Fail2ban Security Configuration


Overview

Fail2ban provides automated intrusion prevention by monitoring log files and temporarily blocking IP addresses that exhibit suspicious behavior patterns.

Core Configuration

Default Settings

  • Ban Duration: 1 hour (3600 seconds) by default
  • Detection Window: 10 minutes (600 seconds)
  • Failure Threshold: 3 attempts before ban
  • Backend: Automatic detection of optimal log parsing method

Network Exclusions

Trusted networks exempt from banning:

  • Loopback: 127.0.0.1/8
  • Main LAN: 192.168.76.0/24
  • Guest VLAN: 192.168.77.0/24

Active Protection Jails

SSH Protection

Primary security focus with enhanced protection:

  • Custom SSH port 24442 monitoring
  • 2-hour ban duration for SSH attacks
  • 5-minute detection window for rapid response
  • Authentication log monitoring

Recidive Jail

Repeat offender management for persistent attackers:

  • 7-day ban duration for repeat violations
  • 24-hour detection window for pattern analysis
  • 5-failure threshold before extended ban
  • All-ports blocking for comprehensive protection

DNS Security

BIND9 attack prevention:

  • Domain and control port monitoring (53, 953)
  • Query refusal pattern detection
  • 30-minute ban for DNS abuse
  • Security log analysis for attack patterns

System Authentication

PAM-based login protection:

  • Generic authentication failure monitoring
  • System-wide login attempt tracking
  • All-ports blocking for offending hosts
  • System log integration

Planned Protection Services

DNS Filter Admin Interface

Ready for activation with a custom filter:

  • Web interface brute-force protection
  • HTTP/HTTPS port monitoring
  • 1-hour ban duration
  • Admin panel access control

Tor Network Protection

Flood protection for Tor services:

  • Notice log monitoring for abuse patterns
  • 10-attempt threshold, leaving headroom for legitimate usage
  • 30-minute ban for flood mitigation
  • Tor-specific attack pattern recognition

Action Framework

Blocking Method

Primary action uses iptables-multiport for efficient blocking:

  • TCP protocol focus for most services
  • INPUT chain filtering for incoming connections
  • Multi-port support for service-specific blocking
  • All-ports blocking for severe violations

Logging and Monitoring

  • Automatic log encoding detection for non-ASCII log content
  • DNS warning mode (no reverse lookups) for performance
  • Fail2ban monitors its own log to drive the recidive jail
  • Email notification capability (requires MTA configuration)
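The defaults, network exclusions, jails and action settings described in the sections above, rendered as a single jail.local. This is an added example, not the page's own file: the filter names, log paths and the destemail value are assumptions (chosen to match stock Debian jail.conf defaults), and ban times are written in seconds so they do not depend on a fail2ban version that understands time suffixes.

```ini
# Added example jail.local expressing the policy described on this page.
# Filter names, log paths and destemail are assumptions, not the page's values.

[DEFAULT]
# "Default Settings": 1 hour ban, 10 minute window, 3 failures, auto backend
bantime  = 3600
findtime = 600
maxretry = 3
backend  = auto
# "Network Exclusions": loopback, main LAN, guest VLAN are never banned
ignoreip = 127.0.0.1/8 192.168.76.0/24 192.168.77.0/24
# "Action Framework": iptables-multiport on the INPUT chain (TCP by default);
# iptables-allports is used by the jails that escalate to all-ports blocking
banaction          = iptables-multiport
banaction_allports = iptables-allports
# "Logging and Monitoring": warn-only DNS mode avoids reverse-lookup delays;
# mail delivery still requires a working MTA on the host
usedns    = warn
destemail = root@localhost

[sshd]
# "SSH Protection": custom port, 2 hour ban, 5 minute window, auth log
enabled  = true
port     = 24442
logpath  = /var/log/auth.log
bantime  = 7200
findtime = 300

[recidive]
# "Recidive Jail": reads fail2ban's own log; 5 bans in 24h => 7 day all-ports ban
enabled   = true
logpath   = /var/log/fail2ban.log
bantime   = 604800
findtime  = 86400
maxretry  = 5
banaction = %(banaction_allports)s

[named-refused]
# "DNS Security": BIND9 refused-query patterns, ports 53 and 953, 30 minute ban
enabled = true
port    = domain,953
logpath = /var/log/named/security.log
bantime = 1800

[pam-generic]
# "System Authentication": generic PAM failures, all-ports blocking
enabled   = true
logpath   = /var/log/auth.log
banaction = %(banaction_allports)s
```

After editing, `fail2ban-client -t` checks the configuration for syntax errors before a reload, and `fail2ban-client status <jail>` shows the filter matches and current bans per jail.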

Security Benefits

  1. Automated Response: Immediate reaction to attack patterns
  2. Escalating Penalties: Longer bans for repeat offenders
  3. Service-Specific Protection: Tailored filters for each service
  4. Network Awareness: Trusted network exemptions
  5. Pattern Recognition: Advanced attack signature detection

Performance Considerations

Efficiency Optimizations

  • Backend auto-selection for optimal log parsing
  • DNS resolution warnings prevent lookup delays
  • Automatic encoding detection reduces processing overhead
  • Selective service monitoring minimizes resource usage

Resource Management

  • Log file monitoring without excessive disk I/O
  • Memory-efficient pattern matching
  • Minimal iptables rule creation
  • Automatic cleanup of expired bans

Integration Points

System Services

  • SSH daemon: Custom port monitoring
  • BIND9: DNS security integration
  • PAM system: Authentication monitoring
  • DNS filter: Web interface protection
  • Tor: Network flood prevention

Logging Infrastructure

  • auth.log: Authentication attempt monitoring
  • security.log: DNS security events
  • pihole.log: Web interface access patterns
  • Tor notices.log: Network abuse detection

Operational Management

Configuration Files

  • jail.local: Custom jail definitions and overrides
  • filter.d/: Service-specific pattern filters
  • action.d/: Response action definitions
  • paths-debian.conf: System-specific log paths

Monitoring Commands

Regular monitoring ensures proper operation and provides attack visibility.

Maintenance Tasks

  • Regular review of banned IP addresses
  • Log file rotation and cleanup
  • Filter pattern updates for new attack types
  • Performance monitoring and optimization
  • Email notification system configuration
  • Iptables firewall rules
  • SSH daemon hardening
  • DNS security configuration
  • System authentication policies
  • Network monitoring and alerting