Basic question.
How can I install an upgraded version of Fail2Ban on my Ubuntu 12.04.5 LTS (Precise Pangolin) so I can have a recidive filter set? Ubuntu 12.04.5 LTS installs Fail2Ban 0.8.6 and I need Fail2Ban 0.8.7 to use the recidive filter.
More details.
I manage a bunch of Ubuntu 12.04.5 LTS (Precise Pangolin) servers and have installed Fail2Ban specifically to block repeated SSH brute force attempts. These attacks are targeted at root and the root user is disabled on all of these systems, but I just want to add another layer of protection to my mix as well as cut down on the added “noise” of having to sift through failed login attempts in my SSH auth.log.
Anyway, the version of Fail2Ban—version 0.8.6—that is installed for Ubuntu 12.04.5 LTS from the default repositories works great for the most part. But it seems to be missing support for blocking repeat offenders. And these servers are definitely getting a lot of persistent brute force attempts. So I want to make sure that these clowns are blocked for a longer time.
I checked this blog post titled, “Permanently Ban Repeat Offenders With fail2ban (UPDATED)” and it recommends using the recidive filter. The rest of that post shows how to set up a customized equivalent of recidive but I don’t have any desire to use a custom solution if a built in solution such as recidive exists.
But when I attempt to set the recidive filter in Fail2Ban 0.8.6 and restart the service, it fails saying the filter recidive doesn’t exist.
When I check the Fail2Ban changelog on GitHub I can see that recidive support was added around version 0.8.7:
Tom Hendrikx
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
repeated offenders. Close gh-19
Well, isn’t that special. I’m using 0.8.6 and version 0.8.7 has support for this.
So how can I easily install anything newer than Fail2Ban 0.8.6 on Ubuntu 12.04.5 LTS? I tried to install version 0.9.3 by cloning the GitHub repository, switching to the Debian branch (since Ubuntu is Debian-based) and it seemed to work. But the startup service didn’t work and it also seems like 0.9.3 won’t work with the version of IPTables I have installed in Ubuntu 12.04.5 LTS unless I tweak some config files or possibly upgrade IPTables itself.
Maybe there’s a way to tweak it all to work for Ubuntu 12.04.5 LTS but I don’t have the time or will to deal with that since all I want is recidive support and don’t care about anything else. What can I do?
After getting frustrated attempting to install Fail2Ban 0.9.3 from source, I searched for a custom PPA and found none. But then stumbled across the official Ubuntu package page for Fail2Ban and it gave me an idea. The official Ubuntu 14.10 (Utopic Unicorn) package for Fail2Ban is at version 0.8.13. Why not install that?
So I got rid of the Ubuntu 12.04.5 install of Fail2Ban like this:
Then I installed some Fail2Ban dependencies manually like this:
With that done, I grabbed the raw, source Ubuntu .deb archive for Fail2Ban 0.8.13 like this:
And then I installed it with dpkg like this:
When that was done, I checked the version of the stuff installed like this:
And it worked!
With Fail2Ban 0.8.13, I can now add a recidive filter to /etc/fail2ban/jail.local and everything works as expected.
NOTE: Please note, that while this all seems to work—and since this is a self-answered question—if anyone out there believes or suspects that this kind of setup of installing an Ubuntu 14.10 package into Ubuntu 12.04.5 is a problem waiting to happen, please let me know. Since Fail2Ban is all Python-based and it seems to work as expected now, I suspect this package was lightweight enough not to run into any problems. But let me know if my assumption is incorrect.
I had a similar issue. Am on Ubu 14.04.05 64-bit with the repo version Fail2ban v0.8.11.
Wanted v0.8.14, which is listed as "very-stable" on the main Fail2ban website.
Turns out you can just download the later version and run its setup.py to overwrite v0.8.11. There is no need to remove (uninstall) v0.8.11 nor do you need to install other dependencies. However, there's one gotcha which I will describe below.
Anyway here's my solution:
Install Fail2ban from repo, if you have not already done so
Check the Fail2ban version, then stop it
Download v0.8.14 from Github, untar
IMPORTANT, DO NOT SKIP THIS: Copy the current fail2ban.conf and jail.conf from /etc/fail2ban to somewhere safe. Create a new folder if needed. Don't worry about jail.local.
Run the setup.py for v0.8.14
Move the two .conf files you copied earlier back into /etc/fail2ban, overwriting the ones created by the v0.8.14 setup.
Start fail2ban, check version
As we did not do a "remove" of Fail2ban, there is no need to mess with the init or startup scripts; Fail2ban will still launch on reboot.
The backing up of .conf files is important because the v0.8.14 setup.py may generate invalid .conf files which will cause Fail2ban not to run. (It will likely quit with a "Have not found any log file" error)