Linux – How to upgrade Fail2Ban in Ubuntu 12.04.5 LTS to get the “recidive” filter installed

Tags: debian, fail2ban, linux, ssh, Ubuntu

Basic question.

How can I install an upgraded version of Fail2Ban on my Ubuntu 12.04.5 LTS (Precise Pangolin) so I can have a recidive filter set? Ubuntu 12.04.5 LTS installs Fail2Ban 0.8.6 and I need Fail2Ban 0.8.7 to use the recidive filter.

More details.

I manage a bunch of Ubuntu 12.04.5 LTS (Precise Pangolin) servers and have installed Fail2Ban specifically to block repeated SSH brute force attempts. These attacks are targeted at root and the root user is disabled on all of these systems, but I just want to add another layer of protection to my mix as well as cut down on the added “noise” of having to sift through failed login attempts in my SSH auth.log.

Anyway, the version of Fail2Ban—version 0.8.6—that is installed for Ubuntu 12.04.5 LTS from the default repositories works great for the most part. But it seems to be missing support for blocking repeat offenders. And these servers are definitely getting a lot of persistent brute force attempts. So I want to make sure that these clowns are blocked for a longer time.

I checked this blog post titled, “Permanently Ban Repeat Offenders With fail2ban (UPDATED)” and it recommends using the recidive filter. The rest of that post shows how to set up a customized equivalent of recidive but I don’t have any desire to use a custom solution if a built-in solution such as recidive exists.

But when I attempt to set the recidive filter in Fail2Ban 0.8.6 and restart the service, it fails saying the filter recidive doesn’t exist.

When I check the Fail2Ban changelog on GitHub I can see that recidive support was added around version 0.8.7:

Tom Hendrikx
 * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
   repeated offenders. Close gh-19

Well, isn’t that special. I’m using 0.8.6 and version 0.8.7 has support for this.

So how can I easily install anything newer than Fail2Ban 0.8.6 on Ubuntu 12.04.5 LTS? I tried to install version 0.9.3 by cloning the GitHub repository, switching to the Debian branch (since Ubuntu is Debian-based) and it seemed to work. But the startup service didn’t work and it also seems like 0.9.3 won’t work with the version of IPTables I have installed in Ubuntu 12.04.5 LTS unless I tweak some config files or possibly upgrade IPTables itself.

Maybe there’s a way to tweak it all to work for Ubuntu 12.04.5 LTS but I don’t have the time or will to deal with that since all I want is recidive support and don’t care about anything else. What can I do?

Best Answer

After getting frustrated attempting to install Fail2Ban 0.9.3 from source, I searched for a custom PPA and found none. But then I stumbled across the official Ubuntu package page for Fail2Ban and it gave me an idea. The official Ubuntu 14.10 (Utopic Unicorn) package for Fail2Ban is at version 0.8.13. Why not install that?

So I got rid of the Ubuntu 12.04.5 install of Fail2Ban like this:

sudo aptitude purge fail2ban

Then I installed some Fail2Ban dependencies manually like this:

sudo aptitude install gamin libgamin0 python-central python-gamin python-support

With that done, I grabbed the raw, source Ubuntu .deb archive for Fail2Ban 0.8.13 like this:

curl -O -L http://old-releases.ubuntu.com/ubuntu/pool/universe/f/fail2ban/fail2ban_0.8.13-1_all.deb

And then I installed it with dpkg like this:

sudo dpkg -i fail2ban_0.8.13-1_all.deb

When that was done, I checked the version of the stuff installed like this:

fail2ban-client --version

And it worked!

Fail2Ban v0.8.13

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.

With Fail2Ban 0.8.13, I can now add a recidive filter to /etc/fail2ban/jail.local and everything works as expected.

NOTE: Please note that while this all seems to work—and since this is a self-answered question—if anyone out there believes or suspects that this kind of setup of installing an Ubuntu 14.10 package into Ubuntu 12.04.5 is a problem waiting to happen, please let me know. Since Fail2Ban is all Python-based and it seems to work as expected now, I suspect this package was lightweight enough not to run into any problems. But let me know if my assumption is incorrect.
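
The recidive jail enabled in the answer above works by reading Fail2Ban's own log and counting Ban entries written by the other jails. The following is an added example, not part of the original answer and not Fail2Ban's own code, that applies the same counting rule to log lines. The line format is assumed to match Fail2Ban 0.8.x output; the sample lines, the `repeat_offenders` helper and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the assumed Fail2Ban 0.8.x log format.
SAMPLE_LOG = """\
2015-10-01 02:10:11,120 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2015-10-01 02:20:11,480 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2015-10-01 03:05:42,007 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2015-10-01 04:00:00,310 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2015-10-01 09:41:30,655 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2015-10-01 11:00:02,000 fail2ban.actions: WARNING [recidive] Ban 192.0.2.10
2015-10-03 12:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2015-10-05 12:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
"""

# Matches only "Ban" actions; "Unban" lines do not match.
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.actions"
    r"(?:\[\d+\])?:\s+WARNING\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def repeat_offenders(log_text, maxretry=3, findtime=86400, own_jail="recidive"):
    """Return {ip: time of the ban that reached maxretry within findtime}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> ban timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        # Skip non-Ban lines and the jail's own bans, so it never feeds itself.
        if not m or m.group("jail") == own_jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        bans = recent[m.group("ip")]
        bans.append(ts)
        while ts - bans[0] > window:  # drop bans older than findtime
            bans.popleft()
        if len(bans) >= maxretry and m.group("ip") not in flagged:
            flagged[m.group("ip")] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the repeat-offender threshold at {when}")
```

With the one-day window only 192.0.2.10 is flagged; 198.51.100.7 is banned three times but days apart, so it is caught only when `findtime` is widened.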