Differences

This shows you the differences between two versions of the page.

--- fail2ban [2009/06/18 08:01] – k2patel
+++ fail2ban [2020/08/10 02:35] (current) – external edit 127.0.0.1
@@ Line 50: / Line 50: @@
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
-ignoreip = 127.0.0.1 192.168.0.99
+ignoreip = 127.0.0.1 192.168.1.4
 # "bantime" is the number of seconds that a host is banned.
@@ Line 77: / Line 77: @@
 enabled  = true
 filter   = sshd
-action   = iptables[name=SSH, port=ssh, protocol=tcp]
+action   = iptables-new[name=SSH, port=ssh, protocol=tcp]
-           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
+           sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
 logpath  = /var/log/secure
 maxretry = 5
+[kernel-iptables]
+enabled  = true
+filter   = kernel
+action   = iptables-allports[name=kernel, protocol=all]
+           sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
+logpath  = /var/log/messages
+maxretry = 2
@@ Line 88: / Line 99: @@
 filter   = proftpd
 action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=ProFTPD, dest=you@mail.com]
+           sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
 logpath  = /var/log/secure
 maxretry = 6
@@ Line 99: / Line 110: @@
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
-           sendmail-whois[name=sasl, dest=you@mail.com]
+           sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
 logpath  = /var/log/maillog
@@ Line 117: / Line 128: @@
 filter   = postfix
 action   = hostsdeny
-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=receiver@lithiumfox.com]
 logpath  = /var/log/maillog
 bantime  = 300
@@ Line 198: / Line 209: @@
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
+           sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
 logpath  = /var/log/secure
 ignoreip = 168.192.0.1
@@ Line 208: / Line 219: @@
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
 logpath  = /var/log/secure
 ignoreip = 168.192.0.1
@@ Line 218: / Line 229: @@
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
 logpath  = /var/log/secure
 ignoreip = 168.192.0.1
 </code>
+NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\
+which require you to create new file as below.
+<code bash | /etc/fail2ban/filter.d/kernel.conf>
+# Fail2Ban configuration file
+#
+# Author: K2patel
+#
+# $Revision: 1 $
+#
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = Treason uncloaked! Peer <HOST>:.*$
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+</code>
+Restart service now
+<code bash>
+/etc/init.d/fail2ban restart
+</code>
+==== Issue && Fixes ====
+== My server did not get started ==
+First thing try to run your server from command line.\\
+usually following command will do it.\\
+<code bash>
+/usr/bin/fail2ban-client -c /etc/fail2ban start
+</code>
+this will print the errors on your screen.\\
+resolve error or google it if dont know how to.
+== Sock file is not get removed during start ==
+check if this file exists.
+<code bash>
+/var/run/fail2ban/fail2ban.sock
+</code>
+Your can fix that issue by adding -x in your startup script.\\
+This issue appear if your fail2ban is get started using "fail2ban-client".\\
+e.g.
+<code bash>
+/usr/bin/fail2ban-client -x -c /etc/fail2ban start
+</code>
+test test test.
+==== How to test regex for logs ====
+As good software it come with good utility called "fail2ban-regex"\\
+which help you to test your regex against your log as well your custom string.
+<code bash>
+fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
+</code>
+OR
+<code bash>
+fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
+</code>
+which provides you result if your strings match.\\
+==== Rotate log ====
+As your standard installation from distribution will generate log on the system.\\
+So it is necessary to rotate it to avoid any file limit.\\
+<code bash | /etc/logrotate.d/fail2ban>
+/var/log/fail2ban.log {
+    weekly
+    rotate 7
+    missingok
+    compress
+    size 4M
+    postrotate
+      /etc/init.d/fail2ban reload
+    endscript
+}
+</code>
+If you do not have init script you can use following code to reload fail2ban as postrotate command.
+<code bash>
+/usr/bin/fail2ban-client reload 1>/dev/null || true
+</code>
+NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
+==== Final Words ====
+you can check blocked ip using following command
+<code bash>
+iptables -L
+</code>
+Hope fully this will help you