fail2ban
Differences
This shows you the differences between two versions of the page.
|
fail2ban [2010/09/13 16:00] k2patel |
fail2ban [2020/08/10 02:35] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Fail2Ban ====== | ||
| - | Nice - Lightweight - Protection to linux box | ||
| - | |||
| - | You can do more than expected with this utility.\\ | ||
| - | Here i am using SSH and FTP setting to protect my bandwidth from script kidies. | ||
| - | ==== Installation ==== | ||
| - | Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.\\ | ||
| - | Following is the installation procedure for the centOS. | ||
| - | |||
| - | <code bash> | ||
| - | yum install fail2ban | ||
| - | </code> | ||
| - | |||
| - | Enable fail2ban during system startup. and start it | ||
| - | |||
| - | <code bash> | ||
| - | chkconfig --levels 235 fail2ban on | ||
| - | /etc/init.d/fail2ban start | ||
| - | </code> | ||
| - | ==== Configuration ==== | ||
| - | Configuration file is named as jail.conf located at "/etc/fail2ban" \\ | ||
| - | Following Options you might consider to setup before proceed. | ||
| - | |||
| - | <code text> | ||
| - | ignoreip - you might be consider setting your known ip in this section | ||
| - | bantime - time specified here is in seconds | ||
| - | maxretry - ban after any ip cross this limit. | ||
| - | filter - specify filter file e.g. /etc/fail2ban/filter.d | ||
| - | action - specify action file e.g. /etc/fail2ban/action.d | ||
| - | logpath - where fail2ban look for log | ||
| - | </code> | ||
| - | |||
| - | Sample Config file | ||
| - | |||
| - | <code bash | /etc/fail2ban/jail.conf > | ||
| - | # Fail2Ban configuration file | ||
| - | # | ||
| - | # Author: Cyril Jaquier | ||
| - | # | ||
| - | # $Revision: 617 $ | ||
| - | # | ||
| - | |||
| - | # The DEFAULT allows a global definition of the options. They can be override | ||
| - | # in each jail afterwards. | ||
| - | |||
| - | [DEFAULT] | ||
| - | |||
| - | # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not | ||
| - | # ban a host which matches an address in this list. Several addresses can be | ||
| - | # defined using space separator. | ||
| - | ignoreip = 127.0.0.1 192.168.1.4 | ||
| - | |||
| - | # "bantime" is the number of seconds that a host is banned. | ||
| - | bantime = 600 | ||
| - | |||
| - | # A host is banned if it has generated "maxretry" during the last "findtime" | ||
| - | # seconds. | ||
| - | findtime = 600 | ||
| - | |||
| - | # "maxretry" is the number of failures before a host get banned. | ||
| - | maxretry = 3 | ||
| - | |||
| - | # "backend" specifies the backend used to get files modification. Available | ||
| - | # options are "gamin", "polling" and "auto". This option can be overridden in | ||
| - | # each jail too (use "gamin" for a jail and "polling" for another). | ||
| - | # | ||
| - | # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin | ||
| - | # is not installed, Fail2ban will use polling. | ||
| - | # polling: uses a polling algorithm which does not require external libraries. | ||
| - | # auto: will choose Gamin if available and polling otherwise. | ||
| - | backend = auto | ||
| - | |||
| - | |||
| - | [ssh-iptables] | ||
| - | |||
| - | enabled = true | ||
| - | filter = sshd | ||
| - | action = iptables-new[name=SSH, port=ssh, protocol=tcp] | ||
| - | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
| - | logpath = /var/log/secure | ||
| - | maxretry = 5 | ||
| - | |||
| - | |||
| - | [kernel-iptables] | ||
| - | |||
| - | enabled = true | ||
| - | filter = kernel | ||
| - | action = iptables-allports[name=kernel, protocol=all] | ||
| - | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
| - | logpath = /var/log/messages | ||
| - | maxretry = 2 | ||
| - | |||
| - | |||
| - | |||
| - | [proftpd-iptables] | ||
| - | |||
| - | enabled = true | ||
