How to use Fail2ban

Ban malicious software by example

(KJH) Kuan-Jung, Huang
4 min read, Feb 23, 2023

What is Fail2ban

Fail2ban is an open-source software tool used for monitoring log files and banning IP addresses that show malicious signs, such as too many failed login attempts. It is commonly used as a security measure to protect servers against brute-force attacks and other types of malicious activity.

Fail2ban works by monitoring log files generated by services such as SSH, Apache, and others, and whenever it detects a pattern of unsuccessful login attempts or other malicious activity, it will automatically ban the IP address responsible by adding it to the firewall rules. The banned IP addresses are then un-banned after a certain amount of time has passed, or when the log files show no further malicious activity.

Fail2ban is highly configurable, allowing administrators to specify the log files to be monitored, the patterns to look for, the IP addresses to ban, and the length of time the ban will remain in place. With its ease of use and high level of customization, it is a popular tool for securing servers and protecting against malicious activity.

Example for banning Tor

While Tor (The Onion Router) was designed with the goal of providing privacy and anonymity for users on the internet, there are also some potentially harmful aspects of the Tor network. Some individuals and organizations have used the network to distribute malware, viruses, and other harmful software. This is particularly dangerous for users who may unwittingly download and install malicious software while using the Tor network.

  1. Exploits and vulnerabilities: The Tor network and its associated software are not immune to exploits and vulnerabilities. Attackers have been known to target weaknesses in the network or in individual nodes, which can allow them to view and potentially intercept user data.
  2. Exit node eavesdropping: One potential weakness of the Tor network is that the data being transmitted can be intercepted by malicious actors who are running exit nodes. An exit node is the last node in the chain of nodes that a user’s data passes through before it reaches its destination. If the operator of an exit node is malicious, they could potentially view and even modify the data that is being transmitted.

If your server has been targeted by hackers, you may find evidence of malicious software associated with the Tor network. For example, you might discover processes named “kdevtmpfsi” or “bitlz64”: these are mining programs that can consume your entire CPU or generate a high volume of outgoing network traffic. If you are using a cloud provider, this malicious software can result in unexpectedly high charges.

To keep Tor exit nodes away from your server, do the following:

Install fail2ban, then edit its configuration file /etc/fail2ban/jail.local and paste in the following section:

[tor]
enabled = true
# how long each imported address stays banned
bantime = 25h
# iptables-allports blocks the address on every port, not just one service
action = iptables-allports[name=fail2banTOR, protocol=all]

Then create (or update) the file /etc/systemd/system/fail2ban.service.d/limits.conf with:

[Service]
# raise the open-file limit for the fail2ban service
LimitNOFILE=2048

Then run sudo systemctl daemon-reload and sudo service fail2ban restart so that fail2ban picks up the changes.

Finally, you need to import the known Tor exit-node IPs provided by the torbulkexitlist. The following script is based on this gist:

curl -fsSL "https://check.torproject.org/torbulkexitlist" | sed '/^#/d' | while IFS= read -r IP; do
    sudo fail2ban-client set "tor" banip "$IP"
done

You can then run fail2ban-client status tor to check that the IPs were correctly imported into the ban list.
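The one-liner above passes every non-comment line of the feed straight to fail2ban-client. Below is an added example (not code from the original post or the gist it refers to) that does the same import with two safeguards: each line is validated as an IPv4 address before it reaches fail2ban-client, and a dry-run mode (the default) only prints the commands. It assumes the [tor] jail from the section above exists and that fail2ban-client is on PATH when DRY_RUN=0; the sample feed at the bottom is constructed for illustration and contains no real exit nodes.

```shell
#!/bin/sh
# Added example, not code from the original post or the gist it refers to.
# Imports the Tor exit-node list into the "tor" jail with validation and a dry-run mode.
# Assumptions: the [tor] jail configured above exists; fail2ban-client is on PATH when
# DRY_RUN=0; the URL is the same torbulkexitlist the post uses.

EXIT_LIST_URL="https://check.torproject.org/torbulkexitlist"
JAIL="${JAIL:-tor}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the commands (safe default), 0 = really ban

# Strip comments and whitespace, then keep only dotted-quad IPv4 addresses whose four
# octets are all in 0-255. Blank lines and anything else in the feed are dropped.
filter_exit_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            if (o[1]+0 <= 255 && o[2]+0 <= 255 && o[3]+0 <= 255 && o[4]+0 <= 255) print
        }'
}

# Ban each address read from stdin; prints one line per address so the result can be
# reviewed (or counted) whether or not fail2ban-client actually ran.
ban_ips() {
    while IFS= read -r ip; do
        if [ "$DRY_RUN" = 1 ] || ! command -v fail2ban-client >/dev/null 2>&1; then
            echo "dry-run: fail2ban-client set $JAIL banip $ip"
        elif fail2ban-client set "$JAIL" banip "$ip" >/dev/null; then
            echo "banned $ip"
        else
            echo "failed to ban $ip" >&2
        fi
    done
}

# Fetch the live list (curl, as in the post) and run it through the two steps above.
import_live_list() {
    curl -fsSL "$EXIT_LIST_URL" | filter_exit_list | ban_ips
}

# Constructed sample feed (not real exit nodes): a comment, three valid addresses,
# an address with an out-of-range octet, a non-address and a blank line.
SAMPLE_LIST='# constructed sample: comment line
192.0.2.10
198.51.100.7
999.1.1.1
not-an-ip

   203.0.113.99   '

# Demonstrate the validation on the sample; only the three valid addresses survive.
printf '%s\n' "$SAMPLE_LIST" | filter_exit_list | ban_ips

# Set IMPORT_LIVE=1 (and DRY_RUN=0, as root) to import the real list.
if [ "${IMPORT_LIVE:-0}" = 1 ]; then
    import_live_list
fi
```

Run it as-is to see which sample lines pass validation, then as root with IMPORT_LIVE=1 DRY_RUN=0 to import the live list; fail2ban-client status tor afterwards shows the resulting ban list, as the post describes. Because the exit-node list changes over time, the import is worth scheduling (for example from cron) at an interval shorter than the jail's bantime so the bans do not silently expire.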

Note

If you look at the gist mentioned above, it contains a step that creates a dummy file. It is not necessary to add a dummy file /etc/fail2ban/filter.d/tor.conf in order to use Fail2ban; in fact, this is not a recommended practice.

If you want to protect your server from malicious activity coming from the Tor network, you should create a filter that matches the relevant log entries and specify the actions to be taken when a match is detected. You can create a new filter file in /etc/fail2ban/filter.d/ with a .conf extension and configure it according to your requirements. For example, you could create a filter file /etc/fail2ban/filter.d/tor.conf that matches log entries related to unauthorized access attempts, so that the offending IP addresses get banned.

It’s important to note that the filter file is just one part of the overall Fail2ban configuration, and that you should also configure the relevant jail file to use the filter and specify the desired actions to be taken. The jail file is typically located in /etc/fail2ban/jail.conf or in a separate file in the /etc/fail2ban/jail.d/ directory.
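As an added example (not code from the original post or from the Fail2ban project), the script below writes the two pieces just described, a filter file and a jail that references it, and then checks the filter's failregex against constructed log lines with grep, so the pattern can be tried without a running Fail2ban. The target directory, the OpenSSH "Failed password" regex, the logpath, maxretry and findtime values are all assumptions chosen for illustration; the bantime and action are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Fail2ban project.
# Writes filter.d/tor.conf and jail.d/tor.local, then checks the failregex locally.
# Assumptions: FAIL2BAN_DIR defaults to a throw-away temp directory (dry run); set
# FAIL2BAN_DIR=/etc/fail2ban (as root) to install for real. The regex matches OpenSSH
# "Failed password" lines in /var/log/auth.log, standing in for "unauthorized access
# attempts"; adapt it to the log lines your server actually produces.

FAIL2BAN_DIR="${FAIL2BAN_DIR:-$(mktemp -d)}"

# The pattern is split around <HOST> so the same text can be written to the filter
# (Fail2ban substitutes <HOST> itself) and tested here with an explicit IPv4 regex.
# Only syntax shared by Python's re module and POSIX ERE is used, so grep -E can check it.
RE_PREFIX='^.*sshd\[[0-9]+\]: Failed password for (invalid user )?[^ ]+ from '
RE_SUFFIX=' port [0-9]+ ssh2$'
HOST_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

write_tor_filter() {
    dir="$1"
    mkdir -p "$dir/filter.d" "$dir/jail.d"
    # Filter: <HOST> marks the client address Fail2ban bans when a line matches.
    cat > "$dir/filter.d/tor.conf" <<EOF
[Definition]
failregex = ${RE_PREFIX}<HOST>${RE_SUFFIX}
ignoreregex =
EOF
    # Jail using the filter; logpath, maxretry and findtime are assumed values.
    cat > "$dir/jail.d/tor.local" <<'EOF'
[tor]
enabled  = true
filter   = tor
logpath  = /var/log/auth.log
maxretry = 3
findtime = 10m
bantime  = 25h
action   = iptables-allports[name=fail2banTOR, protocol=all]
EOF
}

# Return 0 if the line would be caught by the failregex, 1 otherwise.
matches_failregex() {
    printf '%s\n' "$1" | grep -Eq "${RE_PREFIX}${HOST_RE}${RE_SUFFIX}"
}

# Constructed log lines (not real data): one failed login, one successful one.
FAILED_LINE='Feb 23 10:15:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2'
ACCEPTED_LINE='Feb 23 10:15:02 host sshd[1235]: Accepted publickey for deploy from 192.0.2.10 port 51235 ssh2'

write_tor_filter "$FAIL2BAN_DIR"
echo "wrote $FAIL2BAN_DIR/filter.d/tor.conf and $FAIL2BAN_DIR/jail.d/tor.local"
matches_failregex "$FAILED_LINE"   && echo "failed login line: match (198.51.100.7 would be banned)"
matches_failregex "$ACCEPTED_LINE" || echo "accepted login line: no match (correct)"
```

After installing the files for real, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/tor.conf reports how many lines of the actual log the regex matches, which is the check to run before reloading Fail2ban; a filter that matches nothing bans nothing, and one that matches too loosely bans legitimate clients. With this jail in place the exit-node addresses can still be added to it with fail2ban-client set tor banip, as in the import step above.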

It’s also worth noting that there are some pre-existing Tor filters available that you can use as a starting point. You can find these filters online or in the Fail2ban documentation.
