fail2ban
Fail2Ban
A nice, lightweight protection for a Linux box.
You can do more than expected with this utility.
Here I am using the SSH and FTP settings to protect my bandwidth from script kiddies.
Installation
Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it.
The following is the installation procedure for CentOS.
yum install fail2ban
Enable fail2ban during system startup, and then start it:
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
Configuration
The configuration file is named jail.conf and is located in /etc/fail2ban.
The following options you might consider setting up before you proceed:
ignoreip - consider listing your own known IPs here; hosts in this list are never banned
bantime - the time specified here is in seconds
maxretry - ban any IP once it crosses this number of failures (counted within the findtime window)
filter - specify the filter file, e.g. from /etc/fail2ban/filter.d
action - specify the action file, e.g. from /etc/fail2ban/action.d
logpath - where fail2ban looks for the log
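To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is an added Python example (not part of this page and not fail2ban's own code) that replays a constructed /var/log/secure excerpt through a simplified version of the sshd failregex and reports which hosts a jail would ban and when each ban would expire. The sample log lines, the epoch timestamps attached to them, and the function names simulate_jail and host_is_ignored are assumptions of this example; the default option values mirror the [DEFAULT] section of the sample jail.conf on this page.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Constructed sample of /var/log/secure lines (not real log data). Each entry
# carries an epoch-second timestamp so the example runs offline without
# parsing syslog dates.
SAMPLE_SECURE_LOG = [
    (1000, "sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    (1010, "sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2"),
    (1020, "sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2"),
    (1030, "sshd[2104]: Failed password for root from 192.168.1.4 port 40000 ssh2"),
    (1040, "sshd[2105]: Failed password for root from 192.168.1.4 port 40001 ssh2"),
    (1050, "sshd[2106]: Failed password for root from 192.168.1.4 port 40002 ssh2"),
    (1060, "sshd[2107]: Accepted publickey for deploy from 198.51.100.9 port 22222 ssh2"),
    (1070, "sshd[2108]: Failed password for invalid user test from 198.51.100.9 port 22223 ssh2"),
    (2000, "sshd[2109]: Failed password for invalid user test from 198.51.100.9 port 22224 ssh2"),
    (2900, "sshd[2110]: Failed password for invalid user test from 198.51.100.9 port 22225 ssh2"),
]

# Simplified stand-in for one pattern of fail2ban's sshd filter; the real
# /etc/fail2ban/filter.d/sshd.conf carries several failregex lines.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<host>\S+) port \d+")


def host_is_ignored(host, ignoreip):
    """True if host matches any entry of the space-separated ignoreip list.

    Entries may be single addresses or CIDR masks (DNS names, which the real
    jail.conf also allows, are not resolved in this example).
    """
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip.split())


def simulate_jail(log, ignoreip="127.0.0.1 192.168.1.4",
                  findtime=600, maxretry=3, bantime=600):
    """Replay (timestamp, line) pairs and return [(ban_at, host, unban_at)].

    A host is banned once it has maxretry matching failures within the last
    findtime seconds; while banned, further lines from it are ignored because
    the firewall would be dropping its packets.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures still in window
    banned_until = {}             # host -> epoch second at which the ban expires
    bans = []
    for ts, line in log:
        match = FAILREGEX.search(line)
        if not match:
            continue              # not a failure line: no effect on counters
        host = match.group("host")
        if host_is_ignored(host, ignoreip):
            continue              # whitelisted by ignoreip, never counted
        if ts < banned_until.get(host, 0):
            continue              # ban still active
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ts, host, ts + bantime))
            banned_until[host] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    # [DEFAULT] values of the sample jail.conf: maxretry=3, findtime=600
    for ban_at, host, unban_at in simulate_jail(SAMPLE_SECURE_LOG):
        print(f"ban {host} at t={ban_at}, unban at t={unban_at}")
    # the [ssh-iptables] jail raises maxretry to 5, so the same log bans nobody
    print(simulate_jail(SAMPLE_SECURE_LOG, maxretry=5))
```

Two things the replay makes visible: 192.168.1.4 fails three times but is never banned because it is in ignoreip, and 198.51.100.9 spreads its three failures over more than findtime seconds, so with the default window it is never banned; only widening findtime (or the attacker speeding up) trips maxretry. Tune findtime and maxretry together, not one in isolation.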
Sample Config file
/etc/fail2ban/jail.conf:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.1.4

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
maxretry = 6

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/*error_log
maxretry = 6

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
           sendmail[name=Postfix, dest=receiver@lithiumfox.com]
logpath  = /var/log/maillog
bantime  = 300

[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5

[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/maillog
maxretry = 5

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/secure

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1

[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Apache, dest=you@mail.com]
logpath  = /var/log/httpd/error_log

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1

[named-refused-udp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=receiver@lithiumfox.com]
logpath  = /var/log/secure
ignoreip = 168.192.0.1
Now restart the service:
/etc/init.d/fail2ban restart
Final Words
You can check the blocked IPs with the following command:
iptables -L
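The iptables action creates one chain per jail, named fail2ban-<name> after the name= parameter (fail2ban-SSH for the [ssh-iptables] jail above), holding one DROP rule per banned host and a final RETURN, and hooks it into INPUT with a jump for the jail's port. As an added example, not from this page and not fail2ban's own code, here is a Python reader for the output of iptables -L -n that lists the banned hosts per chain and checks that each chain is actually reachable from INPUT. The listing it is fed is constructed for the example, and the function names banned_hosts and input_jumps are assumptions.

```python
import re

# Constructed output of `iptables -L -n` on a host running the ssh-iptables
# and proftpd-iptables jails (sample data for this example, not a real capture).
SAMPLE_IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
fail2ban-ProFTPD  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ProFTPD (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
DROP       all  --  198.51.100.9         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")


def banned_hosts(listing):
    """Map each fail2ban-* chain to the source addresses it currently DROPs."""
    result = {}
    chain = None
    for line in listing.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            chain = header.group(1)
            if chain.startswith("fail2ban-"):
                result[chain] = []      # chain is listed even when nothing is banned
            continue
        fields = line.split()
        # rule rows look like: target prot opt source destination [extras]
        if chain in result and len(fields) >= 5 and fields[0] == "DROP":
            result[chain].append(fields[3])
    return result


def input_jumps(listing):
    """Set of fail2ban-* chains that INPUT jumps to.

    A fail2ban chain that is not referenced from INPUT blocks nothing, however
    many DROP rules it holds, so this is the first thing to check when a host
    shows as banned but keeps getting through.
    """
    jumps = set()
    chain = None
    for line in listing.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            chain = header.group(1)
            continue
        fields = line.split()
        if chain == "INPUT" and fields and fields[0].startswith("fail2ban-"):
            jumps.add(fields[0])
    return jumps


if __name__ == "__main__":
    hooked = input_jumps(SAMPLE_IPTABLES_OUTPUT)
    for chain, hosts in banned_hosts(SAMPLE_IPTABLES_OUTPUT).items():
        state = "hooked into INPUT" if chain in hooked else "NOT referenced from INPUT"
        print(f"{chain} ({state}): {hosts or 'no bans'}")
```

Prefer iptables -L -n over a bare iptables -L: -n skips the reverse DNS lookup of every address, so the listing is instant and shows the addresses exactly as fail2ban wrote them, and iptables -L fail2ban-SSH -n narrows the output to a single jail's chain.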
Hopefully this will help you.
fail2ban.1245314072.txt.gz · Last modified: 2020/08/10 02:30 (external edit)