| - | filter = proftpd | ||
| - | action = iptables[name=ProFTPD, port=ftp, protocol=tcp] | ||
| - | sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/secure | ||
| - | maxretry = 6 | ||
| - | |||
| - | |||
| - | [sasl-iptables] | ||
| - | |||
| - | enabled = true | ||
| - | filter = sasl | ||
| - | backend = polling | ||
| - | action = iptables[name=sasl, port=smtp, protocol=tcp] | ||
| - | sendmail-whois[name=sasl, dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/maillog | ||
| - | |||
| - | |||
| - | [apache-tcpwrapper] | ||
| - | |||
| - | enabled = true | ||
| - | filter = apache-auth | ||
| - | action = hostsdeny | ||
| - | logpath = /var/log/httpd/*error_log | ||
| - | maxretry = 6 | ||
| - | |||
| - | |||
| - | [postfix-tcpwrapper] | ||
| - | |||
| - | enabled = true | ||
| - | filter = postfix | ||
| - | action = hostsdeny | ||
| - | sendmail[name=Postfix, dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/maillog | ||
| - | bantime = 300 | ||
| - | |||
| - | |||
| - | [courierpop3] | ||
| - | |||
| - | enabled = true | ||
| - | port = pop3 | ||
| - | filter = courierlogin | ||
| - | action = iptables[name=%(__name__)s, port=%(port)s] | ||
| - | logpath = /var/log/maillog | ||
| - | maxretry = 5 | ||
| - | |||
| - | |||
| - | [courierimap] | ||
| - | |||
| - | enabled = true | ||
| - | port = imap2 | ||
| - | filter = courierlogin | ||
| - | action = iptables[name=%(__name__)s, port=%(port)s] | ||
| - | logpath = /var/log/maillog | ||
| - | maxretry = 5 | ||
| - | |||
| - | |||
| - | [ssh-tcpwrapper] | ||
| - | |||
| - | enabled = false | ||
| - | filter = sshd | ||
| - | action = hostsdeny | ||
| - | sendmail-whois[name=SSH, dest=you@mail.com] | ||
| - | ignoreregex = for myuser from | ||
| - | logpath = /var/log/secure | ||
| - | |||
| - | |||
| - | [vsftpd-notification] | ||
| - | |||
| - | enabled = false | ||
| - | filter = vsftpd | ||
| - | action = sendmail-whois[name=VSFTPD, dest=you@mail.com] | ||
| - | logpath = /var/log/secure | ||
| - | maxretry = 5 | ||
| - | bantime = 1800 | ||
| - | |||
| - | |||
| - | [vsftpd-iptables] | ||
| - | |||
| - | enabled = false | ||
| - | filter = vsftpd | ||
| - | action = iptables[name=VSFTPD, port=ftp, protocol=tcp] | ||
| - | sendmail-whois[name=VSFTPD, dest=you@mail.com] | ||
| - | logpath = /var/log/secure | ||
| - | maxretry = 5 | ||
| - | bantime = 1800 | ||
| - | |||
| - | |||
| - | [apache-badbots] | ||
| - | |||
| - | enabled = false | ||
| - | filter = apache-badbots | ||
| - | action = iptables-multiport[name=BadBots, port="http,https"] | ||
| - | sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com] | ||
| - | logpath = /var/log/httpd/*access_log | ||
| - | bantime = 172800 | ||
| - | maxretry = 1 | ||
| - | |||
| - | |||
| - | [apache-shorewall] | ||
| - | |||
| - | enabled = false | ||
| - | filter = apache-noscript | ||
| - | action = shorewall | ||
| - | sendmail[name=Apache, dest=you@mail.com] | ||
| - | logpath = /var/log/httpd/error_log | ||
| - | |||
| - | |||
| - | [ssh-ipfw] | ||
| - | |||
| - | enabled = false | ||
| - | filter = sshd | ||
| - | action = ipfw[localhost=192.168.0.1] | ||
| - | sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/secure | ||
| - | ignoreip = 168.192.0.1 | ||
| - | |||
| - | |||
| - | [named-refused-udp] | ||
| - | |||
| - | enabled = false | ||
| - | filter = named-refused | ||
| - | action = iptables-multiport[name=Named, port="domain,953", protocol=udp] | ||
| - | sendmail-whois[name=Named, dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/secure | ||
| - | ignoreip = 168.192.0.1 | ||
| - | |||
| - | |||
| - | [named-refused-tcp] | ||
| - | |||
| - | enabled = false | ||
| - | filter = named-refused | ||
| - | action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] | ||
| - | sendmail-whois[name=Named, dest=receiver@lithiumfox.com] | ||
