fail2ban [2009/08/05 15:02] k2patel
fail2ban [2020/08/10 02:35]
====== Fail2Ban ======
Nice, lightweight protection for a Linux box.

You can do more than expected with this utility.\\
Here I am using the SSH and FTP settings to protect my bandwidth from script kiddies.
==== Installation ====
Fail2ban is written in Python, so no compilation is required. You can even run Fail2ban without installing it.\\
The following is the installation procedure for CentOS.

<code bash>
yum install fail2ban
</code>

Enable fail2ban at system startup, then start it:

<code bash>
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
</code>
==== Configuration ====
The configuration file is named jail.conf and is located in "/etc/fail2ban".\\
The following options you should consider setting before proceeding.

<code text>
ignoreip - consider listing your own known IP addresses here; they are never banned
bantime  - the ban duration; the time specified here is in seconds
maxretry - ban an IP once it crosses this number of failures (counted within findtime seconds, see below)
filter   - the filter file to use, e.g. from /etc/fail2ban/filter.d
action   - the action file to use, e.g. from /etc/fail2ban/action.d
logpath  - the log file fail2ban watches
</code>

Sample config file
<code ini /etc/fail2ban/jail.conf>
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using a space separator.
ignoreip = 127.0.0.1 192.168.1.4

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to detect file modifications. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
logpath = /var/log/secure
maxretry = 5


[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
logpath = /var/log/secure
maxretry = 6


[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
logpath = /var/log/maillog


[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/*error_log
maxretry = 6


[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
         sendmail[name=Postfix, dest=receiver@lithiumfox.com]
logpath = /var/log/maillog
bantime = 300

[courierpop3]

enabled = true
port = pop3
filter = courierlogin
action = iptables[name=%(__name__)s, port=%(port)s]
logpath = /var/log/maillog
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierlogin
action = iptables[name=%(__name__)s, port=%(port)s]
logpath = /var/log/maillog
maxretry = 5


[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/secure


[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800


[vsftpd-iptables]

enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800


[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1


[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
         sendmail[name=Apache, dest=you@mail.com]
logpath = /var/log/httpd/error_log


[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
         sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1


[named-refused-udp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
         sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1


[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
         sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath = /var/log/secure
ignoreip = 168.192.0.1
</code>
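
As an added illustration of how ignoreip, findtime, maxretry and bantime from the option list and the sample jail.conf above interact (this is example code written for this page, not part of the original page or of fail2ban itself): a small Python replay of the [ssh-iptables] jail's ban decision over constructed /var/log/secure lines, using a simplified stand-in for the sshd failregex.

```python
import re
import ipaddress

# Values from the [DEFAULT] and [ssh-iptables] sections of the sample jail.conf.
IGNOREIP = ["127.0.0.1", "192.168.1.4"]
FINDTIME = 600   # seconds a failure stays in the counting window
BANTIME = 600    # seconds a ban lasts
MAXRETRY = 5     # [ssh-iptables] overrides the DEFAULT value of 3

# Simplified stand-in for the sshd filter's failregex (the real one lives in
# /etc/fail2ban/filter.d/sshd.conf and covers more message variants).
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)")


def ignored(host):
    """True if host matches an ignoreip entry (single IP or CIDR mask)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in IGNOREIP)


def run_jail(events):
    """Replay (unix_time, log_line) events in order; return (ban_log, active_bans)."""
    failures, bans, ban_log = {}, {}, []
    for now, line in events:
        for host in [h for h, exp in bans.items() if exp <= now]:
            del bans[host]                 # bantime elapsed: unban
        m = FAILREGEX.search(line)
        if not m or ignored(m.group("host")) or m.group("host") in bans:
            continue
        host = m.group("host")
        recent = [t for t in failures.get(host, []) if now - t <= FINDTIME]
        recent.append(now)                 # only failures inside findtime count
        failures[host] = recent
        if len(recent) >= MAXRETRY:
            bans[host] = now + BANTIME     # here the iptables action would fire
            ban_log.append((now, host))
            failures[host] = []
    return ban_log, bans


def demo():
    """Constructed /var/log/secure-style lines; times are unix seconds."""
    fail = "sshd[1234]: Failed password for invalid user admin from {} port 2200 ssh2"
    events = [(t, fail.format("203.0.113.7")) for t in (1000, 1010, 1020, 1030, 1040)]
    events += [(1100 + i, fail.format("192.168.1.4")) for i in range(6)]  # in ignoreip
    events += [(1700, fail.format("203.0.113.7"))]  # its 600 s ban has expired by now
    events += [(t, fail.format("198.51.100.9")) for t in (2000, 2100, 2200, 2300, 2650, 2660)]
    return run_jail(events)
```

The second host is not banned at t=2650 because its first failure at t=2000 has already slid out of the 600 s findtime window; the sixth failure ten seconds later tips it over maxretry.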

Now restart the service:

<code bash>
/etc/init.d/fail2ban restart
</code>

==== Issues and Fixes ====
== My server did not start ==
First, try to run the server from the command line.\\
Usually the following command will do it.\\
<code bash>
/usr/bin/fail2ban-client -c /etc/fail2ban start
</code>
This will print any errors to your screen.\\
Resolve the error, or google it if you don't know how.

== Socket file does not get removed during start ==
You can fix that issue by adding -x to your startup script.\\
This issue appears if fail2ban is started using "fail2ban-client".\\
e.g.
<code bash>
/usr/bin/fail2ban-client -x -c /etc/fail2ban start
</code>


==== Final Words ====

You can check the blocked IPs using the following command:

<code bash>
iptables -L
</code>

Hopefully this will help you.