User Tools

Site Tools


fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
fail2ban [2009/06/18 08:34]
k2patel
fail2ban [2020/08/10 02:35] (current)
Line 77: Line 77:
 enabled ​ = true enabled ​ = true
 filter ​  = sshd filter ​  = sshd
-action ​  = iptables[name=SSH,​ port=ssh, protocol=tcp]+action ​  = iptables-new[name=SSH, port=ssh, protocol=tcp]
            ​sendmail-whois[name=SSH,​ dest=receiver@lithiumfox.com,​ sender=notify@lithiumfox.com]            ​sendmail-whois[name=SSH,​ dest=receiver@lithiumfox.com,​ sender=notify@lithiumfox.com]
 logpath ​ = /​var/​log/​secure logpath ​ = /​var/​log/​secure
 maxretry = 5 maxretry = 5
 +
 +
 +[kernel-iptables]
 +
 +enabled ​ = true
 +filter ​  = kernel
 +action ​  = iptables-allports[name=kernel,​ protocol=all]
 +           ​sendmail-whois[name=KERNEL,​ dest=k2patel@sify.com,​ sender=notify@test.com]
 +logpath ​ = /​var/​log/​messages
 +maxretry = 2
 +
  
  
Line 222: Line 233:
 ignoreip = 168.192.0.1 ignoreip = 168.192.0.1
 </​code>​ </​code>​
 +
 +NOTE : In above configuration i am using custom config file for "​Treason uncloaked!"​\\
 +which require you to create new file as below.
 +
 +<code bash | /​etc/​fail2ban/​filter.d/​kernel.conf>​
 +# Fail2Ban configuration file
 +#
 +# Author: K2patel
 +#
 +# $Revision: 1 $
 +#
 +
 +[Definition]
 +
 +# Option: ​ failregex
 +# Notes.: ​ regex to match the password failures messages in the logfile. The
 +#          host must be matched by a group named "​host"​. The tag "<​HOST>"​ can
 +#          be used for standard IP/hostname matching and is only an alias for
 +#          (?:::​f{4,​6}:​)?​(?​P<​host>​\S+)
 +# Values: ​ TEXT
 +#
 +failregex = Treason uncloaked! Peer <​HOST>:​.*$
 +
 +# Option: ​ ignoreregex
 +# Notes.: ​ regex to ignore. If this regex matches, the line is ignored.
 +# Values: ​ TEXT
 +#
 +ignoreregex = 
 +</​code>​
 +
  
 Restart service now Restart service now
Line 228: Line 269:
 /​etc/​init.d/​fail2ban restart /​etc/​init.d/​fail2ban restart
 </​code>​ </​code>​
 +
 +==== Issue && Fixes ====
 +== My server did not get started ==
 +First thing try to run your server from command line.\\
 +usually following command will do it.\\
 +<code bash>
 +/​usr/​bin/​fail2ban-client -c /​etc/​fail2ban start
 +</​code>​
 +this will print the errors on your screen.\\
 +resolve error or google it if dont know how to.
 +
 +== Sock file is not get removed during start ==
 +check if this file exists.
 +<code bash>
 +/​var/​run/​fail2ban/​fail2ban.sock
 +</​code>​
 +Your can fix that issue by adding -x in your startup script.\\
 +This issue appear if your fail2ban is get started using "​fail2ban-client"​.\\
 +e.g.
 +<code bash>
 +/​usr/​bin/​fail2ban-client -x -c /​etc/​fail2ban start
 +</​code>​
 +test test test.
 +
 +
 +==== How to test regex for logs ====
 +
 +As good software it come with good utility called "​fail2ban-regex"​\\
 +which help you to test your regex against your log as well your custom string.
 +
 +<code bash>
 +fail2ban-regex /​var/​log/​messages '​reverse mapping checking getaddrinfo [-/\w]+ .* \[<​HOST>​\] failed .*$'
 +</​code>​
 +OR
 +
 +<code bash>
 +fail2ban-regex /​var/​log/​messages '​Treason uncloaked! Peer <​HOST>:​.*$'​
 +</​code>​
 +
 +which provides you result if your strings match.\\
 +
 +==== Rotate log ====
 +
 +As your standard installation from distribution will generate log on the system.\\
 +So it is necessary to rotate it to avoid any file limit.\\
 +
 +<code bash | /​etc/​logrotate.d/​fail2ban>​
 +/​var/​log/​fail2ban.log {
 +    weekly
 +    rotate 7
 +    missingok
 +    compress
 +    size 4M
 +    postrotate
 +      /​etc/​init.d/​fail2ban reload
 +    endscript
 +}
 +</​code>​
 +
 +If you do not have init script you can use following code to reload fail2ban as postrotate command.
 +
 +<code bash>
 +/​usr/​bin/​fail2ban-client reload 1>/​dev/​null || true
 +</​code>​
 +
 +NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE
  
 ==== Final Words ==== ==== Final Words ====
fail2ban.1245314072.txt.gz ยท Last modified: 2020/08/10 02:30 (external edit)