| - | logpath = /var/log/secure | ||
| - | ignoreip = 168.192.0.1 | ||
| - | </code> | ||
| - | |||
| - | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
| - | which require you to create new file as below. | ||
| - | |||
| - | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
| - | # Fail2Ban configuration file | ||
| - | # | ||
| - | # Author: K2patel | ||
| - | # | ||
| - | # $Revision: 1 $ | ||
| - | # | ||
| - | |||
| - | [Definition] | ||
| - | |||
| - | # Option: failregex | ||
| - | # Notes.: regex to match the password failures messages in the logfile. The | ||
| - | # host must be matched by a group named "host". The tag "<HOST>" can | ||
| - | # be used for standard IP/hostname matching and is only an alias for | ||
| - | # (?:::f{4,6}:)?(?P<host>\S+) | ||
| - | # Values: TEXT | ||
| - | # | ||
| - | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
| - | |||
| - | # Option: ignoreregex | ||
| - | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
| - | # Values: TEXT | ||
| - | # | ||
| - | ignoreregex = | ||
| - | </code> | ||
| - | |||
| - | |||
| - | Restart service now | ||
| - | |||
| - | <code bash> | ||
| - | /etc/init.d/fail2ban restart | ||
| - | </code> | ||
| - | |||
| - | ==== Issue && Fixes ==== | ||
| - | == My server did not get started == | ||
| - | First thing try to run your server from command line.\\ | ||
| - | usually following command will do it.\\ | ||
| - | <code bash> | ||
| - | /usr/bin/fail2ban-client -c /etc/fail2ban start | ||
| - | </code> | ||
| - | this will print the errors on your screen.\\ | ||
| - | resolve error or google it if dont know how to. | ||
| - | |||
| - | == Sock file is not get removed during start == | ||
| - | check if this file exists. | ||
| - | <code bash> | ||
| - | /var/run/fail2ban/fail2ban.sock | ||
| - | </code> | ||
| - | Your can fix that issue by adding -x in your startup script.\\ | ||
| - | This issue appear if your fail2ban is get started using "fail2ban-client".\\ | ||
| - | e.g. | ||
| - | <code bash> | ||
| - | /usr/bin/fail2ban-client -x -c /etc/fail2ban start | ||
| - | </code> | ||
| - | test test test. | ||
| - | |||
| - | |||
| - | ==== How to test regex for logs ==== | ||
| - | |||
| - | As good software it come with good utility called "fail2ban-regex"\\ | ||
| - | which help you to test your regex against your log as well your custom string. | ||
| - | |||
| - | <code bash> | ||
| - | fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$' | ||
| - | </code> | ||
| - | OR | ||
| - | |||
| - | <code bash> | ||
| - | fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$' | ||
| - | </code> | ||
| - | |||
| - | which provides you result if your strings match.\\ | ||
| - | |||
| - | ==== Rotate log ==== | ||
| - | |||
| - | As your standard installation from distribution will generate log on the system.\\ | ||
| - | So it is necessary to rotate it to avoid any file limit.\\ | ||
| - | |||
| - | <code bash | /etc/logrotate.d/fail2ban> | ||
| - | /var/log/fail2ban.log { | ||
| - | weekly | ||
| - | rotate 7 | ||
| - | missingok | ||
| - | compress | ||
| - | size=+4096k | ||
| - | postrotate | ||
| - | /etc/init.d/fail2ban reload | ||
| - | endscript | ||
| - | } | ||
| - | </code> | ||
| - | |||
| - | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
| - | |||
| - | <code bash> | ||
| - | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
| - | </code> | ||
| - | |||
| - | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
| - | |||
| - | ==== Final Words ==== | ||
| - | |||
| - | you can check blocked ip using following command | ||
| - | |||
| - | <code bash> | ||
| - | iptables -L | ||
| - | </code> | ||
| - | |||
| - | Hope fully this will help you | ||
fail2ban.txt ยท Last modified: 2020/08/10 02:35 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
