How does blocking specific ports with fail2ban compare against blocking all ports

Tags: fail2ban, intrusion-prevention

I am setting up fail2ban for my EC2 instances, each of which has different services running. Hence, I am configuring the jails specifically for each service. I have two questions (for which I could not find an answer elsewhere):

  1. If an IP gets blocked by fail2ban for failed authentication against one port, will that user still be able to get in through other open ports?
  2. How does blocking specific ports compare against blocking all ports using the configuration mentioned here? Wouldn't it be more secure to block all open ports since ultimately I do not want the hacker to get in?

Best Answer

(Assuming the OS is Linux)

fail2ban is a well made tool, blessed with a high level of configuration.

On Linux Ubuntu, the configuration is in /etc/fail2ban.

Question 1

Unless you change the configuration, only the port(s) mentioned in jail.conf for the particular service will be blocked.

Question 2

You could also block all ports. It depends on the level of security you want, but blocking all ports can have drawbacks.

Personally, I prefer to block only the port that has been abused, because:

  • if other ports are also abused (and if they're declared in jail.conf), they'll be blocked as well
  • some IP addresses are shared by a whole company, or many people; so by blocking all ports for an abuse of ssh, you will prevent everybody on that address from accessing http/s, for instance
  • you might also be affected by a total blocking. For instance, you make a few password mistakes using ssh, and another port that would allow a different access (from the provider, for instance) won't be accessible.

To block more, or all ports, you can modify the jail.conf file.

Some of the default attributes are (in [DEFAULT]):

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# Ports to be banned (Usually should be overridden in a particular jail)
port = 0:65535

i.e., all ports.

For [sshd], for instance (and all services), port is redefined:

[sshd]
port    = ssh

You could simply comment out the port line to go back to the defaults, but I'd add a comment and a new port line for easier maintenance (for other people, or for you in 3 years):

[sshd]
# 25 Aug 2020 Rohit, block all ports
#port    = ssh
port = 0:65535

Changing the default

You will see in the action.d directory the list of possible actions. The default in jail.conf is

banaction = iptables-multiport

which can also be changed to

banaction = iptables-allports

which would affect all services not redefining banaction.

Restarting fail2ban

Then restart the service; for systemd:

systemctl restart fail2ban.service

or

service fail2ban restart

(FYI, the filter.d directory lists for each service the way fail2ban detects an intrusion attempt)

Check also the comments below that may provide valuable information.
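After edits like the ones in the answer it is easy to lose track of which jails still ban a single port and which now ban the whole host, either through port = 0:65535 or through an *-allports banaction. The following added example (not from the answer or from the fail2ban project) reads a jail.conf-style text with Python's configparser, which applies [DEFAULT] inheritance to these keys the same way fail2ban does, and reports each enabled jail's effective port and banaction. The sample config is constructed; real fail2ban additionally merges jail.local and jail.d/*.conf, which this does not.

```python
import configparser

# Constructed sample in jail.conf style: DEFAULT bans all ports, sshd
# overrides the port (as shipped), nginx-http-auth inherits everything,
# postfix keeps its ports but switches to the allports action.
SAMPLE_JAIL_CONF = """
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
# Ports to be banned (Usually should be overridden in a particular jail)
port = 0:65535
banaction = iptables-multiport

[sshd]
enabled = true
port    = ssh

[nginx-http-auth]
enabled = true

[postfix]
enabled = true
port = smtp,465,submission
banaction = iptables-allports
"""

def effective_ban_scope(text: str) -> dict[str, dict]:
    """Per enabled jail, the effective port and banaction after [DEFAULT]
    inheritance, plus whether a ban would cover every port of the host."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    result = {}
    for jail in cp.sections():  # sections() never includes [DEFAULT]
        if cp.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        port = cp.get(jail, "port", fallback="")
        banaction = cp.get(jail, "banaction", fallback="iptables-multiport")
        # Either a full port range or an *-allports action bans the whole host.
        all_ports = port.strip() == "0:65535" or banaction.endswith("-allports")
        result[jail] = {"port": port, "banaction": banaction, "all_ports": all_ports}
    return result

def jails_banning_all_ports(text: str) -> list[str]:
    return sorted(j for j, v in effective_ban_scope(text).items() if v["all_ports"])

if __name__ == "__main__":
    for jail, v in effective_ban_scope(SAMPLE_JAIL_CONF).items():
        print(f"{jail:17} port={v['port']:20} banaction={v['banaction']:20} all_ports={v['all_ports']}")
```

Run against the sample it reports nginx-http-auth and postfix as host-wide bans and sshd as port-only, which is exactly the distinction the answer's second point is about.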