Debian DokuWiki

User Tools

Site Tools

Trace:
fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
fail2ban [2009/08/21 15:43] k2patelfail2ban [2020/08/10 02:35] (current) – external edit 127.0.0.1
Line 77: Line 77:
 enabled  = true enabled  = true
 filter   = sshd filter   = sshd
-action   = iptables[name=SSH, port=ssh, protocol=tcp]+action   = iptables-new[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]            sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
 logpath  = /var/log/secure logpath  = /var/log/secure
 maxretry = 5 maxretry = 5
 +
 +
 +[kernel-iptables]
 +
 +enabled  = true
 +filter   = kernel
 +action   = iptables-allports[name=kernel, protocol=all]
 +           sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
 +logpath  = /var/log/messages
 +maxretry = 2
 +
  
  
Line 222: Line 233:
 ignoreip = 168.192.0.1 ignoreip = 168.192.0.1
 </code> </code>
 +
 +NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\
 +which require you to create new file as below.
 +
 +<code bash | /etc/fail2ban/filter.d/kernel.conf>
 +# Fail2Ban configuration file
 +#
 +# Author: K2patel
 +#
 +# $Revision: 1 $
 +#
 +
 +[Definition]
 +
 +# Option:  failregex
 +# Notes.:  regex to match the password failures messages in the logfile. The
 +#          host must be matched by a group named "host". The tag "<HOST>" can
 +#          be used for standard IP/hostname matching and is only an alias for
 +#          (?:::f{4,6}:)?(?P<host>\S+)
 +# Values:  TEXT
 +#
 +failregex = Treason uncloaked! Peer <HOST>:.*$
 +
 +# Option:  ignoreregex
 +# Notes.:  regex to ignore. If this regex matches, the line is ignored.
 +# Values:  TEXT
 +#
 +ignoreregex = 
 +</code>
 +
  
 Restart service now Restart service now
Line 252: Line 293:
 test test test. test test test.
  
 +
 +==== How to test regex for logs ====
 +
 +As good software it come with good utility called "fail2ban-regex"\\
 +which help you to test your regex against your log as well your custom string.
 +
 +<code bash>
 +fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
 +</code>
 +OR
 +
 +<code bash>
 +fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
 +</code>
 +
 +which provides you result if your strings match.\\
 +
 +==== Rotate log ====
 +
 +As your standard installation from distribution will generate log on the system.\\
 +So it is necessary to rotate it to avoid any file limit.\\
 +
 +<code bash | /etc/logrotate.d/fail2ban>
 +/var/log/fail2ban.log {
 +    weekly
 +    rotate 7
 +    missingok
 +    compress
 +    size 4M
 +    postrotate
 +      /etc/init.d/fail2ban reload
 +    endscript
 +}
 +</code>
 +
 +If you do not have init script you can use following code to reload fail2ban as postrotate command.
 +
 +<code bash>
 +/usr/bin/fail2ban-client reload 1>/dev/null || true
 +</code>
 +
 +NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
  
 ==== Final Words ==== ==== Final Words ====
fail2ban.1250869428.txt.gz · Last modified: 2020/08/10 02:30 (external edit)