fail2ban
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
fail2ban [2009/10/11 07:04] k2patel |
fail2ban [2020/08/10 02:35] (current) |
||
|---|---|---|---|
| Line 77: | Line 77: | ||
| enabled = true | enabled = true | ||
| filter = sshd | filter = sshd | ||
| - | action = iptables[name=SSH, port=ssh, protocol=tcp] | + | action = iptables-new[name=SSH, port=ssh, protocol=tcp] |
| sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | sendmail-whois[name=SSH, dest=receiver@lithiumfox.com, sender=notify@lithiumfox.com] | ||
| logpath = /var/log/secure | logpath = /var/log/secure | ||
| maxretry = 5 | maxretry = 5 | ||
| + | |||
| + | |||
| + | [kernel-iptables] | ||
| + | |||
| + | enabled = true | ||
| + | filter = kernel | ||
| + | action = iptables-allports[name=kernel, protocol=all] | ||
| + | sendmail-whois[name=KERNEL, dest=k2patel@sify.com, sender=notify@test.com] | ||
| + | logpath = /var/log/messages | ||
| + | maxretry = 2 | ||
| + | |||
| Line 222: | Line 233: | ||
| ignoreip = 168.192.0.1 | ignoreip = 168.192.0.1 | ||
| </code> | </code> | ||
| + | |||
| + | NOTE : In above configuration i am using custom config file for "Treason uncloaked!"\\ | ||
| + | which require you to create new file as below. | ||
| + | |||
| + | <code bash | /etc/fail2ban/filter.d/kernel.conf> | ||
| + | # Fail2Ban configuration file | ||
| + | # | ||
| + | # Author: K2patel | ||
| + | # | ||
| + | # $Revision: 1 $ | ||
| + | # | ||
| + | |||
| + | [Definition] | ||
| + | |||
| + | # Option: failregex | ||
| + | # Notes.: regex to match the password failures messages in the logfile. The | ||
| + | # host must be matched by a group named "host". The tag "<HOST>" can | ||
| + | # be used for standard IP/hostname matching and is only an alias for | ||
| + | # (?:::f{4,6}:)?(?P<host>\S+) | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | failregex = Treason uncloaked! Peer <HOST>:.*$ | ||
| + | |||
| + | # Option: ignoreregex | ||
| + | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | ignoreregex = | ||
| + | </code> | ||
| + | |||
| Restart service now | Restart service now | ||
| Line 269: | Line 310: | ||
| which provides you result if your strings match.\\ | which provides you result if your strings match.\\ | ||
| + | ==== Rotate log ==== | ||
| + | |||
| + | As your standard installation from distribution will generate log on the system.\\ | ||
| + | So it is necessary to rotate it to avoid any file limit.\\ | ||
| + | |||
| + | <code bash | /etc/logrotate.d/fail2ban> | ||
| + | /var/log/fail2ban.log { | ||
| + | weekly | ||
| + | rotate 7 | ||
| + | missingok | ||
| + | compress | ||
| + | size 4M | ||
| + | postrotate | ||
| + | /etc/init.d/fail2ban reload | ||
| + | endscript | ||
| + | } | ||
| + | </code> | ||
| + | |||
| + | If you do not have init script you can use following code to reload fail2ban as postrotate command. | ||
| + | |||
| + | <code bash> | ||
| + | /usr/bin/fail2ban-client reload 1>/dev/null || true | ||
| + | </code> | ||
| + | |||
| + | NOTE : Path for fail2ban-client need to changed if you are using other than OpenSUSE | ||
| ==== Final Words ==== | ==== Final Words ==== | ||
fail2ban.1255244686.txt.gz ยท Last modified: 2020/08/10 02:30 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
