
Fail2ban - Protect Linux server against brute-force attacks, Pentesting with Hydra


Fail2ban

Fail2ban protects against brute-force attacks by scanning service log files for repeated authentication failures and temporarily banning the offending IP addresses with firewall rules.

Install Fail2ban (Ubuntu)

# Install Fail2ban
sudo apt update && sudo apt install fail2ban -y

# Start and enable service
sudo systemctl start fail2ban && sudo systemctl enable fail2ban
# Check status
sudo systemctl status fail2ban

# List commands
fail2ban-client -h

Debian

# Install rsyslog to save authentication logs in /var/log/auth.log
sudo apt install rsyslog -y

Configuration

# Copy the default config file (jail.conf can be overwritten in updates)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Open configuration file
sudo vi /etc/fail2ban/jail.local

Beneath the default section [DEFAULT] are sections for specific services that can be used to override the default settings.

Example SSH service:

[sshd]

enabled     = true
port        = ssh
logpath     = %(sshd_log)s
backend     = %(sshd_backend)s
ignoreip    = 127.0.0.1, 192.168.30.61/32
bantime     = 60m
findtime    = 10m
maxretry    = 5

  • ignoreip: IP addresses or entire subnets that should be ignored by the banning system

  • bantime: Length of a ban in seconds (suffixes such as "m" are accepted); the default is 10 minutes

  • findtime: Time window in which Fail2ban counts the number of failed attempts

  • maxretry: Number of failed attempts that will be tolerated within the findtime window before a ban is instituted

# Restart fail2ban services after configuration changes
sudo systemctl restart fail2ban
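To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added example (not Fail2ban's own code) that replays constructed /var/log/auth.log lines through a simulation of the [sshd] jail shown above. It assumes a simplified version of the sshd failregex (the real one lives in /etc/fail2ban/filter.d/sshd.conf and matches many more message forms), a fixed year of 2024 for the syslog timestamps, and the sample log lines are constructed for the demo.

```python
"""Simulation of the [sshd] jail decision logic over constructed auth.log lines.

Added example, not Fail2ban's own code. It mirrors the jail.local settings
shown above with a simplified sshd failregex (assumption: only the classic
"Failed password ... from <ip> port <n>" form is matched).
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failregex (assumption, see module docstring).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Settings copied from the [sshd] section above, converted to seconds.
JAIL = {
    "ignoreip": ["127.0.0.1", "192.168.30.61/32"],
    "bantime": 60 * 60,   # 60m
    "findtime": 10 * 60,  # 10m
    "maxretry": 5,
}

# Constructed sample of /var/log/auth.log in syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 192.168.30.60 port 51234 ssh2
Mar  3 10:00:03 srv sshd[1203]: Failed password for root from 192.168.30.60 port 51236 ssh2
Mar  3 10:00:05 srv sshd[1205]: Failed password for root from 192.168.30.61 port 40001 ssh2
Mar  3 10:00:06 srv sshd[1207]: Failed password for invalid user test from 192.168.30.60 port 51238 ssh2
Mar  3 10:00:08 srv sshd[1209]: Accepted publickey for deploy from 192.168.30.70 port 50010 ssh2
Mar  3 10:00:09 srv sshd[1211]: Failed password for root from 192.168.30.60 port 51240 ssh2
Mar  3 10:00:12 srv sshd[1213]: Failed password for root from 192.168.30.60 port 51242 ssh2
Mar  3 10:30:00 srv sshd[1301]: Failed password for root from 192.168.30.80 port 60001 ssh2
Mar  3 10:31:00 srv sshd[1303]: Failed password for root from 192.168.30.80 port 60003 ssh2
Mar  3 10:45:00 srv sshd[1305]: Failed password for root from 192.168.30.80 port 60005 ssh2
Mar  3 10:46:00 srv sshd[1307]: Failed password for root from 192.168.30.80 port 60007 ssh2
Mar  3 10:47:00 srv sshd[1309]: Failed password for root from 192.168.30.80 port 60009 ssh2
"""


def parse_syslog_ts(line, year=2024):
    """Parse the leading 'Mon dd HH:MM:SS' syslog stamp; the year is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def is_ignored(ip, ignoreip):
    """True when ip falls inside any ignoreip entry (single host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def evaluate_jail(log_text, jail=JAIL, year=2024):
    """Replay log lines; return ({ip: ban_expiry}, {ip: failures still in window})."""
    findtime = timedelta(seconds=jail["findtime"])
    bantime = timedelta(seconds=jail["bantime"])
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if is_ignored(ip, jail["ignoreip"]):
            continue
        ts = parse_syslog_ts(line, year)
        if ip in bans and ts < bans[ip]:
            continue  # already banned; the firewall would have dropped this anyway
        window = failures[ip]
        window.append(ts)
        # Sliding findtime window: forget failures older than findtime.
        while window and window[0] < ts - findtime:
            window.popleft()
        if len(window) >= jail["maxretry"]:
            bans[ip] = ts + bantime
            window.clear()  # counter resets once the address is banned
    pending = {ip: len(w) for ip, w in failures.items() if w}
    return bans, pending


if __name__ == "__main__":
    banned, still_counting = evaluate_jail(SAMPLE_AUTH_LOG)
    for ip, until in banned.items():
        print(f"banned {ip} until {until:%H:%M:%S}")
    print("failures still inside findtime:", still_counting)
```

Running it bans 192.168.30.60 (five failures within 11 seconds) for 60 minutes, skips 192.168.30.61 because it is in ignoreip, and leaves 192.168.30.80 unbanned: its first two failures at 10:30 and 10:31 have slid out of the 10-minute findtime window by the time the fifth arrives at 10:47, so only three count. Lowering findtime therefore makes the jail more tolerant of slow attacks, not less.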

Jail Status

# Check the status of the sshd jail
sudo fail2ban-client status sshd

# Shell output:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     8
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.30.60

  • Currently failed: The number of failed login attempts that have been detected since the last time Fail2ban successfully banned an IP address or since Fail2ban was restarted.

  • Total failed: The total number of failed login attempts detected since the jail was started, regardless of whether they resulted in an IP being banned.

  • File list: The log files that Fail2ban is monitoring for this particular jail.

# Fail2ban log
/var/log/fail2ban.log

Unbanning an IP Address

# Unban IP: Syntax
sudo fail2ban-client set <jail-name> unbanip <IP-address>

# Unban IP: Example
sudo fail2ban-client set sshd unbanip 192.168.30.60

Pentesting

Hydra

Hydra is a network login brute-forcer that supports many protocols, such as FTP, SSH and HTTPS.

# Install Hydra package
sudo apt install hydra-gtk -y

# Verify installation / open documentation
hydra -h

# Define username & passwordlist
hydra -t 4 -l username -P passlist.txt ssh://192.168.30.90

# Define userlist & passwordlist
hydra -t 4 -L userlist.txt -P passlist.txt ssh://192.168.30.90

# Define userlist, passwordlist, targetslist
hydra -t 4 -L logins.txt -P passlist.txt -M targets.txt ssh

  • -o hydra_output.txt: Save output to file (valid passwords, login names & hosts)

  • -t 4: Limit the number of parallel tasks

  • -V: Verbose output

  • -s 2022: Custom SSH port

  • -e nsr: Additional checks: "n" empty password, "s" password same as username, "r" password is the reversed username

The userlist.txt and passlist.txt files are expected to be in the current working directory; otherwise specify their full path.


Links

# GitHub Page
https://github.com/fail2ban/fail2ban