User Tools

Site Tools


fail2ban

Fail2Ban

Nice - Lightweight - Protection to linux box

You can do more than expected with this utility.
Here i am using SSH and FTP setting to protect my bandwidth from script kidies.

Installation

Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.
Following is the installation procedure for the centOS.

yum install fail2ban

Enable fail2ban during system startup. and start it

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

Configuration

Configuration file is named as jail.conf located at “/etc/fail2ban”
Following Options you might consider to setup before proceed.

ignoreip - you might be consider setting your known ip in this section
bantime - time specified here is in seconds
maxretry - ban after any ip cross this limit.
filter - specify filter file e.g. /etc/fail2ban/filter.d
action - specify action file e.g. /etc/fail2ban/action.d
logpath - where fail2ban look for log

Sample Config file

| /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
 
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.1.4
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
 
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
 
 
[ssh-iptables]
 
enabled  = true
filter   = sshd
action   = iptables-new[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 5
 
 
[kernel-iptables]
 
enabled  = true
filter   = kernel
action   = iptables-allports[name=kernel, protocol=all]
           sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
logpath  = /var/log/messages
maxretry = 2
 
 
 
[proftpd-iptables]
 
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 6
 
 
[sasl-iptables]
 
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog
 
 
[apache-tcpwrapper]
 
enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/*error_log
maxretry = 6
 
 
[postfix-tcpwrapper]
 
enabled  = true
filter   = postfix
action   = hostsdeny
           sendmail[name=Postfix, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog
bantime  = 300
 
 
[courierpop3]
 
enabled  = true
port     = pop3
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5
 
 
[courierimap]
 
enabled  = true
port     = imap2
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5
 
 
[ssh-tcpwrapper]
 
enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/secure
 
 
[vsftpd-notification]
 
enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800
 
 
[vsftpd-iptables]
 
enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800
 
 
[apache-badbots]
 
enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1
 
 
[apache-shorewall]
 
enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Apache, dest=you@mail.com]
logpath  = /var/log/httpd/error_log
 
 
[ssh-ipfw]
 
enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1
 
 
[named-refused-udp]
 
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1
 
 
[named-refused-tcp]
 
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1

NOTE : In above configuration i am using custom config file for “Treason uncloaked!”
which require you to create new file as below.

| /etc/fail2ban/filter.d/kernel.conf
# Fail2Ban configuration file
#
# Author: K2patel
#
# $Revision: 1 $
#
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = Treason uncloaked! Peer <HOST>:.*$
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

Restart service now

/etc/init.d/fail2ban restart

Issue && Fixes

My server did not get started

First thing try to run your server from command line.
usually following command will do it.

/usr/bin/fail2ban-client -c /etc/fail2ban start

this will print the errors on your screen.
resolve error or google it if dont know how to.

Sock file is not get removed during start

check if this file exists.

/var/run/fail2ban/fail2ban.sock

Your can fix that issue by adding -x in your startup script.
This issue appear if your fail2ban is get started using “fail2ban-client”.
e.g.

/usr/bin/fail2ban-client -x -c /etc/fail2ban start

test test test.

How to test regex for logs

As good software it come with good utility called “fail2ban-regex”
which help you to test your regex against your log as well your custom string.

fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'

OR

fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'

which provides you result if your strings match.

Rotate log

As your standard installation from distribution will generate log on the system.
So it is necessary to rotate it to avoid any file limit.

| /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
    weekly
    rotate 7
    missingok
    compress
    size 4M
    postrotate
      /etc/init.d/fail2ban reload
    endscript
}

If you do not have init script you can use following code to reload fail2ban as postrotate command.

/usr/bin/fail2ban-client reload 1>/dev/null || true

NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE

Final Words

you can check blocked ip using following command

iptables -L

Hope fully this will help you

fail2ban.txt · Last modified: 2020/08/10 02:35 (external edit)