Lead Image © bluebay, 123RF.com
A Password Protection Service
Fail2ban
Several security measures do not protect your systems from compromise, including security by obscurity (i.e., changing ports), intrusion detection (after-the-fact monitoring and reporting), and poor password policies (allowing non-complex passwords). The better method for protecting your systems is to implement intrusion prevention measures. Fail2ban [1] is one such solution. It scans logs to check for attacks before they occur and blocks the offending host's access prior to any compromises or break-ins.
Malicious attackers know that passwords are the weakest link in the security chain. They also know that with enough time they can break even the best passwords. Rather than allowing attackers to make attempt after attempt, Fail2ban stops them on their first round of attempts. Any password-protected service, such as SSH, FTP, IMAP, POP3, Sendmail, and others, is susceptible to brute-force and dictionary attacks, because username/password combinations are inherently weak protections.
Fail2ban allows you to set up intrusion prevention monitoring on any service port that uses username/password combinations for authentication. And while Fail2ban runs as a daemon, it does not expose any new listening network ports to which an outside attacker can attach. To disable it, an attacker would have to compromise the system before Fail2ban bans the offending host, which is unlikely in the case of a dictionary or brute-force attack on an exposed port.
Installing Fail2ban
Fail2ban is available as a package for most distributions, so try that installation method before searching for source code and compile options. For example, on Red Hat-based systems, use:
$ sudo yum -y install fail2ban
For Debian-based ones, use:
$ sudo apt install fail2ban
Using a package installer also guarantees that