Fli
11-17-2013, 11:32 PM
About Fail2Ban
Fail2Ban is useful tool which works with Linux log files and IPTables firewall to temporarily block IPs that doing suspicious actions like too many login attempts, too frequent connections, suspicious HTTP requests etc.
By default Fail2Ban after installation don't blocks anything and is stopped. But we can configure it further.
Official website (downloads, manuals, etc): http://www.fail2ban.org
The super summarized install:
1)
A) yum install fail2ban;
B) sudo apt-get install fail2ban;sudo systemctl enable fail2ban
2) echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
3)
A) service fail2ban restart;tail /var/log/fail2ban.log
B) /etc/init.d/fail2ban restart;tail /var/log/fail2ban.log
4) your fail2ban is running and protecting SSH from brute-force login attempts + it is starting at boot. Congrats.
The summarized installation:
1) install by command:
A) yum install fail2ban
B) sudo apt-get install fail2ban
2) Create file with SSH protection, maximum 5 login tries then ban for 24 hours:
echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
3) Now restart fail2ban to reflect changes made:
A) service fail2ban restart
B) /etc/init.d/fail2ban restart
4) finished, you have fail2ban running and also launching on server boot. Great
Fail2Ban installation detailed
Redhat/centos : yum install fail2ban - In my case "rpmforge" repository is required. But "yum install epel-release -y" should be better. In this tutorial (http://internetlifeforum.com/desktop-x-windows/1082-how-setup-fluxbox-vnc-server-remote-desktop-linux-centos-5-x/) can be found on how to install it.
Debian/Ubuntu sudo apt-get install fail2ban
After installation, fail2ban service is probably stopped. To start it, you can do: service fail2ban start OR /etc/init.d/fail2ban start
F2B is probably set to start at server boot, if not, you can set it so: update-rc.d fail2ban defaults
Configuration
Basic configuration file: /etc/fail2ban/jail.conf
Its recommended to create a new file with .local extension which will instantly have priority above old jail.conf (rules in common = .local file has priority. Non existing rules in .local =.conf is used).
So lets copy default jail.conf to jail.local: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And open our fail2ban config file: vi /etc/fail2ban/jail.local , it contain so called Jails (short rules?): there you can see 2 jails:
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected]]
logpath = /var/log/sshd.log
maxretry = 5
[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
These Jails has few variables: enabled/disabled, filter, action, sendmail-whois, logpath, maxretry .
"Filter" is the file in ./filter.d/ which contains precreated footprints. Based on these footprints, the server logs are checked and if some IP produces too much of unwanted messages/footprints during "findtime = 600" seconds, it is banned for "bantime = 600" seconds.
In jail.local there are 4 main variables:
findtime = 600
bantime = 600
maxretry = 3
..jails...
To enable some jail, just change "Enabled" variable value from "false" to "true". Dont forget to check that Jail"s value of "logpath" is really existing on your server, else fail2ban wont see any messages comming (non existing file).
Fail2Ban filter files from /filter.d/* can be tested against log files like this:
fail2ban-regex /var/log/logfilename /etc/fail2ban/filter.d/filterfileyouwanttouseintotest.conf
Discover your computer IP (www.myip.ms (http://www.myip.ms)) and paste it into "ignoreip" variable in jail.local:
ignoreip = 127.0.0.1/8 youriphere
To start editing in Vi editor, hit "a" key. To stop editing "Ctrl+C", to save changes ":wq", to discard changes "q!".
After changes saved, you can restart Fail2ban: service fail2ban restart OR /etc/init.d/fail2ban restart
===============
Fail2Ban Filters
These are the Fail2Ban ready made filters in /etc/fail2ban/filter.d:
apache-auth.confapache-badbots.conf
apache-nohome.conf
apache-noscript.conf
apache-overflows.conf
asterisk.conf
common.conf
courierlogin.conf
couriersmtp.conf
cyrus-imap.conf
dovecot.conf
dropbear.conf
exim.conf
gssftpd.conf
lighttpd-auth.conf
lighttpd-fastcgi.conf
named-refused.conf
pam-generic.conf
php-url-fopen.conf
postfix.conf
proftpd.conf
pure-ftpd.conf
qmail.conf
recidive.conf
sasl.conf
sieve.conf
sshd-ddos.conf
sshd.conf
vsftpd.conf
webmin-auth.conf
wuftpd.conf
xinetd-fail.conf
These are the mentioned footprints of Example sshd.conf file:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
============
Fail2Ban log file:
tail /var/log/fail2ban.log or
grep fail2 /var/log/{messages,syslog}
This is interesting fail2ban.local file!
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5
[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5
[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5
[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5
[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
above file is NOT good for centos it has another log file names (/apache*/ -> /httpd/ ; auth.log -> secure ; ...)
