This shows you the differences between two versions of the page.
fail2ban [2012/06/07 10:59] k2patel [Rotate log] |
fail2ban [2020/08/10 02:35] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Fail2Ban ====== | ||
- | Nice - Lightweight - Protection to linux box | ||
- | |||
- | You can do more than expected with this utility.\\ | ||
- | Here i am using SSH and FTP setting to protect my bandwidth from script kidies. | ||
- | ==== Installation ==== | ||
- | Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.\\ | ||
- | Following is the installation procedure for the centOS. | ||
- | |||
- | <code bash> | ||
- | yum install fail2ban | ||
- | </code> | ||
- | |||
- | Enable fail2ban during system startup. and start it | ||
- | |||
- | <code bash> | ||
- | chkconfig --levels 235 fail2ban on | ||
- | /etc/init.d/fail2ban start | ||
- | </code> | ||
- | ==== Configuration ==== | ||
- | Configuration file is named as jail.conf located at "/etc/fail2ban" \\ | ||
- | Following Options you might consider to setup before proceed. | ||
- | |||
- | <code text> | ||
- | ignoreip - you might be consider setting your known ip in this section | ||
- | bantime - time specified here is in seconds | ||
- | maxretry - ban after any ip cross this limit. | ||
- | filter - specify filter file e.g. /etc/fail2ban/filter.d | ||
- | action - specify action file e.g. /etc/fail2ban/action.d | ||
- | logpath - where fail2ban look for log | ||
- | </code> | ||
- | |||
- | Sample Config file | ||
- | |||
- | <code bash | /etc/fail2ban/jail.conf > | ||
- | # Fail2Ban configuration file | ||
- | # | ||
- | # Author: Cyril Jaquier | ||
- | # | ||
- | # $Revision: 617 $ | ||
- | # | ||
- | |||
- | # The DEFAULT allows a global definition of the options. They can be override | ||
- | # in each jail afterwards. | ||
- | |||
- | [DEFAULT] | ||
- | |||
- | # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not | ||
- | # ban a host which matches an address in this list. Several addresses can be | ||
- | # defined using space separator. | ||
- | ignoreip = 127.0.0.1 192.168.1.4 | ||
- | |||
- | # "bantime" is the number of seconds that a host is banned. | ||
- | bantime = 600 | ||
- | |||
- | # A host is banned if it has generated "maxretry" during the last "findtime" | ||
- | # seconds. | ||
- | findtime = 600 | ||
- | |||
- | # "maxretry" is the number of failures before a host get banned. | ||
- | maxretry = 3 | ||
- | |||
- | # "backend" specifies the backend used to get files modification. Available | ||
- | # options are "gamin", "polling" and "auto". This option can be overridden in | ||
- | # each jail too (use "gamin" for a jail and "polling" for another). | ||
- | # | ||
- | # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin | ||
- | # is not installed, Fail2ban will use polling. | ||
- | # polling: uses a polling algorithm which does not require external libraries. | ||
- | # auto: will choose Gamin if available and polling otherwise. | ||
- | backend = auto | ||
- | |||
- | |||
- | [ssh-iptables] | ||
- | |||
- | enabled = true | ||
- | filter = sshd | ||
- | action = iptables-new[name=SSH, port=ssh, protocol=tcp] | ||
- | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
- | logpath = /var/log/secure | ||
- | maxretry = 5 | ||
- | |||
- | |||
- | [kernel-iptables] | ||
- | |||
- | enabled = true | ||
- | filter = kernel | ||
- | action = iptables-allports[name=kernel, protocol=all] | ||
- | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
- | logpath = /var/log/messages | ||
- | maxretry = 2 | ||
- | |||
- | |||
- | |||
