fail2ban automatic Intrusion Detection and Prevention software

fail2ban IPS/IDS works on any Linux server and protects your system by automatically adding a firewall block for anyone trying to access your server maliciously, blocking their public IP for a set period or indefinitely.

The ban can be extended, and the number of invalid passwords or invalid page requests that triggers it can be adjusted to tighten the prevention of abuse of the server.

Install fail2ban using your favorite package manager

apt-get install fail2ban
yum install fail2ban

service fail2ban start

show firewall rules including any blocked IPs:

root@someserver:/etc/fail2ban/jail.d# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 148.252.128.163 anywhere reject-with icmp-port-unreachable <---- Banned IP for jail sshd
RETURN all -- anywhere anywhere

Remove the banned IP from iptables
!*** However, this leaves the IP still listed in fail2ban and it won't be blocked again, so see the next section

root@someserver:/etc/fail2ban/jail.d# iptables -D f2b-sshd 1

Need to remove this from fail2ban

<pre>root@someserver:/etc/fail2ban/jail.d# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
</pre>

list the contents of the jail

root@someserver:/etc/fail2ban/jail.d# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 11
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 148.252.128.163

unban ip
fail2ban-client set sshd unbanip 148.252.128.163

check the ban is off

tail -f /var/log/fail2ban.log
2018-06-30 09:09:03,416 fail2ban.actions [18644]: NOTICE [sshd] Unban 148.252.128.163
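
The caveat above (a rule deleted by hand with iptables -D leaves the IP listed in fail2ban) can be checked for directly. The following is an added example, not part of the original post: it compares the banned list from fail2ban-client with the rules in the jail's chain and prints any IP that fail2ban counts as banned but the firewall no longer blocks. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list IPs that fail2ban reports as banned but that have no
# REJECT/DROP rule in the jail's iptables chain (e.g. after `iptables -D`).
# Function names and the sample data below are constructed for illustration.

# Read `fail2ban-client status <jail>` text on stdin, print one banned IP per line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Read `iptables -n -L f2b-<jail>` text on stdin, print blocked IPv4 sources.
# Columns are: target prot opt source destination, so the source is field 4.
chain_ips() {
    awk '($1 == "REJECT" || $1 == "DROP") && $4 ~ /^[0-9]/ { print $4 }' | sort -u
}

# $1 = fail2ban-client status text, $2 = iptables chain listing.
# Prints every IP fail2ban lists as banned that the chain does not block.
ban_drift() {
    status_text=$1
    chain_text=$2
    printf '%s\n' "$status_text" | banned_ips | while read -r ip; do
        printf '%s\n' "$chain_text" | chain_ips | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample: two IPs banned in fail2ban, only one rule left in the chain.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 11
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list: 192.0.2.10 198.51.100.7'

SAMPLE_CHAIN='Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

ban_drift "$SAMPLE_STATUS" "$SAMPLE_CHAIN"   # prints 192.0.2.10

# On a live host (as root):
#   ban_drift "$(fail2ban-client status sshd)" "$(iptables -n -L f2b-sshd)"
```

Each address it prints can then be cleared from fail2ban with the unbanip command shown above, after which a new offence will be banned again.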

When testing and using an invalid user and password using ssh, it triggers regex 3 times:

2018-06-30 09:10:52,845 fail2ban.filter [18644]: INFO [sshd] Found 148.252.128.163
2018-06-30 09:11:00,098 fail2ban.filter [18644]: INFO [sshd] Found 148.252.128.163
2018-06-30 09:11:06,266 fail2ban.filter [18644]: INFO [sshd] Found 148.252.128.163
2018-06-30 09:11:06,274 fail2ban.actions [18644]: NOTICE [sshd] Ban 148.252.128.163 <---- Ban enforced after 3 retries (maxretry)

The default for ssh is 5 retries in 60 seconds. I have decreased this to 3 by adding the entry ‘maxretry = 3’ to a file in /etc/fail2ban/jail.d

Further Details and full list of commands
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options

How to Manually Unblock / Unban IP Address in fail2ban

Changing WordPress Author of Article from Admin user

It's not good practice to list the authors of a WordPress article, especially if they are an admin user of WordPress. This would give a hacker a valid username; they can then attempt to guess the password and gain full access to the WordPress site.

Should you need to change the name of the author who wrote an article or ‘post’ in WordPress, here are the database SQL statements to do that:

  • Log in to the MySQL database on the Linux command line as the WordPress user: mysql -uwpressuser -p wordpressdb
  • Find the list of users and their author IDs

select * from wp_users;

  • Then find list of articles and list by author with id 1

select ID,post_author, post_date, post_title from wp_posts where post_author=1;

Finally, to alter the post's author ID to an alternative non-admin user:

update wp_posts SET post_author=5 where ID=238;

If you would like to remove the user's name altogether from future posts, read this