Table of Contents
Fail2Ban
Nice - Lightweight - Protection to linux box
You can do more than expected with this utility.
Here i am using SSH and FTP setting to protect my bandwidth from script kidies.
Installation
Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.
Following is the installation procedure for the centOS.
yum install fail2ban
Enable fail2ban during system startup. and start it
chkconfig --levels 235 fail2ban on /etc/init.d/fail2ban start
Configuration
Configuration file is named as jail.conf located at “/etc/fail2ban”
Following Options you might consider to setup before proceed.
ignoreip - you might be consider setting your known ip in this section bantime - time specified here is in seconds maxretry - ban after any ip cross this limit. filter - specify filter file e.g. /etc/fail2ban/filter.d action - specify action file e.g. /etc/fail2ban/action.d logpath - where fail2ban look for log
Sample Config file
- | /etc/fail2ban/jail.conf
# Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 617 $ # # The DEFAULT allows a global definition of the options. They can be override # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 192.168.1.4 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". This option can be overridden in # each jail too (use "gamin" for a jail and "polling" for another). # # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin # is not installed, Fail2ban will use polling. # polling: uses a polling algorithm which does not require external libraries. # auto: will choose Gamin if available and polling otherwise. backend = auto [ssh-iptables] enabled = true filter = sshd action = iptables-new[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] logpath = /var/log/secure maxretry = 5 [kernel-iptables] enabled = true filter = kernel action = iptables-allports[name=kernel, protocol=all] sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] logpath = /var/log/messages maxretry = 2 [proftpd-iptables] enabled = true filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com] logpath = /var/log/secure maxretry = 6 [sasl-iptables] enabled = true filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=receiver@lithiumfox.com] logpath = /var/log/maillog [apache-tcpwrapper] enabled = true filter = apache-auth action = hostsdeny logpath = /var/log/httpd/*error_log maxretry = 6 [postfix-tcpwrapper] enabled = true filter = postfix action = hostsdeny sendmail[name=Postfix, dest=receiver@lithiumfox.com] logpath = /var/log/maillog bantime = 300 [courierpop3] enabled = true port = pop3 filter = courierlogin action = iptables[name=%(__name__)s, port=%(port)s] logpath = /var/log/maillog maxretry = 5 [courierimap] enabled = true port = imap2 filter = courierlogin action = iptables[name=%(__name__)s, port=%(port)s] logpath = /var/log/maillog maxretry = 5 [ssh-tcpwrapper] enabled = false filter = sshd action = hostsdeny sendmail-whois[name=SSH, dest=you@mail.com] ignoreregex = for myuser from logpath = /var/log/secure [vsftpd-notification] enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@mail.com] logpath = /var/log/secure maxretry = 5 bantime = 1800 [vsftpd-iptables] enabled = false filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@mail.com] logpath = /var/log/secure maxretry = 5 bantime = 1800 [apache-badbots] enabled = false filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com] logpath = /var/log/httpd/*access_log bantime = 172800 maxretry = 1 [apache-shorewall] enabled = false filter = apache-noscript action = shorewall sendmail[name=Apache, dest=you@mail.com] logpath = /var/log/httpd/error_log [ssh-ipfw] enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com] logpath = /var/log/secure ignoreip = 168.192.0.1 [named-refused-udp] enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=udp] sendmail-whois[name=Named, dest=receiver@lithiumfox.com] logpath = /var/log/secure ignoreip = 168.192.0.1 [named-refused-tcp] enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] sendmail-whois[name=Named, dest=receiver@lithiumfox.com] logpath = /var/log/secure ignoreip = 168.192.0.1
NOTE : In above configuration i am using custom config file for “Treason uncloaked!”
which require you to create new file as below.
- | /etc/fail2ban/filter.d/kernel.conf
# Fail2Ban configuration file # # Author: K2patel # # $Revision: 1 $ # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = Treason uncloaked! Peer <HOST>:.*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Restart service now
/etc/init.d/fail2ban restart
Issue && Fixes
My server did not get started
First thing try to run your server from command line.
usually following command will do it.
/usr/bin/fail2ban-client -c /etc/fail2ban start
this will print the errors on your screen.
resolve error or google it if dont know how to.
Sock file is not get removed during start
check if this file exists.
/var/run/fail2ban/fail2ban.sock
Your can fix that issue by adding -x in your startup script.
This issue appear if your fail2ban is get started using “fail2ban-client”.
e.g.
/usr/bin/fail2ban-client -x -c /etc/fail2ban start
test test test.
How to test regex for logs
As good software it come with good utility called “fail2ban-regex”
which help you to test your regex against your log as well your custom string.
fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
OR
fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
which provides you result if your strings match.
Rotate log
As your standard installation from distribution will generate log on the system.
So it is necessary to rotate it to avoid any file limit.
- | /etc/logrotate.d/fail2ban
/var/log/fail2ban.log { weekly rotate 7 missingok compress size 4M postrotate /etc/init.d/fail2ban reload endscript }
If you do not have init script you can use following code to reload fail2ban as postrotate command.
/usr/bin/fail2ban-client reload 1>/dev/null || true
NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
Final Words
you can check blocked ip using following command
iptables -L
Hope fully this will help you