- | [proftpd-iptables] | ||
- | |||
- | enabled = true | ||
- | filter = proftpd | ||
- | action = iptables[name=ProFTPD, port=ftp, protocol=tcp] | ||
- | sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/secure | ||
- | maxretry = 6 | ||
- | |||
- | |||
- | [sasl-iptables] | ||
- | |||
- | enabled = true | ||
- | filter = sasl | ||
- | backend = polling | ||
- | action = iptables[name=sasl, port=smtp, protocol=tcp] | ||
- | sendmail-whois[name=sasl, dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/maillog | ||
- | |||
- | |||
- | [apache-tcpwrapper] | ||
- | |||
- | enabled = true | ||
- | filter = apache-auth | ||
- | action = hostsdeny | ||
- | logpath = /var/log/httpd/*error_log | ||
- | maxretry = 6 | ||
- | |||
- | |||
- | [postfix-tcpwrapper] | ||
- | |||
- | enabled = true | ||
- | filter = postfix | ||
- | action = hostsdeny | ||
- | sendmail[name=Postfix, dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/maillog | ||
- | bantime = 300 | ||
- | |||
- | |||
- | [courierpop3] | ||
- | |||
- | enabled = true | ||
- | port = pop3 | ||
- | filter = courierlogin | ||
- | action = iptables[name=%(__name__)s, port=%(port)s] | ||
- | logpath = /var/log/maillog | ||
- | maxretry = 5 | ||
- | |||
- | |||
- | [courierimap] | ||
- | |||
- | enabled = true | ||
- | port = imap2 | ||
- | filter = courierlogin | ||
- | action = iptables[name=%(__name__)s, port=%(port)s] | ||
- | logpath = /var/log/maillog | ||
- | maxretry = 5 | ||
- | |||
- | |||
- | [ssh-tcpwrapper] | ||
- | |||
- | enabled = false | ||
- | filter = sshd | ||
- | action = hostsdeny | ||
- | sendmail-whois[name=SSH, dest=you@mail.com] | ||
- | ignoreregex = for myuser from | ||
- | logpath = /var/log/secure | ||
- | |||
- | |||
- | [vsftpd-notification] | ||
- | |||
- | enabled = false | ||
- | filter = vsftpd | ||
- | action = sendmail-whois[name=VSFTPD, dest=you@mail.com] | ||
- | logpath = /var/log/secure | ||
- | maxretry = 5 | ||
- | bantime = 1800 | ||
- | |||
- | |||
- | [vsftpd-iptables] | ||
- | |||
- | enabled = false | ||
- | filter = vsftpd | ||
- | action = iptables[name=VSFTPD, port=ftp, protocol=tcp] | ||
- | sendmail-whois[name=VSFTPD, dest=you@mail.com] | ||
- | logpath = /var/log/secure | ||
- | maxretry = 5 | ||
- | bantime = 1800 | ||
- | |||
- | |||
- | [apache-badbots] | ||
- | |||
- | enabled = false | ||
- | filter = apache-badbots | ||
- | action = iptables-multiport[name=BadBots, port="http,https"] | ||
- | sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com] | ||
- | logpath = /var/log/httpd/*access_log | ||
- | bantime = 172800 | ||
- | maxretry = 1 | ||
- | |||
- | |||
- | [apache-shorewall] | ||
- | |||
- | enabled = false | ||
- | filter = apache-noscript | ||
- | action = shorewall | ||
- | sendmail[name=Apache, dest=you@mail.com] | ||
- | logpath = /var/log/httpd/error_log | ||
- | |||
- | |||
- | [ssh-ipfw] | ||
- | |||
- | enabled = false | ||
- | filter = sshd | ||
- | action = ipfw[localhost=192.168.0.1] | ||
- | sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/secure | ||
- | ignoreip = 168.192.0.1 | ||
- | |||
- | |||
- | [named-refused-udp] | ||
- | |||
- | enabled = false | ||
- | filter = named-refused | ||
- | action = iptables-multiport[name=Named, port="domain,953", protocol=udp] | ||
- | sendmail-whois[name=Named, dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/secure | ||
- | ignoreip = 168.192.0.1 | ||
- | |||
- | |||
- | [named-refused-tcp] | ||
- | |||
- | enabled = false | ||
- | filter = named-refused | ||
- | action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] | ||
