Fail2ban

This document describes how to configure fail2ban with FMD Server.

Background

FMD Server already rate-limits login attempts at the application level, but only per user: after 5 failed login attempts, FMD Server locks the account in question and sends a push to the device informing the user about the intrusion attempt.

fail2ban complements this across all user accounts on an FMD Server instance, because it works per IP address. An IP that fails to log into many different accounts never trips the per-user lock, but fail2ban will detect it and block the IP.

This works because FMD Server logs the client IP address for every failed login attempt. fail2ban can be configured to parse these logs, extract the IP addresses, and block an IP address once it has sent too many failed login requests.

Inspecting syslog

The fail2ban configuration below assumes that FMD Server logs to syslog (the systemd journal) under the syslog identifier fmd-server. To view the logs, select either by identifier or by unit name (adjust the unit name to your installation); add -f to follow new entries:

journalctl -t fmd-server
journalctl -q _SYSTEMD_UNIT=fmd-server-prod.service

Forwarding the real IP

If you are running behind a reverse proxy, you must make sure that FMD Server can learn the real IP addresses of the clients. Otherwise, every request appears to come from the reverse proxy, and after a handful of failed logins fail2ban will ban your reverse proxy, locking out all users at once.

To do this:

  1. Set the RemoteIpHeader option in the config.yml to a header field name, for example X-Real-IP.
  2. Configure your reverse proxy to set this header field on every forwarded request to the IP address of the client making the request.
    • For example, in nginx: proxy_set_header X-Real-IP $remote_addr;

Only do this if all requests really pass through the proxy. If FMD Server is also reachable directly (for example on its own listening port), a client can send the X-Real-IP header itself, and fail2ban would then ban whatever address the client chose rather than the client. Firewall the FMD Server port so that only the proxy can reach it, and leave RemoteIpHeader unset if there is no proxy.

Configuring fail2ban

  1. Do all of the following as root!

  2. Install fail2ban. On Debian: sudo apt install fail2ban

  3. Install the filter, by creating the file /etc/fail2ban/filter.d/fmd-server.local with the following content:

    # Filter for FMD Server

    [INCLUDES]
    before = common.conf

    [Definition]
    # Optional port after ADDR
    failregex = ^.*"remoteIp":"<ADDR>:?\d*".*"message":"(?:failed|blocked) login attempt".*$

  4. Install the jail, by creating the file /etc/fail2ban/jail.d/fmd-server.local with the following content:

    # Jail for FMD Server

    [fmd-server]
    enabled = true
    # https://man.archlinux.org/man/jail.conf.5#systemd
    backend = systemd[journalflags=1]
    journalmatch = SYSLOG_IDENTIFIER=fmd-server

    The jail reads the systemd journal directly instead of a log file and only considers entries with the syslog identifier fmd-server. It inherits maxretry, findtime and bantime from the [DEFAULT] section of jail.conf (5 failures within 10 minutes, banned for 10 minutes, unless your distribution changed these); set those keys in the [fmd-server] section to tune them.

  5. Both the filter and the jail file should be owned by root:root and have permissions 0644.

  6. Restart fail2ban: sudo service fail2ban restart

  7. View the status of the fmd-server jail:

    $ sudo fail2ban-client status fmd-server
    Status for the jail: fmd-server
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     1
    |  `- Journal matches:  SYSLOG_IDENTIFIER=fmd-server
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   10.0.0.100

  8. Manually make some failing login attempts from another device, ideally from a network address you can afford to have banned, since a successful test cuts that address off for the duration of bantime. Inspect syslog and fail2ban-client to verify that they are detected. To lift a test ban early: sudo fail2ban-client set fmd-server unbanip 10.0.0.100
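As an added example, not FMD Server's or fail2ban's code and not taken from this page, the Python script below replays the filter regex and the jail's counting logic over constructed journal entries. It shows which lines the failregex matches, how the optional :port suffix is folded into the bare IP, why a per-user account lock does not stop a cross-account spray from being banned, how findtime decides whether slow attempts accumulate, and what happens behind a reverse proxy when RemoteIpHeader is not set. Assumptions: the <ADDR> tag is replaced by an IPv4-only pattern (fail2ban's real <ADDR> also handles IPv6); the JSON line shape is inferred from the failregex, with the "user" key and the "request completed" message made up for the sample; maxretry, findtime and bantime are modelled after fail2ban's jail options but use this example's own values.

```python
"""Replay of the fmd-server filter and jail logic over constructed log lines.

Added example: not FMD Server or fail2ban code. Assumptions are marked below.
"""
import re

# Stand-in for fail2ban's <ADDR> tag. Assumption: IPv4 only. fail2ban's real
# <ADDR> also matches IPv6 addresses, which this simplified pattern does not.
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the filter file, verbatim. The ":?\d*" after the address
# swallows an optional ":port", so "10.0.0.100:51234" and "10.0.0.100" both
# count against 10.0.0.100.
PAGE_FAILREGEX = (
    r'^.*"remoteIp":"<ADDR>:?\d*".*"message":"(?:failed|blocked) login attempt".*$'
)
FAILREGEX = re.compile(PAGE_FAILREGEX.replace("<ADDR>", ADDR))


def extract_ip(message):
    """Return the client IP of a failed/blocked login line, or None when the
    line does not match the filter (successful logins, unrelated lines, ...)."""
    m = FAILREGEX.match(message)
    return m.group("addr") if m else None


def ban_ips(journal, maxretry=5, findtime=600, bantime=3600):
    """Feed (timestamp_seconds, MESSAGE) journal entries through the jail logic.

    An IP is banned once it produces maxretry matching lines inside a
    findtime-second window. Returns {ip: ban_expiry_timestamp}. Assumption:
    the three parameters model fail2ban's jail options of the same names; the
    default values here are this example's, not fail2ban's.
    """
    recent = {}   # ip -> timestamps of matches still inside the findtime window
    banned = {}
    for ts, message in journal:
        ip = extract_ip(message)
        if ip is None or ip in banned:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts + bantime
    return banned


# Constructed journal entries: (seconds since epoch, MESSAGE field). Only the
# "remoteIp" and "message" keys matter to the filter; the "user" key and the
# "request completed" message are made up for this example.
T0 = 1_700_000_000
SAMPLE_JOURNAL = [
    # 10.0.0.100 sprays five different accounts within 40 seconds: banned.
    # 10.0.0.7 fails four times, then once more after findtime: not banned.
    (T0 + 0,   '{"remoteIp":"10.0.0.100:51234","user":"alice","message":"failed login attempt"}'),
    (T0 + 5,   '{"remoteIp":"10.0.0.7","user":"alice","message":"failed login attempt"}'),
    (T0 + 10,  '{"remoteIp":"10.0.0.100:51235","user":"bob","message":"failed login attempt"}'),
    (T0 + 15,  '{"remoteIp":"10.0.0.7","user":"alice","message":"failed login attempt"}'),
    (T0 + 20,  '{"remoteIp":"10.0.0.100:51236","user":"carol","message":"failed login attempt"}'),
    (T0 + 25,  '{"remoteIp":"10.0.0.7","user":"alice","message":"failed login attempt"}'),
    (T0 + 30,  '{"remoteIp":"10.0.0.100:51237","user":"dave","message":"failed login attempt"}'),
    (T0 + 35,  '{"remoteIp":"10.0.0.7","user":"alice","message":"failed login attempt"}'),
    # alice is already locked by FMD Server's per-user limit; still a hit.
    (T0 + 40,  '{"remoteIp":"10.0.0.100:51238","user":"alice","message":"blocked login attempt"}'),
    (T0 + 50,  '{"remoteIp":"10.0.0.55","user":"erin","message":"request completed"}'),
    (T0 + 700, '{"remoteIp":"10.0.0.7","user":"alice","message":"failed login attempt"}'),
]

# Behind a proxy without RemoteIpHeader, every line carries the proxy's own
# address, so the proxy itself is banned after maxretry failures from anyone.
PROXY_JOURNAL = [
    (T0 + 10 * i,
     '{"remoteIp":"127.0.0.1:%d","user":"user%d","message":"failed login attempt"}'
     % (40000 + i, i))
    for i in range(5)
]


if __name__ == "__main__":
    print("bans:", ban_ips(SAMPLE_JOURNAL))
    print("bans with findtime=3600:", ban_ips(SAMPLE_JOURNAL, findtime=3600))
    print("bans behind a proxy without RemoteIpHeader:", ban_ips(PROXY_JOURNAL))
```

Run it with python3. The fail2ban-regex command in the Debugging section performs the same matching against the real journal; this script is only a way to reason about the regex and the jail parameters without touching the live system.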

Debugging

To test the filter regex against the entries currently in the journal (the square brackets are quoted so the shell does not treat them as a glob):

sudo fail2ban-regex -v --journalmatch='SYSLOG_IDENTIFIER="fmd-server"' 'systemd-journal[journalflags=1]' fmd-server

The output reports how many journal lines matched the failregex and which IP addresses were extracted. fail2ban-regex also accepts a single log line as its first argument in place of systemd-journal, which is convenient for checking one line copied from journalctl.