Fail2Ban is a security application that can block malicious connection attempts.
Connecting a server to the Internet exposes it to all manner of dangers. A server is a neat package of network connectivity, compute resources, and storage space. And that’s before we consider the applications running on the server, which can provide a rich stream of users and their associated data.
This is all very enticing to hackers and online criminals, who’d love nothing better than to hack your server and use it to infect your users with malware, send spam to hundreds of thousands of web users, or recruit another botnet node.
That’s why every server with a publicly accessible IP address is bombarded with probes, port scans, and login attempts. Hackers build automated systems to trawl the net looking for vulnerabilities. The simplest of these are brute-force bots that look for services running on known ports and try to guess the right authentication credentials.
In the worst case, the attacker is able to guess the password and compromise the server. In the best case, the server’s users have passwords strong enough to defeat brute force attacks. A moderately long and complex password should take far too long for a hacker to crack by guessing.
In either case, the repeated login attempts are annoying and disruptive. Every login attempt consumes bandwidth and other server resources, so server admins would rather spot such attacks early and simply ignore any future attempts from the same source.
Every time an external server tries to connect to your server, a log is generated. The log contains lots of information about the connection, including whether or not the connection was successful and the IP address of the connecting server. Malicious connections leave a tell-tale signature. If an IP tries to connect to your server a hundred times in a couple of minutes and enters the wrong credentials every time, it’s a big clue that something untoward is occurring.
Fail2ban runs on a server and monitors its logs, looking for signs like this. I’ve only described the simplest of malicious connection signatures, but fail2ban is quite intelligent when it comes to discovering wrongdoing.
When fail2ban decides that an IP is engaged in malicious activity, it can add a firewall rule to drop all further connection attempts from that IP. Fail2ban is flexible and configurable, so users can alter the banning criteria. If you have users who frequently mistype their passwords, you can set fail2ban to block them if they enter the wrong password five times in a row, but let them try again after ten minutes.
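The counting, time-window and ban-expiry logic described above, as an added Python example that is not fail2ban's own code: it reads constructed OpenSSH-style auth-log lines, bans an IP after five failures within ten minutes, and lifts the ban after ten minutes. The log line format, the `Jail` class and the sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines; the timestamp format is an assumption of this example.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

class Jail:  # toy jail: ban an IP after maxretry failures within findtime, for bantime
    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(minutes=10)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.banned.pop(ip, None)  # bantime elapsed: the IP may try again
        return False

    def feed(self, line):  # consume one log line; return the IP if it triggered a ban, else None
        m = FAIL_RE.match(line)
        if not m:
            return None  # successful logins and unrelated lines are ignored
        ts, ip = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]
        if self.is_banned(ip, ts):
            return None  # already blocked; real fail2ban has the firewall drop these
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ip
        return None

def fail_line(minute, ip):  # constructed sample log line, not a real capture
    return f"2024-01-15 10:{minute:02d}:00 host sshd[1001]: Failed password for root from {ip} port 4242 ssh2"

# Constructed sample: 203.0.113.7 fails five times in five minutes, 198.51.100.9 five times three minutes apart.
SAMPLE_LOG = sorted([fail_line(m, "203.0.113.7") for m in range(5)]
                    + [fail_line(m, "198.51.100.9") for m in range(0, 15, 3)]
                    + ["2024-01-15 10:16:00 host sshd[1002]: Accepted password for alice from 192.0.2.5 port 22 ssh2"])

def run(lines):  # feed every line through one jail; return the jail and {ip: ban expiry} for bans triggered
    jail = Jail()
    return jail, {ip: jail.banned[ip] for ip in filter(None, map(jail.feed, lines))}
```

Only 203.0.113.7 is banned: the second address never accumulates five failures inside one ten-minute window, which is what makes fail2ban tolerant of a user who mistypes now and then.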
It’s important to note that fail2ban is just a small part of a full server security program. It’s not a replacement for using secure passwords or hardening the server by limiting the number of exposed services. Nevertheless, if your server is plagued by automated bots, fail2ban is a great tool for limiting the impact.