiport
logpath  = /var/log/auth.log

The line with the banaction sets with which action the IP to be treated.
If no banaction at Jail specified, the default banaction is used. This is defined in the same file, in the [DEFAULT]. In general, the action is the iptables-multiport.
In the action folder "action.d" the file iptables multiport.conf should be found.
This file is now extended that, when a IP is banned then also our PHP script is called. Calling all parameters such as IP, port, etc. are passed.
After the line with actionban = ..... a new row inserted to invoke the PHP script:

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP /root/fail2ban.php <name> <protocol> <port> <ip>

Now fail2ban even have to be restarted. In the fail2ban logs can be checked whether there was an error.

root@devserv3:~# /etc/init.d/fail2ban restart
root@devserv3:~# cat /var/log/fail2ban.log

From now on, intrusions are detected and logged in the database.
In the second part of the HOWTO (coming soon) will be described how to distribute the IP addresses from the database on another server.

Continue to Part 2 - Read and lock Fail2ban IP from the DB

Status: 2015-10-15

Secure your Servers with our Cloud-IPS

Easily secure your servers with our smart IPS from the cloud.
Our Cloud-IPS software is very easy to install and can be configured from everywhere with a browser.
Stop server attacks before they happen and help other cloud users to keep their servers safe.

Increase your Server Security with our Cloud Based Intrusion Prevention!

  • Easy Setup at Client-Side check
  • Automated Updates check
  • Low System Load check
  • Manually Lock/Unlock of IP's check
  • Cloud-IPS location in Germany check
  • Detailed Statistics check
  • Private Whitelists check
  • SSL Encryption check
Intrusion Prevention

Get Free Account Now

With just a few clicks, you can secure up to 5 of your Servers for free and be protected immediately by our Cloud-IPS.

  • check 5 Servers for Free
  • check No Credit Card needed