fail2ban [2009/10/11 07:04] k2patel |
fail2ban [2020/08/10 02:35] (current) |
Line 77: | Line 77: | ||
enabled = true | enabled = true | ||
filter = sshd | filter = sshd | ||
- | action = iptables[name=SSH, port=ssh, protocol=tcp] | + | action = iptables-new[name=SSH, port=ssh, protocol=tcp] |
sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
logpath = /var/log/secure | logpath = /var/log/secure | ||
maxretry = 5 | maxretry = 5 | ||
+ | |||
+ | |||
+ | [kernel-iptables] | ||
+ | |||
+ | enabled = true | ||
+ | filter = kernel | ||
+ | action = iptables-allports[name=kernel, protocol=all] | ||
+ | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
+ | logpath = /var/log/messages | ||
+ | maxretry = 2 | ||
+ | |||
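Review bot: the new [kernel-iptables] jail pairs `maxretry = 2` with `iptables-allports[name=kernel, protocol=all]`, so two matching kernel log lines block a host on every port and protocol. The "Treason uncloaked!" message is logged by the TCP stack when a peer shrinks its advertised window, which buggy clients and middleboxes also trigger, so this combination can lock out legitimate hosts; consider a higher maxretry or a port-scoped action, and make sure the `ignoreip` line below covers the hosts you administer from. The jail also depends on `filter = kernel`, so `/etc/fail2ban/filter.d/kernel.conf` must exist before the service is restarted, and the `sender=notify@test.com` address looks like a placeholder; use a real sender on your own domain as the SSH jail does.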
Line 222: | Line 233: | ||
ignoreip = 168.192.0.1 | ignoreip = 168.192.0.1 | ||
</code> | </code> | ||
+ | |||
+ | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
+ | which require you to create new file as below. | ||
+ | |||
+ | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
+ | # Fail2Ban configuration file | ||
+ | # | ||
+ | # Author: K2patel | ||
+ | # | ||
+ | # $Revision: 1 $ | ||
+ | # | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | # Option: failregex | ||
+ | # Notes.: regex to match the password failures messages in the logfile. The | ||
+ | # host must be matched by a group named "host". The tag "<HOST>" can | ||
+ | # be used for standard IP/hostname matching and is only an alias for | ||
+ | # (?:::f{4,6}:)?(?P<host>\S+) | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
+ | |||
+ | # Option: ignoreregex | ||
+ | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
+ | # Values: TEXT | ||
+ | # | ||
+ | ignoreregex = | ||
+ | </code> | ||
+ | |||
Restart service now | Restart service now | ||
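Review bot: the comment block in the new kernel.conf is copied from the sshd filter ("regex to match the password failures messages") and does not describe this filter; replace it with a note that failregex matches the kernel "Treason uncloaked! Peer <HOST>:" line in /var/log/messages. Before restarting the service, verify the expression against real log lines with `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/kernel.conf`, since the match depends on the exact "Peer <HOST>:" wording and the empty `ignoreregex` means every match counts towards the ban.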
Line 269: | Line 310: | ||
which provides you result if your strings match.\\ | which provides you result if your strings match.\\ | ||
+ | ==== Rotate log ==== | ||
+ | |||
+ | As your standard installation from distribution will generate log on the system.\\ | ||
+ | So it is necessary to rotate it to avoid any file limit.\\ | ||
+ | |||
+ | <code bash | /etc/logrotate.d/fail2ban> | ||
+ | /var/log/fail2ban.log { | ||
+ | weekly | ||
+ | rotate 7 | ||
+ | missingok | ||
+ | compress | ||
+ | size 4M | ||
+ | postrotate | ||
+ | /etc/init.d/fail2ban reload | ||
+ | endscript | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
+ | |||
+ | <code bash> | ||
+ | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
+ | </code> | ||
+ | |||
+ | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
==== Final Words ==== | ==== Final Words ==== |
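Review bot: in the logrotate fragment `size 4M` takes precedence over `weekly`, so /var/log/fail2ban.log is rotated only once it exceeds 4M regardless of the week; if the intent is "weekly, or sooner when the file grows past 4M", use `maxsize 4M` instead. `compress` without `delaycompress` also gzips the rotated file immediately, and if the reload does not make fail2ban reopen its log target the daemon keeps writing to the rotated file, so add `delaycompress` or `copytruncate`, or reset the log target in postrotate with `fail2ban-client set logtarget /var/log/fail2ban.log`. The `|| true` on the fail2ban-client line keeps logrotate from failing, but it also hides a stopped daemon, and the path caveat in the NOTE applies to `/etc/init.d/fail2ban` as well.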