Differences

This shows you the differences between two versions of the page.

--- fail2ban [2009/06/18 07:56] – k2patel
+++ fail2ban [2020/08/10 02:35] (current) – external edit 127.0.0.1
@@ Line 31: / Line 31: @@
 logpath - where fail2ban look for log
 </code>
+Sample Config file
+<code bash | /etc/fail2ban/jail.conf >
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 617 $
+#
+# The DEFAULT allows a global definition of the options. They can be override
+# in each jail afterwards.
+[DEFAULT]
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1 192.168.1.4
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 600
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 600
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 3
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto". This option can be overridden in
+# each jail too (use "gamin" for a jail and "polling" for another).
+#
+# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
+#          is not installed, Fail2ban will use polling.
+# polling: uses a polling algorithm which does not require external libraries.
+# auto:    will choose Gamin if available and polling otherwise.
+backend = auto
+[ssh-iptables]
+enabled  = true
+filter   = sshd
+action   = iptables-new[name=SSH, port=ssh, protocol=tcp]
+           sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
+logpath  = /var/log/secure
+maxretry = 5
+[kernel-iptables]
+enabled  = true
+filter   = kernel
+action   = iptables-allports[name=kernel, protocol=all]
+           sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
+logpath  = /var/log/messages
+maxretry = 2
+[proftpd-iptables]
+enabled  = true
+filter   = proftpd
+action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
+           sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
+logpath  = /var/log/secure
+maxretry = 6
+[sasl-iptables]
+enabled  = true
+filter   = sasl
+backend  = polling
+action   = iptables[name=sasl, port=smtp, protocol=tcp]
+           sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
+logpath  = /var/log/maillog
+[apache-tcpwrapper]
+enabled  = true
+filter   = apache-auth
+action   = hostsdeny
+logpath  = /var/log/httpd/*error_log
+maxretry = 6
+[postfix-tcpwrapper]
+enabled  = true
+filter   = postfix
+action   = hostsdeny
+           sendmail[name=Postfix, dest=receiver@lithiumfox.com]
+logpath  = /var/log/maillog
+bantime  = 300
+[courierpop3]
+enabled  = true
+port     = pop3
+filter   = courierlogin
+action   = iptables[name=%(__name__)s, port=%(port)s]
+logpath  = /var/log/maillog
+maxretry = 5
+[courierimap]
+enabled  = true
+port     = imap2
+filter   = courierlogin
+action   = iptables[name=%(__name__)s, port=%(port)s]
+logpath  = /var/log/maillog
+maxretry = 5
+[ssh-tcpwrapper]
+enabled     = false
+filter      = sshd
+action      = hostsdeny
+              sendmail-whois[name=SSH, dest=you@mail.com]
+ignoreregex = for myuser from
+logpath     = /var/log/secure
+[vsftpd-notification]
+enabled  = false
+filter   = vsftpd
+action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
+logpath  = /var/log/secure
+maxretry = 5
+bantime  = 1800
+[vsftpd-iptables]
+enabled  = false
+filter   = vsftpd
+action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
+           sendmail-whois[name=VSFTPD, dest=you@mail.com]
+logpath  = /var/log/secure
+maxretry = 5
+bantime  = 1800
+[apache-badbots]
+enabled  = false
+filter   = apache-badbots
+action   = iptables-multiport[name=BadBots, port="http,https"]
+           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
+logpath  = /var/log/httpd/*access_log
+bantime  = 172800
+maxretry = 1
+[apache-shorewall]
+enabled  = false
+filter   = apache-noscript
+action   = shorewall
+           sendmail[name=Apache, dest=you@mail.com]
+logpath  = /var/log/httpd/error_log
+[ssh-ipfw]
+enabled  = false
+filter   = sshd
+action   = ipfw[localhost=192.168.0.1]
+           sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
+logpath  = /var/log/secure
+ignoreip = 168.192.0.1
+[named-refused-udp]
+enabled  = false
+filter   = named-refused
+action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
+logpath  = /var/log/secure
+ignoreip = 168.192.0.1
+[named-refused-tcp]
+enabled  = false
+filter   = named-refused
+action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
+logpath  = /var/log/secure
+ignoreip = 168.192.0.1
+</code>
+NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\
+which require you to create new file as below.
+<code bash | /etc/fail2ban/filter.d/kernel.conf>
+# Fail2Ban configuration file
+#
+# Author: K2patel
+#
+# $Revision: 1 $
+#
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = Treason uncloaked! Peer <HOST>:.*$
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+</code>
+Restart service now
+<code bash>
+/etc/init.d/fail2ban restart
+</code>
+==== Issue && Fixes ====
+== My server did not get started ==
+First thing try to run your server from command line.\\
+usually following command will do it.\\
+<code bash>
+/usr/bin/fail2ban-client -c /etc/fail2ban start
+</code>
+this will print the errors on your screen.\\
+resolve error or google it if dont know how to.
+== Sock file is not get removed during start ==
+check if this file exists.
+<code bash>
+/var/run/fail2ban/fail2ban.sock
+</code>
+Your can fix that issue by adding -x in your startup script.\\
+This issue appear if your fail2ban is get started using "fail2ban-client".\\
+e.g.
+<code bash>
+/usr/bin/fail2ban-client -x -c /etc/fail2ban start
+</code>
+test test test.
+==== How to test regex for logs ====
+As good software it come with good utility called "fail2ban-regex"\\
+which help you to test your regex against your log as well your custom string.
+<code bash>
+fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
+</code>
+OR
+<code bash>
+fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
+</code>
+which provides you result if your strings match.\\
+==== Rotate log ====
+As your standard installation from distribution will generate log on the system.\\
+So it is necessary to rotate it to avoid any file limit.\\
+<code bash | /etc/logrotate.d/fail2ban>
+/var/log/fail2ban.log {
+    weekly
+    rotate 7
+    missingok
+    compress
+    size 4M
+    postrotate
+      /etc/init.d/fail2ban reload
+    endscript
+}
+</code>
+If you do not have init script you can use following code to reload fail2ban as postrotate command.
+<code bash>
+/usr/bin/fail2ban-client reload 1>/dev/null || true
+</code>
+NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
+==== Final Words ====
+you can check blocked ip using following command
+<code bash>
+iptables -L
+</code>
+Hope fully this will help you