fail2ban [2009/06/18 07:56] k2patel |
fail2ban [2012/06/07 10:59] k2patel [Rotate log] |
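--- a/fail2ban
+++ b/fail2ban
@@ -31,2 +31,316 @@
 logpath - where fail2ban look for log
 </code>
+
+Sample Config file
+
+<code bash | /etc/fail2ban/jail.conf >
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 617 $
+#
+
+# The DEFAULT allows a global definition of the options. They can be override
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1 192.168.1.4
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto". This option can be overridden in
+# each jail too (use "gamin" for a jail and "polling" for another).
+#
+# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
+# is not installed, Fail2ban will use polling.
+# polling: uses a polling algorithm which does not require external libraries.
+# auto: will choose Gamin if available and polling otherwise.
+backend = auto
+
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables-new[name=SSH, port=ssh, protocol=tcp]
+sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
+logpath = /var/log/secure
+maxretry = 5
+
+
+[kernel-iptables]
+
+enabled = true
+filter = kernel
+action = iptables-allports[name=kernel, protocol=all]
+sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
+logpath = /var/log/messages
+maxretry = 2
+
+
+
+[proftpd-iptables]
+
+enabled = true
+filter = proftpd
+action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
+sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
+logpath = /var/log/secure
+maxretry = 6
+
+
+[sasl-iptables]
+
+enabled = true
+filter = sasl
+backend = polling
+action = iptables[name=sasl, port=smtp, protocol=tcp]
+sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
+logpath = /var/log/maillog
+
+
+[apache-tcpwrapper]
+
+enabled = true
+filter = apache-auth
+action = hostsdeny
+logpath = /var/log/httpd/*error_log
+maxretry = 6
+
+
+[postfix-tcpwrapper]
+
+enabled = true
+filter = postfix
+action = hostsdeny
+sendmail[name=Postfix, dest=receiver@lithiumfox.com]
+logpath = /var/log/maillog
+bantime = 300
+
+
+[courierpop3]
+
+enabled = true
+port = pop3
+filter = courierlogin
+action = iptables[name=%(__name__)s, port=%(port)s]
+logpath = /var/log/maillog
+maxretry = 5
+
+
+[courierimap]
+
+enabled = true
+port = imap2
+filter = courierlogin
+action = iptables[name=%(__name__)s, port=%(port)s]
+logpath = /var/log/maillog
+maxretry = 5
+
+
+[ssh-tcpwrapper]
+
+enabled = false
+filter = sshd
+action = hostsdeny
+sendmail-whois[name=SSH, dest=you@mail.com]
+ignoreregex = for myuser from
+logpath = /var/log/secure
+
+
+[vsftpd-notification]
+
+enabled = false
+filter = vsftpd
+action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
+logpath = /var/log/secure
+maxretry = 5
+bantime = 1800
+
+
+[vsftpd-iptables]
+
+enabled = false
+filter = vsftpd
+action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
+sendmail-whois[name=VSFTPD, dest=you@mail.com]
+logpath = /var/log/secure
+maxretry = 5
+bantime = 1800
+
+
+[apache-badbots]
+
+enabled = false
+filter = apache-badbots
+action = iptables-multiport[name=BadBots, port="http,https"]
+sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
+logpath = /var/log/httpd/*access_log
+bantime = 172800
+maxretry = 1
+
+
+[apache-shorewall]
+
+enabled = false
+filter = apache-noscript
+action = shorewall
+sendmail[name=Apache, dest=you@mail.com]
+logpath = /var/log/httpd/error_log
+
+
+[ssh-ipfw]
+
+enabled = false
+filter = sshd
+action = ipfw[localhost=192.168.0.1]
+sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
+logpath = /var/log/secure
+ignoreip = 168.192.0.1
+
+
+[named-refused-udp]
+
+enabled = false
+filter = named-refused
+action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
+logpath = /var/log/secure
+ignoreip = 168.192.0.1
+
+
+[named-refused-tcp]
+
+enabled = false
+filter = named-refused
+action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
+logpath = /var/log/secure
+ignoreip = 168.192.0.1
+</code>
+
+NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\
+which require you to create new file as below.
+
+<code bash | /etc/fail2ban/filter.d/kernel.conf>
+# Fail2Ban configuration file
+#
+# Author: K2patel
+#
+# $Revision: 1 $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>\S+)
+# Values: TEXT
+#
+failregex = Treason uncloaked! Peer <HOST>:.*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+</code>
+
+
+Restart service now
+
+<code bash>
+/etc/init.d/fail2ban restart
+</code>
+
+==== Issue && Fixes ====
+== My server did not get started ==
+First thing try to run your server from command line.\\
+usually following command will do it.\\
+<code bash>
+/usr/bin/fail2ban-client -c /etc/fail2ban start
+</code>
+this will print the errors on your screen.\\
+resolve error or google it if dont know how to.
+
+== Sock file is not get removed during start ==
+check if this file exists.
+<code bash>
+/var/run/fail2ban/fail2ban.sock
+</code>
+Your can fix that issue by adding -x in your startup script.\\
+This issue appear if your fail2ban is get started using "fail2ban-client".\\
+e.g.
+<code bash>
+/usr/bin/fail2ban-client -x -c /etc/fail2ban start
+</code>
+test test test.
+
+
+==== How to test regex for logs ====
+
+As good software it come with good utility called "fail2ban-regex"\\
+which help you to test your regex against your log as well your custom string.
+
+<code bash>
+fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
+</code>
+OR
+
+<code bash>
+fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
+</code>
+
+which provides you result if your strings match.\\
+
+==== Rotate log ====
+
+As your standard installation from distribution will generate log on the system.\\
+So it is necessary to rotate it to avoid any file limit.\\
+
+<code bash | /etc/logrotate.d/fail2ban>
+/var/log/fail2ban.log {
+weekly
+rotate 7
+missingok
+compress
+size 4M
+postrotate
+/etc/init.d/fail2ban reload
+endscript
+}
+</code>
+
+If you do not have init script you can use following code to reload fail2ban as postrotate command.
+
+<code bash>
+/usr/bin/fail2ban-client reload 1>/dev/null || true
+</code>
+
+NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
+
+==== Final Words ====
+
+you can check blocked ip using following command
+
+<code bash>
+iptables -L
+</code>
+
+Hope fully this will help you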
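Review bot: The enabled [kernel-iptables] jail pairs `iptables-allports[name=kernel, protocol=all]` with `maxretry = 2` on the kernel "Treason uncloaked!" message, but that message is logged when a TCP peer shrinks its advertised window — commonly a broken NAT or middlebox on the client side rather than an authentication failure — so two such lines within findtime cut a possibly legitimate client off from every service; raise maxretry well above 2 or restrict the action to the affected port, and treat the filter as a notifier until its hit rate on real traffic is known. The three disabled jails ([ssh-ipfw], [named-refused-udp], [named-refused-tcp]) set `ignoreip = 168.192.0.1`, which is a routable public address, while [ssh-ipfw] itself uses `localhost=192.168.0.1`; this looks like a transposed `192.168.0.1`, and if any of those jails is enabled the LAN host is not exempt while an unrelated public /32 is. Every second action line (`sendmail-whois[...]`, `sendmail[...]`, `sendmail-buffered[...]`) is shown flush-left under its `action =`; fail2ban reads jail.conf with Python's configparser, which only joins a continuation line when it is indented, so confirm the leading whitespace survived the paste or the file will not parse as intended. In "Final Words", `iptables -L` does a reverse-DNS lookup for every banned address, which is slow and issues queries the banned host's owner can observe; `iptables -L -n` or `fail2ban-client status <jail>` shows the same without the lookups. The logrotate `postrotate` calls `reload`, which on 0.8-era releases restarts the jails and drops the active ban list at each rotation — check the installed version and use `fail2ban-client flushlogs` where the client supports it.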