- | sendmail-whois[name=Named, dest=receiver@lithiumfox.com] | ||
- | logpath = /var/log/secure | ||
- | ignoreip = 168.192.0.1 | ||
- | </code> | ||
- | |||
- | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
- | which require you to create new file as below. | ||
- | |||
- | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
- | # Fail2Ban configuration file | ||
- | # | ||
- | # Author: K2patel | ||
- | # | ||
- | # $Revision: 1 $ | ||
- | # | ||
- | |||
- | [Definition] | ||
- | |||
- | # Option: failregex | ||
- | # Notes.: regex to match the password failures messages in the logfile. The | ||
- | # host must be matched by a group named "host". The tag "<HOST>" can | ||
- | # be used for standard IP/hostname matching and is only an alias for | ||
- | # (?:::f{4,6}:)?(?P<host>\S+) | ||
- | # Values: TEXT | ||
- | # | ||
- | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
- | |||
- | # Option: ignoreregex | ||
- | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
- | # Values: TEXT | ||
- | # | ||
- | ignoreregex = | ||
- | </code> | ||
- | |||
- | |||
- | Restart service now | ||
- | |||
- | <code bash> | ||
- | /etc/init.d/fail2ban restart | ||
- | </code> | ||
- | |||
- | ==== Issue && Fixes ==== | ||
- | == My server did not get started == | ||
- | First thing try to run your server from command line.\\ | ||
- | usually following command will do it.\\ | ||
- | <code bash> | ||
- | /usr/bin/fail2ban-client -c /etc/fail2ban start | ||
- | </code> | ||
- | this will print the errors on your screen.\\ | ||
- | resolve error or google it if dont know how to. | ||
- | |||
- | == Sock file is not get removed during start == | ||
- | check if this file exists. | ||
- | <code bash> | ||
- | /var/run/fail2ban/fail2ban.sock | ||
- | </code> | ||
- | Your can fix that issue by adding -x in your startup script.\\ | ||
- | This issue appear if your fail2ban is get started using "fail2ban-client".\\ | ||
- | e.g. | ||
- | <code bash> | ||
- | /usr/bin/fail2ban-client -x -c /etc/fail2ban start | ||
- | </code> | ||
- | test test test. | ||
- | |||
- | |||
- | ==== How to test regex for logs ==== | ||
- | |||
- | As good software it come with good utility called "fail2ban-regex"\\ | ||
- | which help you to test your regex against your log as well your custom string. | ||
- | |||
- | <code bash> | ||
- | fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$' | ||
- | </code> | ||
- | OR | ||
- | |||
- | <code bash> | ||
- | fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$' | ||
- | </code> | ||
- | |||
- | which provides you result if your strings match.\\ | ||
- | |||
- | ==== Rotate log ==== | ||
- | |||
- | As your standard installation from distribution will generate log on the system.\\ | ||
- | So it is necessary to rotate it to avoid any file limit.\\ | ||
- | |||
- | <code bash | /etc/logrotate.d/fail2ban> | ||
- | /var/log/fail2ban.log { | ||
- | weekly | ||
- | rotate 7 | ||
- | missingok | ||
- | compress | ||
- | size 4M | ||
- | postrotate | ||
- | /etc/init.d/fail2ban reload | ||
- | endscript | ||
- | } | ||
- | </code> | ||
- | |||
- | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
- | |||
- | <code bash> | ||
- | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
- | </code> | ||
- | |||
- | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
- | |||
- | ==== Final Words ==== | ||
- | |||
- | you can check blocked ip using following command | ||
- | |||
- | <code bash> | ||
- | iptables -L | ||
- | </code> | ||
- | |||
- | Hope fully this will help you |