Wazuh integration with Fail2ban

On November 23, 2023


What is fail2ban?

Fail2ban is an open-source software that provides a security application for servers by monitoring system logs for failed login attempts and other suspicious activities. When a user exceeds a specified number of failed logins attempts or performs any suspicious activity, Fail2ban automatically bans the user’s IP address for a specified amount of time. This helps to prevent brute-force attacks and other security threats on the server.

Fail2ban supports a wide range of services, including SSH, FTP, SMTP, HTTP, and many more. It uses regular expressions to analyze log files and identify patterns of suspicious behaviour. Fail2ban is highly customizable, allowing users to configure various parameters, such as the number of failed login attempts required for a ban and the duration of the ban.

Fail2ban is widely used in the Linux community and is considered an essential tool for securing servers against attacks. It is easy to install and configure, and it is compatible with most Linux distributions.

Architecture of blog

Linux Server

Wazuh Server/Cluster

Integration steps from data sources with POC

Install Fail2ban using apt

sudo apt-get install fail2ban

Change directory to fail2ban config

cd /etc/fail2ban/jail.d/

Create a new file for SSH named sshd.conf using vim

vim sshd.conf

and add these settings

[sshd]
enabled=true
port=22
logpath=/var/log/auth.log
maxretry=3
bantime=86400

Explanation

SSH listens on port 22 by default and its authentication logs are written to /var/log/auth.log. Fail2ban monitors that file for failed login entries; when the failed retries for a given source reach 3, that source is banned for 1 day (bantime is given in seconds, so 86400).

Install the Wazuh agent on the Linux server, add the Fail2ban log file path to the agent configuration, and restart the agent.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/fail2ban.log</location>
</localfile>


Integration steps from Wazuh's end with POC

Add decoders for the fail2ban service in the

<decoder name="fail2ban">
  <!-- Found lines are written by the fail2ban.filter logger while Ban/Unban
       lines come from fail2ban.actions; matching the literal "fail2ban."
       prefix lets the Ban and Unban rules below see their events -->
  <prematch>fail2ban.</prematch>
</decoder>
<decoder name="fail2ban-fields">
  <parent>fail2ban</parent>
  <!-- fields: everything up to "]:" , level, bracketed jail, action, IPv4 -->
  <regex>(\.+): (\S+) ([\S+]) (\S+) (\d+.\d+.\d+.\d+)</regex>
  <order>extra_data,severity,service,actiontaken,srcip</order>
</decoder>


Restart the manager

Use cases with dashboard

Adding fail2ban use cases

<group name="fail2ban">
  <rule id="100010" level="3">
    <decoded_as>fail2ban</decoded_as>
    <description>Fail2ban logs</description>
  </rule>
  <rule id="100011" level="10">
    <if_sid>100010</if_sid>
    <field name="actiontaken">Unban</field>
    <description>Fail2ban IP $(srcip) has been Unbanned from $(service)</description>
  </rule>
  <rule id="100012" level="7">
    <if_sid>100010</if_sid>
    <field name="actiontaken">Found</field>
    <description>Fail2ban IP $(srcip) has been Found to connect to $(service)</description>
  </rule>
  <rule id="100013" level="12">
    <if_sid>100010</if_sid>
    <field name="actiontaken">^Ban</field>
    <description>Fail2ban IP $(srcip) has been Banned due to multiple failed attempts in $(service)</description>
  </rule>
</group>
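Before restarting the manager it helps to know which rule each kind of fail2ban line will trigger. The script below is an added example, not part of the original post or of Wazuh: it emulates the decoder and the four rules above in Python over constructed fail2ban.log lines, and assumes a prematch of "fail2ban." so that both fail2ban.filter (Found) and fail2ban.actions (Ban/Unban) lines are decoded.

```python
import re

# Constructed sample lines in fail2ban.log format (not captured from a real host).
SAMPLE_LOGS = [
    "2023-11-23 10:15:01,120 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.10 - 2023-11-23 10:15:01",
    "2023-11-23 10:15:09,440 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.10",
    "2023-11-24 10:15:09,511 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.10",
    "2023-11-23 10:20:00,000 sshd[999]: Accepted publickey for alice from 198.51.100.7",
]

# Python re rendering of the page's <regex>. Wazuh's own OS_Regex dialect differs
# ('.' is literal there and '\.' means any character), so this is an emulation of
# the decoder, not the engine; \s+ tolerates the padded level name fail2ban writes.
FIELDS = re.compile(
    r"^(?P<extra_data>.+?): (?P<severity>\S+)\s+(?P<service>\[\S+\]) "
    r"(?P<actiontaken>\S+) (?P<srcip>\d+\.\d+\.\d+\.\d+)"
)

# Assumption: prematch on the literal prefix "fail2ban." so Ban/Unban lines
# (logger fail2ban.actions) are decoded as well as Found lines (fail2ban.filter).
PREMATCH = "fail2ban."

# Children of rule 100010: (rule id, level, regex on actiontaken, description).
CHILD_RULES = [
    (100011, 10, r"Unban", "Fail2ban IP $(srcip) has been Unbanned from $(service)"),
    (100012, 7, r"Found", "Fail2ban IP $(srcip) has been Found to connect to $(service)"),
    (100013, 12, r"^Ban", "Fail2ban IP $(srcip) has been Banned due to multiple failed attempts in $(service)"),
]


def decode(line):
    """Emulate decoder 'fail2ban' (prematch) plus child 'fail2ban-fields' (regex).
    None = prematch failed, {} = only the parent matched, else the five fields."""
    if PREMATCH not in line:
        return None
    m = FIELDS.search(line)
    return m.groupdict() if m else {}


def evaluate(line):
    """Return (rule_id, level, description) for the rule that fires, or None."""
    fields = decode(line)
    if fields is None:
        return None
    fired = (100010, 3, "Fail2ban logs")  # anything decoded_as fail2ban
    action = fields.get("actiontaken", "")
    for rule_id, level, pattern, template in CHILD_RULES:
        if re.search(pattern, action):  # <field> values are regexes; ^Ban excludes Unban
            desc = template.replace("$(srcip)", fields["srcip"]).replace("$(service)", fields["service"])
            fired = (rule_id, level, desc)
            break
    return fired
```

The authoritative check is to paste the same lines into /var/ossec/bin/wazuh-logtest on the manager and compare the decoded fields and rule id with this emulation.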


Make the following dashboard

Step-1

Conclusion

Fail2ban is a very good way to block brute-force attacks against SSH/Apache services and can be used for internet-facing servers that have no firewall in front of them.
