This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
fail2ban [2009/08/05 15:02] k2patel |
fail2ban [2012/06/07 10:59] k2patel [Rotate log] |
||
---|---|---|---|
Line 77: | Line 77: | ||
enabled = true | enabled = true | ||
filter = sshd | filter = sshd | ||
- | action = iptables[name=SSH, port=ssh, protocol=tcp] | + | action = iptables-new[name=SSH, port=ssh, protocol=tcp] |
sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
logpath = /var/log/secure | logpath = /var/log/secure | ||
maxretry = 5 | maxretry = 5 | ||
+ | |||
+ | |||
+ | [kernel-iptables] | ||
+ | |||
+ | enabled = true | ||
+ | filter = kernel | ||
+ | action = iptables-allports[name=kernel, protocol=all] | ||
+ | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
+ | logpath = /var/log/messages | ||
+ | maxretry = 2 | ||
+ | |||
Line 222: | Line 233: | ||
ignoreip = 168.192.0.1 | ignoreip = 168.192.0.1 | ||
</code> | </code> | ||
+ | |||
+ | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
+ | which require you to create new file as below. | ||
+ | |||
+ | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
+ | # Fail2Ban configuration file | ||
+ | # | ||
+ | # Author: K2patel | ||
+ | # | ||
+ | # $Revision: 1 $ | ||
+ | # | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | # Option: failregex | ||
+ | # Notes.: regex to match the password failures messages in the logfile. The | ||
+ | # host must be matched by a group named "host". The tag "<HOST>" can | ||
+ | # be used for standard IP/hostname matching and is only an alias for | ||
+ | # (?:::f{4,6}:)?(?P<host>\S+) | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
+ | |||
+ | # Option: ignoreregex | ||
+ | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | ignoreregex = | ||
+ | </code> | ||
+ | |||
Restart service now | Restart service now | ||
Line 240: | Line 281: | ||
== Sock file is not get removed during start == | == Sock file is not get removed during start == | ||
+ | check if this file exists. | ||
+ | <code bash> | ||
+ | /var/run/fail2ban/fail2ban.sock | ||
+ | </code> | ||
Your can fix that issue by adding -x in your startup script.\\ | Your can fix that issue by adding -x in your startup script.\\ | ||
This issue appear if your fail2ban is get started using "fail2ban-client".\\ | This issue appear if your fail2ban is get started using "fail2ban-client".\\ | ||
Line 245: | Line 290: | ||
<code bash> | <code bash> | ||
/usr/bin/fail2ban-client -x -c /etc/fail2ban start | /usr/bin/fail2ban-client -x -c /etc/fail2ban start | ||
+ | </code> | ||
+ | test test test. | ||
+ | |||
+ | |||
+ | ==== How to test regex for logs ==== | ||
+ | |||
+ | As good software it come with good utility called "fail2ban-regex"\\ | ||
+ | which help you to test your regex against your log as well your custom string. | ||
+ | |||
+ | <code bash> | ||
+ | fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$' | ||
+ | </code> | ||
+ | OR | ||
+ | |||
+ | <code bash> | ||
+ | fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$' | ||
+ | </code> | ||
+ | |||
+ | which provides you result if your strings match.\\ | ||
+ | |||
+ | ==== Rotate log ==== | ||
+ | |||
+ | As your standard installation from distribution will generate log on the system.\\ | ||
+ | So it is necessary to rotate it to avoid any file limit.\\ | ||
+ | |||
+ | <code bash | /etc/logrotate.d/fail2ban> | ||
+ | /var/log/fail2ban.log { | ||
+ | weekly | ||
+ | rotate 7 | ||
+ | missingok | ||
+ | compress | ||
+ | size 4M | ||
+ | postrotate | ||
+ | /etc/init.d/fail2ban reload | ||
+ | endscript | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
+ | |||
+ | <code bash> | ||
+ | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
</code> | </code> | ||
+ | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
==== Final Words ==== | ==== Final Words ==== |