This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
fail2ban [2009/06/18 08:34] k2patel |
fail2ban [2010/09/13 16:00] k2patel |
||
---|---|---|---|
Line 77: | Line 77: | ||
enabled = true | enabled = true | ||
filter = sshd | filter = sshd | ||
- | action = iptables[name=SSH, port=ssh, protocol=tcp] | + | action = iptables-new[name=SSH, port=ssh, protocol=tcp] |
sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
logpath = /var/log/secure | logpath = /var/log/secure | ||
maxretry = 5 | maxretry = 5 | ||
+ | |||
+ | |||
+ | [kernel-iptables] | ||
+ | |||
+ | enabled = true | ||
+ | filter = kernel | ||
+ | action = iptables-allports[name=kernel, protocol=all] | ||
+ | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
+ | logpath = /var/log/messages | ||
+ | maxretry = 2 | ||
+ | |||
Line 222: | Line 233: | ||
ignoreip = 168.192.0.1 | ignoreip = 168.192.0.1 | ||
</code> | </code> | ||
+ | |||
+ | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
+ | which require you to create new file as below. | ||
+ | |||
+ | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
+ | # Fail2Ban configuration file | ||
+ | # | ||
+ | # Author: K2patel | ||
+ | # | ||
+ | # $Revision: 1 $ | ||
+ | # | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | # Option: failregex | ||
+ | # Notes.: regex to match the password failures messages in the logfile. The | ||
+ | # host must be matched by a group named "host". The tag "<HOST>" can | ||
+ | # be used for standard IP/hostname matching and is only an alias for | ||
+ | # (?:::f{4,6}:)?(?P<host>\S+) | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
+ | |||
+ | # Option: ignoreregex | ||
+ | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | ignoreregex = | ||
+ | </code> | ||
+ | |||
Restart service now | Restart service now | ||
Line 228: | Line 269: | ||
/etc/init.d/fail2ban restart | /etc/init.d/fail2ban restart | ||
</code> | </code> | ||
+ | |||
+ | ==== Issue && Fixes ==== | ||
+ | == My server did not get started == | ||
+ | First thing try to run your server from command line.\\ | ||
+ | usually following command will do it.\\ | ||
+ | <code bash> | ||
+ | /usr/bin/fail2ban-client -c /etc/fail2ban start | ||
+ | </code> | ||
+ | this will print the errors on your screen.\\ | ||
+ | resolve error or google it if dont know how to. | ||
+ | |||
+ | == Sock file is not get removed during start == | ||
+ | check if this file exists. | ||
+ | <code bash> | ||
+ | /var/run/fail2ban/fail2ban.sock | ||
+ | </code> | ||
+ | Your can fix that issue by adding -x in your startup script.\\ | ||
+ | This issue appear if your fail2ban is get started using "fail2ban-client".\\ | ||
+ | e.g. | ||
+ | <code bash> | ||
+ | /usr/bin/fail2ban-client -x -c /etc/fail2ban start | ||
+ | </code> | ||
+ | test test test. | ||
+ | |||
+ | |||
+ | ==== How to test regex for logs ==== | ||
+ | |||
+ | As good software it come with good utility called "fail2ban-regex"\\ | ||
+ | which help you to test your regex against your log as well your custom string. | ||
+ | |||
+ | <code bash> | ||
+ | fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$' | ||
+ | </code> | ||
+ | OR | ||
+ | |||
+ | <code bash> | ||
+ | fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$' | ||
+ | </code> | ||
+ | |||
+ | which provides you result if your strings match.\\ | ||
+ | |||
+ | ==== Rotate log ==== | ||
+ | |||
+ | As your standard installation from distribution will generate log on the system.\\ | ||
+ | So it is necessary to rotate it to avoid any file limit.\\ | ||
+ | |||
+ | <code bash | /etc/logrotate.d/fail2ban> | ||
+ | /var/log/fail2ban.log { | ||
+ | weekly | ||
+ | rotate 7 | ||
+ | missingok | ||
+ | compress | ||
+ | size=+4096k | ||
+ | postrotate | ||
+ | /etc/init.d/fail2ban reload | ||
+ | endscript | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
+ | |||
+ | <code bash> | ||
+ | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
+ | </code> | ||
+ | |||
+ | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
==== Final Words ==== | ==== Final Words ==== |