Chapter 34: Intrusion Detection and Fail2Ban
Comprehensive Guide to Linux Intrusion Detection
Why This Matters in DevOps/SRE
Intrusion detection is essential for proactive security:
IDS for DevOps/SRE
+------------------------------------------------------------------+
|                                                                  |
|  Real-time Protection:                                           |
|  +----------------------------------------------------------+    |
|  | Fail2Ban  → Blocks brute force in real-time              |    |
|  | OSSEC     → Monitors file integrity, logs                |    |
|  | RKHunter  → Detects rootkits                             |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Compliance & Forensics:                                         |
|  +----------------------------------------------------------+    |
|  | AIDE       → File integrity for compliance               |    |
|  | Lynis      → Security auditing                           |    |
|  | Audit logs → Evidence for investigations                 |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Incident Response:                                              |
|  +----------------------------------------------------------+    |
|  | IDS alerts     → Early detection of compromises          |    |
|  | File integrity → Detect post-breach changes              |    |
|  | Log analysis   → Understand attack vectors               |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+

Practical Impact:
- Detect and block attacks automatically
- Meet compliance requirements (PCI-DSS requires IDS)
- Investigate security incidents with evidence
- Detect file tampering (malware, backdoors)
34.1 Understanding Intrusion Detection
Types of IDS/IPS
Intrusion Detection Systems
+------------------------------------------------------------------+
|                                                                  |
|  Network-based IDS (NIDS):                                       |
|  +----------------------------------------------------------+    |
|  | • Monitors network traffic                               |    |
|  | • Examples: Snort, Suricata                              |    |
|  | • Passive monitoring                                     |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Host-based IDS (HIDS):                                          |
|  +----------------------------------------------------------+    |
|  | • Monitors system activity                               |    |
|  | • Examples: OSSEC, AIDE                                  |    |
|  | • File integrity, process monitoring                     |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Intrusion Prevention System (IPS):                              |
|  +----------------------------------------------------------+    |
|  | • Active blocking of attacks                             |    |
|  | • Examples: Fail2Ban, Snort-inline                       |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Detection Methods:                                              |
|  +----------------------------------------------------------+    |
|  | Signature-based | Known attack patterns                  |    |
|  | Anomaly-based   | Deviations from normal                 |    |
|  | Stateful        | Protocol state analysis                |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+

34.2 Fail2Ban Configuration
Installation and Setup
```bash
# Install
sudo apt install fail2ban      # Debian/Ubuntu
sudo yum install fail2ban      # RHEL/CentOS (EPEL)
sudo pacman -S fail2ban        # Arch

# Start service
sudo systemctl enable --now fail2ban

# Configuration files
# /etc/fail2ban/jail.local   (recommended: local overrides, survives package upgrades)
# /etc/fail2ban/jail.conf    (default, do not edit)
```

jail.local Configuration
```ini
[DEFAULT]
# Ban time (duration)
bantime = 1h

# Time window for retries
findtime = 10m

# Max retries before ban
maxretry = 3

# Email notifications (action_mwl = ban + mail with whois and matching log lines)
destemail = admin@example.com
sender = fail2ban@example.com
action = %(action_mwl)s

# Whitelist (never ban)
ignoreip = 127.0.0.1/8 10.0.0.0/8 192.168.0.0/16
```

SSH Jail
```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 1h
findtime = 10m
action = %(action_mwl)s

# Custom port
[sshd-custom]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```

Web Server Jails
```ini
# Nginx HTTP Auth
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5

# Nginx Bot Search (filter name must match a file in /etc/fail2ban/filter.d/;
# the stock filter for this purpose is nginx-botsearch)
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/error.log

# Apache Auth
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 5

# Apache Badbots
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/error.log
```

Mail Server Jails
```ini
# Postfix
[postfix]
enabled = true
port = smtp,submission,imap3,imaps,pop3,pop3s
filter = postfix
logpath = /var/log/mail.log

# Dovecot
[dovecot]
enabled = true
port = smtp,submission,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log

# SASL
[sasl]
enabled = true
port = smtp,submission,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
```

Custom Jail Example
```ini
# Block repeated login attempts to API
[api-rate-limit]
enabled = true
port = http,https
filter = api-rate-limit
logpath = /var/log/api/access.log
maxretry = 10
bantime = 30m
findtime = 1m
action = %(action_mwl)s

# Create filter
# /etc/fail2ban/filter.d/api-rate-limit.conf
# Note: this regex counts every POST to /api/login (successful ones included),
# so the jail is a rate limit, not a failed-login counter.
[Definition]
failregex = ^<HOST> .* "POST /api/login
ignoreregex =
```

Fail2Ban Commands
```bash
# Status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Ban/Unban
sudo fail2ban-client set sshd banip 1.2.3.4
sudo fail2ban-client set sshd unbanip 1.2.3.4

# Reload
sudo fail2ban-client reload
sudo fail2ban-client reload sshd

# Check logs
tail -f /var/log/fail2ban.log

# Test a filter against a log file (shows which lines match)
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
```

34.3 OSSEC (Host-based IDS)
Installation
```bash
# Install
sudo apt install ossec-hids    # Debian/Ubuntu
sudo yum install ossec-hids    # RHEL/CentOS
sudo pacman -S ossec-hids      # Arch

# Configure
sudo /var/ossec/bin/ossec-configure
```

Configuration
```bash
# Local rules
# /var/ossec/rules/local_rules.xml

# View alerts
tail -f /var/ossec/logs/alerts/alerts.log

# Manage the service
/var/ossec/bin/ossec-control start
/var/ossec/bin/ossec-control stop
/var/ossec/bin/ossec-control restart

# Agent management (add agents, extract their keys)
/var/ossec/bin/manage_agents
```

34.4 AIDE (File Integrity)
Installation
```bash
# Install
sudo apt install aide          # Debian/Ubuntu
sudo yum install aide          # RHEL/CentOS
sudo pacman -S aide            # Arch
```

Initialization and Usage
```bash
# Initialize database
sudo aide --init

# Rename database (--init writes aide.db.new; --check reads aide.db)
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check integrity
sudo aide --check

# Update database (writes a fresh aide.db.new; rename it as above to activate it)
sudo aide --update

# Check specific file (restrict the check to paths matching a regex)
sudo aide --check --limit=/etc/passwd
```
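To make the init / check / update cycle concrete, here is an added toy integrity checker in Python; it is not AIDE's code. A JSON baseline of per-file attributes and SHA-256 hashes stands in for aide.db, `check()` does what `aide --check` does (added, removed and changed files), and re-saving the baseline after a reviewed change is the `aide --update` plus rename step. The monitored tree (a fake /etc with passwd and hosts) is constructed in a temporary directory for the example.

```python
"""Toy file-integrity checker mirroring AIDE's init/check/update cycle
(added example, not AIDE's code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path):
    """Roughly what AIDE's R rule group records: mode, owner, size, mtime, hash."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_db(roots):
    """Scan (aide --init / --update): fingerprint every regular file under roots."""
    db = {}
    for root in map(Path, roots):
        files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
        for p in files:
            db[str(p)] = fingerprint(p)
    return db


def save_db(db, dest):
    Path(dest).write_text(json.dumps(db, sort_keys=True))


def load_db(src):
    return json.loads(Path(src).read_text())


def check(baseline, current):
    """aide --check: report added, removed and changed files (with the changed attributes)."""
    old, new = set(baseline), set(current)
    changed = {p: sorted(k for k in baseline[p] if baseline[p][k] != current[p][k])
               for p in old & new if baseline[p] != current[p]}
    return {"added": sorted(new - old), "removed": sorted(old - new), "changed": changed}


def demo():
    """init -> changes -> check -> update baseline -> check again (constructed tree)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        db = Path(tmp, "aide.db")
        save_db(build_db([etc]), db)           # aide --init; mv aide.db.new aide.db

        # Changes after the baseline: an extra passwd entry, a new file, a deletion.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv:/bin/sh\n")
        (etc / "cron.allow").write_text("root\n")
        (etc / "hosts").unlink()
        first = check(load_db(db), build_db([etc]))   # aide --check flags all three

        # Reviewed and accepted: refresh the baseline. Until this is done every
        # later check repeats the same findings (the 'database never updated' trap).
        save_db(build_db([etc]), db)           # aide --update; mv aide.db.new aide.db
        second = check(load_db(db), build_db([etc]))

    names = lambda paths: [Path(p).name for p in paths]
    return {
        "first": {"added": names(first["added"]), "removed": names(first["removed"]),
                  "changed": {Path(p).name: attrs for p, attrs in first["changed"].items()}},
        "second": second,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the first report with `cron.allow` added, `hosts` removed and `passwd` changed in `size` and `sha256`, and a second, empty report once the baseline has been refreshed. The baseline file should live where an intruder cannot rewrite it (read-only media or a separate host), because a checker is only as trustworthy as the database it compares against.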
```bash
# Daily check (cron)
sudo crontab -e
0 5 * * * /usr/bin/aide --check
```

Configuration
```
# Database location
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Monitored paths with rule group (R = permissions, inode, owner, size, mtime, checksum)
/etc/pam.d R
/etc/passwd R
/etc/shadow R
/etc/group R
/etc/sudoers R
/var/log R
/bin R
/sbin R
/usr/bin R
/usr/sbin R
/etc/cron R
/etc/hosts R
```

34.5 RKHunter (Rootkit Detection)
Installation and Usage
```bash
# Install
sudo apt install rkhunter      # Debian/Ubuntu
sudo yum install rkhunter      # RHEL/CentOS

# Update data files
sudo rkhunter --update

# Check system
sudo rkhunter --check
sudo rkhunter --check --sk     # --sk: skip the keypress prompt between test groups

# Properties test: refresh the stored file properties after legitimate updates
sudo rkhunter --propupd
```

34.6 Lynis (Security Auditing)
Installation and Usage
```bash
# Install
sudo apt install lynis         # Debian/Ubuntu
sudo yum install lynis         # RHEL/CentOS
sudo pacman -S lynis           # Arch

# Run audit
sudo lynis audit system
sudo lynis audit system --cronjob    # non-interactive, for scheduled runs

# Check hardening
sudo lynis audit system --details

# Quick scan
sudo lynis audit system --quick
```

34.7 Interview Questions
Basic Questions
Section titled “Basic Questions”-
What is Fail2Ban?
- Intrusion prevention system that bans IPs after failed attempts
-
What is the difference between IDS and IPS?
- IDS detects; IPS prevents (active blocking)
-
What is AIDE?
- File integrity monitoring tool
-
How does Fail2Ban work?
- Monitors log files, regex matching, bans via iptables
-
What is OSSEC?
- Host-based intrusion detection system
Intermediate Questions
- What are the main components of Fail2Ban?
  - Filters, Actions, Jails
- How do you whitelist an IP in Fail2Ban?
  - Add to ignoreip in jail.local
- What is the purpose of findtime in Fail2Ban?
  - Time window for counting retries
- How do you create a custom Fail2Ban jail?
  - Create filter in /etc/fail2ban/filter.d/ and jail in jail.local
- What is rootkit detection?
  - Detecting hidden malicious software
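The Fail2Ban mechanics asked about above (regex matching against log lines, counting hits per host inside findtime, banning once maxretry is reached) replayed in plain Python, as an added example; this is not Fail2Ban's own code. It reuses the `[api-rate-limit]` filter and jail values from section 34.2. The log lines and the TEST-NET addresses are constructed, and `HOST_PATTERN` is a simplified IPv4-only stand-in for what Fail2Ban substitutes for `<HOST>`.

```python
"""Replay of Fail2Ban's jail logic (added example, not Fail2Ban's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Stand-in for Fail2Ban's <HOST> (IPv4 only; the real one also covers IPv6 and hostnames).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from /etc/fail2ban/filter.d/api-rate-limit.conf in this chapter.
FAILREGEX = r'^<HOST> .* "POST /api/login'

# Combined-log timestamp, e.g. [10/Oct/2024:13:55:36 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2Ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_time(line):
    """Extract the request timestamp (Fail2Ban does this with its datepattern)."""
    m = TIMESTAMP.search(line)
    if m is None:
        raise ValueError(f"no timestamp in line: {line!r}")
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def run_jail(lines, failregex=FAILREGEX, maxretry=10, findtime=60, bantime=1800):
    """Feed log lines through a jail and return {host: ban expiry datetime}.

    findtime/bantime are seconds (1m and 30m in jail.local). A match leaves a
    host's window once it is older than findtime relative to the newest match,
    so attempts spread thinly over time never add up to a ban.
    """
    regex = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    banned = {}
    for line in lines:
        m = regex.search(line)
        if m is None or m.group("host") in banned:
            continue
        host, ts = m.group("host"), parse_time(line)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
    return banned


# --- constructed sample logs --------------------------------------------------
BASE = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def login_posts(host, offsets, status=401):
    """Constructed combined-format lines: one POST /api/login per second offset."""
    return [
        f'{host} - - [{(BASE + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
        f'"POST /api/login HTTP/1.1" {status} 27'
        for s in offsets
    ]


# 11 login POSTs from one host within 50 s, plus ordinary traffic from another host.
BURST_LOG = sorted(
    login_posts("203.0.113.7", range(0, 55, 5))
    + ['198.51.100.5 - - [10/Oct/2024:13:55:12 +0000] "GET /api/status HTTP/1.1" 200 12']
    + login_posts("198.51.100.5", [13], status=200),
    key=parse_time,
)
# The same 11 attempts spread over 100 s: never 10 inside one 60 s window.
SLOW_LOG = login_posts("203.0.113.8", range(0, 110, 10))

if __name__ == "__main__":
    for name, log in (("burst", BURST_LOG), ("slow", SLOW_LOG)):
        print(name, {h: t.isoformat() for h, t in run_jail(log).items()})
```

With the chapter's values the bursting host is banned on its 10th POST (13:55:45, expiring 30 minutes later) while the host that logged in once is untouched; the slow log produces no ban at `findtime = 1m` but does at `findtime = 10m`, which is exactly the trade-off the findtime question is about. Setting `maxretry = 1`, the anti-pattern from the Common Mistakes section below, bans both hosts, the legitimate one included.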
Common Mistakes & Anti-Patterns
1. Not Monitoring IDS Alerts
```bash
# ❌ WRONG: Installing IDS but ignoring alerts
# Fail2Ban bans but nobody checks who is being banned
# No review of OSSEC alerts

# ✅ CORRECT: Set up alerting
# Fail2Ban (jail.local): ban and mail with whois and matching log lines
action = %(action_mwl)s

# OSSEC (<global> section of /var/ossec/etc/ossec.conf): email alerts
<email_notification>yes</email_notification>
<email_to>security@example.com</email_to>
```

2. Not Maintaining AIDE Database
```bash
# ❌ WRONG: AIDE database never updated
# After legitimate changes, everything looks like an alert!

# ✅ CORRECT: Update database after changes
aide --update                                         # After system updates
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db    # Activate the refreshed database
aide --check                                          # Regular checks
# Schedule in cron
0 3 * * * /usr/sbin/aide --check
```

3. Overly Permissive Fail2Ban Jails
```ini
# ❌ WRONG: Too aggressive banning
bantime  = -1     # Permanent ban!
findtime = 1      # 1 second (a bare number is seconds, not minutes)
maxretry = 1      # Single mistake = ban

# ✅ CORRECT: Balanced settings
bantime  = 3600   # 1 hour
findtime = 600    # 10 minutes
maxretry = 5      # 5 attempts
```

4. Not Running Regular Scans
```bash
# ❌ WRONG: Only running RKHunter after a breach
# Should run regularly as a proactive measure

# ✅ CORRECT: Schedule regular scans
# /etc/cron.d/rkhunter (cron.d entries need the user field)
0 3 * * * root /usr/bin/rkhunter --check --cronjob

# /etc/cron.d/lynis: weekly audit
0 4 * * 0 root /usr/bin/lynis audit system --cronjob
```

Summary
Quick Reference
+------------------------------------------------------------------+
|                                                                  |
|  Fail2Ban:                                                       |
|  +----------------------------------------------------------+    |
|  | sudo fail2ban-client status           | Status           |    |
|  | sudo fail2ban-client set sshd banip   | Ban IP           |    |
|  | sudo fail2ban-client set sshd unbanip | Unban IP         |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  AIDE:                                                           |
|  +----------------------------------------------------------+    |
|  | sudo aide --init                      | Initialize       |    |
|  | sudo aide --check                     | Check integrity  |    |
|  | sudo aide --update                    | Update DB        |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  OSSEC:                                                          |
|  +----------------------------------------------------------+    |
|  | /var/ossec/bin/ossec-control start    | Start            |    |
|  | tail -f /var/ossec/logs/alerts/       | View alerts      |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+