Home / server / Questions / 1031390
In Process
Rohit Gavval
Asked: 2020-08-26 02:22:54 +0800 CST

How does blocking specific ports with fail2ban compare against blocking all ports?

  • 772

I am setting up fail2ban for my EC2 instances, each of which have different services running. Hence, I am configuring the jails specifically for each service. I have two questions (for which I could not find an answer elsewhere):

  1. If an IP gets blocked by fail2ban for failed authentication against one port, will that user still be able to get in through other open ports?
  2. How does blocking specific ports compare against blocking all ports using the configuration mentioned here? Wouldn't it be more secure to block all open ports since ultimately I do not want the hacker to get in?
fail2ban intrusion-prevention

1 Answers

  1. (Assuming the OS is Linux)

    fail2ban is a well made tool, blessed with a high level of configuration.

    On Linux Ubuntu, the configuration is in /etc/fail2ban

    Question 1

    Unless you change the configuration, only the port(s) mentioned in jail.conf for the particular service will be blocked.

    Question 2

    You could also block all ports. It depends on the level of security you want, but blocking all ports can have drawbacks.

    Personally, I prefer to block only the port that has been abused. Because

    • if other ports are also abused (and if they're declared in jail.conf), they'll be blocked as well
    • some IP addresses are shared by a whole company, or many people ; so by blocking all ports for an abuse of ssh, you will prevent everybody on that address to access http/s for instance
    • you might also be affected by a total blocking. For instance you make a few password mistakes using ssh, and another port that would allow a different access, from the provider for instance, won't be accessible.

    To block more, or all ports, you can modify the jail.conf file.

    Some of the default attributes are, (in [DEFAULT])

    # "bantime" is the number of seconds that a host is banned.
bantime  = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# Ports to be banned (Usually should be overridden in a particular jail)
port = 0:65535

    i.e., all ports.

    For [sshd] for instance (and all services) port is redefined

    [sshd]
port    = ssh

    You could simply comment out the port line to be back to the defaults, but I'd add a comment, and a new port line for easier maintenance (other people / you in 3 years)

    [sshd]
# 25 Aug 2020 Rohit, block all ports
#port    = ssh
port = 0:65535

    Changing the default

    You will see in the action.d directory the list of possible actions. The default in jail.conf,

    banaction = iptables-multiport

    that can also be changed to

    banaction = iptables-allports

    that would affect all services not redefining banaction.

    Restarting fail2ban

    Then restart the service, for systemd

    systemctl restart fail2ban.service

    or

    service fail2ban restart

    (FYI, the filter.d directory lists for each service the way fail2ban detects an intrusion attempt)

    Check also the comments below that may provide valuable information.

    • 1