Fail2Ban is useful tool which works with Linux log files and IPTables firewall to temporarily block IPs that doing suspicious actions like too many login attempts, too frequent connections, suspicious HTTP requests etc.
By default Fail2Ban after installation don't blocks anything and is stopped. But we can configure it further.
Official website (downloads, manuals, etc): http://www.fail2ban.org
The super summarized install:
1)
A) yum install fail2ban;
B) sudo apt-get install fail2ban;sudo systemctl enable fail2ban
2) echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
3)
A) service fail2ban restart;tail /var/log/fail2ban.log
B) /etc/init.d/fail2ban restart;tail /var/log/fail2ban.log
4) your fail2ban is running and protecting SSH from brute-force login attempts + it is starting at boot. Congrats.
The summarized installation:
1) install by command:
A) yum install fail2ban
B) sudo apt-get install fail2ban
2) Create file with SSH protection, maximum 5 login tries then ban for 24 hours:
echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
3) Now restart fail2ban to reflect changes made:
A) service fail2ban restart
B) /etc/init.d/fail2ban restart
4) finished, you have fail2ban running and also launching on server boot. Great
Fail2Ban installation detailed
Redhat/centos : yum install fail2ban - In my case "rpmforge" repository is required. But "yum install epel-release -y" should be better. In this tutorial (http://internetlifeforum.com/desktop-x-windows/1082-how-setup-fluxbox-vnc-server-remote-desktop-linux-centos-5-x/) can be found on how to install it.
Debian/Ubuntu sudo apt-get install fail2ban
After installation, fail2ban service is probably stopped. To start it, you can do: service fail2ban start OR /etc/init.d/fail2ban start
F2B is probably set to start at server boot, if not, you can set it so: update-rc.d fail2ban defaults
Configuration
Basic configuration file: /etc/fail2ban/jail.conf
Its recommended to create a new file with .local extension which will instantly have priority above old jail.conf (rules in common = .local file has priority. Non existing rules in .local =.conf is used).
So lets copy default jail.conf to jail.local: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And open our fail2ban config file: vi /etc/fail2ban/jail.local , it contain so called Jails (short rules?): there you can see 2 jails:
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected]]
logpath = /var/log/sshd.log
maxretry = 5
[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
These Jails has few variables: enabled/disabled, filter, action, sendmail-whois, logpath, maxretry .
"Filter" is the file in ./filter.d/ which contains precreated footprints. Based on these footprints, the server logs are checked and if some IP produces too much of unwanted messages/footprints during "findtime = 600" seconds, it is banned for "bantime = 600" seconds.
In jail.local there are 4 main variables:
findtime = 600
bantime = 600
maxretry = 3
..jails...
To enable some jail, just change "Enabled" variable value from "false" to "true". Dont forget to check that Jail"s value of "logpath" is really existing on your server, else fail2ban wont see any messages comming (non existing file).
Fail2Ban filter files from /filter.d/* can be tested against log files like this:
fail2ban-regex /var/log/logfilename /etc/fail2ban/filter.d/filterfileyouwanttouseintotest.conf
Discover your computer IP (www.myip.ms (http://www.myip.ms)) and paste it into "ignoreip" variable in jail.local:
ignoreip = 127.0.0.1/8 youriphere
To start editing in Vi editor, hit "a" key. To stop editing "Ctrl+C", to save changes ":wq", to discard changes "q!".
After changes saved, you can restart Fail2ban: service fail2ban restart OR /etc/init.d/fail2ban restart
===============
Fail2Ban Filters
These are the Fail2Ban ready made filters in /etc/fail2ban/filter.d:
apache-auth.confapache-badbots.conf
apache-nohome.conf
apache-noscript.conf
apache-overflows.conf
asterisk.conf
common.conf
courierlogin.conf
couriersmtp.conf
cyrus-imap.conf
dovecot.conf
dropbear.conf
exim.conf
gssftpd.conf
lighttpd-auth.conf
lighttpd-fastcgi.conf
named-refused.conf
pam-generic.conf
php-url-fopen.conf
postfix.conf
proftpd.conf
pure-ftpd.conf
qmail.conf
recidive.conf
sasl.conf
sieve.conf
sshd-ddos.conf
sshd.conf
vsftpd.conf
webmin-auth.conf
wuftpd.conf
xinetd-fail.conf
These are the mentioned footprints of Example sshd.conf file:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
============
Fail2Ban log file:
tail /var/log/fail2ban.log or
grep fail2 /var/log/{messages,syslog}
This is interesting fail2ban.local file!
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5
[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5
[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5
[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5
[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
above file is NOT good for centos it has another log file names (/apache*/ -> /httpd/ ; auth.log -> secure ; ...)