fail2ban

Compared revisions: fail2ban [2009/06/18 07:08], k2patel created, and fail2ban [2020/08/10 02:35] (current).

You can do more than expected with this utility.\\
Here I am using SSH and FTP settings to protect my bandwidth from script kiddies.

==== Installation ====
Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.\\
Following is the installation procedure for CentOS.

<code bash>
yum install fail2ban
</code>

Enable fail2ban during system startup, and start it.

<code bash>
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
</code>
==== Configuration ====
The configuration file is named jail.conf and is located in "/etc/fail2ban". \\
The following options you might consider setting up before you proceed.

<code text>
ignoreip - you might consider listing your known IPs in this section
bantime  - the time specified here is in seconds
maxretry - ban after an IP crosses this limit
filter   - specify the filter file, e.g. from /etc/fail2ban/filter.d
action   - specify the action file, e.g. from /etc/fail2ban/action.d
logpath  - where fail2ban looks for the log
</code>

Sample config file

<code bash | /etc/fail2ban/jail.conf>
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT section allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.1.4

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-new[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 5


[kernel-iptables]

enabled  = true
filter   = kernel
action   = iptables-allports[name=kernel, protocol=all]
           sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com]
logpath  = /var/log/messages
maxretry = 2



[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 6


[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog


[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/*error_log
maxretry = 6


[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
           sendmail[name=Postfix, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog
bantime  = 300


[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5


[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/secure


[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800


[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800


[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1


[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Apache, dest=you@mail.com]
logpath  = /var/log/httpd/error_log


[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1


[named-refused-udp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1


[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1
</code>

NOTE: In the above configuration I am using a custom filter for the kernel "Treason uncloaked!" messages,\\
which requires you to create a new file as below.

<code bash | /etc/fail2ban/filter.d/kernel.conf>
# Fail2Ban configuration file
#
# Author: K2patel
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = Treason uncloaked! Peer <HOST>:.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</code>


Restart the service now

<code bash>
/etc/init.d/fail2ban restart
</code>

==== Issues && Fixes ====
== My server did not start ==
First, try to run your server from the command line.\\
Usually the following command will do it.\\
<code bash>
/usr/bin/fail2ban-client -c /etc/fail2ban start
</code>
This will print the errors on your screen.\\
Resolve the error, or search for it online if you don't know how.

== Socket file is not removed during start ==
Check if this file exists.
<code bash>
/var/run/fail2ban/fail2ban.sock
</code>
You can fix that issue by adding -x to your startup script.\\
This issue appears if your fail2ban is started using "fail2ban-client".\\
e.g.
<code bash>
/usr/bin/fail2ban-client -x -c /etc/fail2ban start
</code>


==== How to test regex for logs ====

Like any good software, it comes with a handy utility called "fail2ban-regex",\\
which helps you test your regex against your log as well as against a custom string.

<code bash>
fail2ban-regex /var/log/messages 'reverse mapping checking getaddrinfo [-/\w]+ .* \[<HOST>\] failed .*$'
</code>
OR

<code bash>
fail2ban-regex /var/log/messages 'Treason uncloaked! Peer <HOST>:.*$'
</code>

which tells you whether your strings match.\\
==== Rotate log ====

A standard installation from your distribution will write a log file on the system,\\
so it is necessary to rotate it to avoid hitting any file size limit.\\

<code bash | /etc/logrotate.d/fail2ban>
/var/log/fail2ban.log {
    weekly
    rotate 7
    missingok
    compress
    size 4M
    postrotate
      /etc/init.d/fail2ban reload
    endscript
}
</code>

If you do not have an init script, you can use the following command to reload fail2ban as the postrotate command.

<code bash>
/usr/bin/fail2ban-client reload 1>/dev/null || true
</code>

NOTE: The path to fail2ban-client needs to be changed if you are using a distribution other than openSUSE.

==== Final Words ====

You can check the blocked IPs using the following command

<code bash>
iptables -L
</code>

Hopefully this will help you.
fail2ban.1245308883.txt.gz · Last modified: 2020/08/10 02:28 (external edit)