Advertisement: Linux VPS for $4/month - based on OpenVZ, credit card accepted, automatic setup.
+ Post New Thread
Results 1 to 2 of 2

Thread: Installing Fail2Ban on Linux to prevent various bad bots, attacks and bruteforce

  1. #1
    Fli
    Fli is offline
    Administrator Fli's Avatar
    Join Date
    Mar 2013
    Posts
    2,550

    Installing Fail2Ban on Linux to prevent various bad bots, attacks and bruteforce



    About Fail2Ban

    Fail2Ban is usefull tool which works with linux log files and IPTables firewall to temporarilly block IPs that doing suspicious actions like too many login attempts, too frequent connections, suspicious HTTP requests etc.

    By default Fail2Ban after installation dont blocks anything and is stopped. But we can configure it further.

    Official website (downloads, manuals, etc): http://www.fail2ban.org

    STEP 1: during installation one may receive error that package fail2ban is not in repository. In that case one need to install repository where is fail2ban (google: fail2ban repository yourlinuxdistributionLikeFedoraorUbuntu)

    in case of CentOS, i do command "uname -a" and see 5...x64, so i install EPEL repository for 64bit CentOS5:
    if u dont have centos 5 64bit, take look here: http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/

    The super sumarized install:
    1)
    A) yum install fail2ban;
    B) sudo apt-get install fail2ban;sudo systemctl enable fail2ban
    2) echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
    3)
    A) service fail2ban restart
    B) /etc/init.d/fail2ban restart
    4) your fail2ban is running and protecting SSH from brute-force login attempts + it is starting at boot. Congrats.
    The sumarized installation:
    1) install by command:
    A) yum install fail2ban
    B) sudo apt-get install fail2ban
    2) Create file with SSH protection, maximum 5 login tries then ban for 24 hours:
    echo -e "# cat /etc/fail2ban/jail.d/sshd.local\n[DEFAULT]\nbantime = 86400\nmaxretry = 5\n\n[sshd]\n\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nmaxretry = 5" > /etc/fail2ban/jail.d/sshd.local
    3) Now restart fail2ban to reflect changes made:
    A) service fail2ban restart
    B) /etc/init.d/fail2ban restart
    4) finished, you have fail2ban running and also launching on server boot. Great
    Fail2Ban installation detailed

    Redhat/centos : yum install fail2ban - In my case "rpmforge" repository is required. But "yum install epel-release -y" should be better. In this tutorial can be found on how to install it.

    Debian/Ubuntu sudo apt-get install fail2ban

    After installation, fail2ban service is probably stopped. To start it, you can do: service fail2ban start OR /etc/init.d/fail2ban start
    F2B is probably set to start at server boot, if not, you can set it so: update-rc.d fail2ban defaults

    Configuration

    Basic configuration file: /etc/fail2ban/jail.conf

    Its recommended to create a new file with .local extension which will instantly have priority above old jail.conf (rules in common = .local file has priority. Non existing rules in .local =.conf is used).

    So lets copy default jail.conf to jail.local: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    And open our fail2ban config file: vi /etc/fail2ban/jail.local , it contain so called Jails (short rules?): there you can see 2 jails:

    [ssh-iptables]

    enabled = false
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
    sendmail-whois[name=SSH, [email protected], [email protected]]
    logpath = /var/log/sshd.log
    maxretry = 5

    [proftpd-iptables]

    enabled = false
    filter = proftpd
    action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
    sendmail-whois[name=ProFTPD, [email protected]]
    logpath = /var/log/proftpd/proftpd.log
    maxretry = 6
    These Jails has few variables: enabled/disabled, filter, action, sendmail-whois, logpath, maxretry .
    "Filter" is the file in ./filter.d/ which contains precreated footprints. Based on these footprints, the server logs are checked and if some IP produces too much of unwanted messages/footprints during "findtime = 600" seconds, it is banned for "bantime = 600" seconds.

    In jail.local there are 4 main variables:
    findtime = 600
    bantime = 600
    maxretry = 3
    ..jails...

    To enable some jail, just change "Enabled" variable value from "false" to "true". Dont forget to check that Jail"s value of "logpath" is really existing on your server, else fail2ban wont see any messages comming (non existing file).

    Fail2Ban filter files from /filter.d/* can be tested against log files like this:
    Code:
    fail2ban-regex /var/log/logfilename /etc/fail2ban/filter.d/filterfileyouwanttouseintotest.conf
    Discover your computer IP (www.myip.ms) and paste it into "ignoreip" variable in jail.local:
    ignoreip = 127.0.0.1/8 youriphere
    To start editing in Vi editor, hit "a" key. To stop editing "Ctrl+C", to save changes ":wq", to discard changes "q!".

    After changes saved, you can restart Fail2ban: service fail2ban restart OR /etc/init.d/fail2ban restart

    ===============

    Fail2Ban Filters

    These are the Fail2Ban ready made filters in /etc/fail2ban/filter.d:

    apache-auth.confapache-badbots.conf
    apache-nohome.conf
    apache-noscript.conf
    apache-overflows.conf
    asterisk.conf
    common.conf
    courierlogin.conf
    couriersmtp.conf
    cyrus-imap.conf
    dovecot.conf
    dropbear.conf
    exim.conf
    gssftpd.conf
    lighttpd-auth.conf
    lighttpd-fastcgi.conf
    named-refused.conf
    pam-generic.conf
    php-url-fopen.conf
    postfix.conf
    proftpd.conf
    pure-ftpd.conf
    qmail.conf
    recidive.conf
    sasl.conf
    sieve.conf
    sshd-ddos.conf
    sshd.conf
    vsftpd.conf
    webmin-auth.conf
    wuftpd.conf
    xinetd-fail.conf
    These are the mentioned footprints of Example sshd.conf file:
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
    ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
    ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
    ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
    ============

    Fail2Ban log file:
    Code:
    tail /var/log/fail2ban.log
    or
    Code:
    grep fail2 /var/log/{messages,syslog}
    This is interesting fail2ban.local file!
    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.0.99
    bantime = 600
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    # This issue left ToDo, so polling is default backend for now
    backend = polling

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]

    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]


    [ssh]

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 5


    [apache]

    enabled = true
    port = http
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5


    [apache-noscript]

    enabled = false
    port = http
    filter = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5


    [vsftpd]

    enabled = false
    port = ftp
    filter = vsftpd
    logpath = /var/log/auth.log
    maxretry = 5


    [proftpd]

    enabled = true
    port = ftp
    filter = proftpd
    logpath = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5


    [wuftpd]

    enabled = false
    port = ftp
    filter = wuftpd
    logpath = /var/log/auth.log
    maxretry = 5


    [postfix]

    enabled = false
    port = smtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5


    [courierpop3]

    enabled = true
    port = pop3
    filter = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5


    [courierimap]

    enabled = true
    port = imap2
    filter = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5


    [sasl]

    enabled = true
    port = smtp
    filter = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath = /var/log/mail.log
    maxretry = 5
    above file is NOT good for centos it has another log file names (/apache*/ -> /httpd/ ; auth.log -> secure ; ...)

  2. #2
    Fli
    Fli is offline
    Administrator Fli's Avatar
    Join Date
    Mar 2013
    Posts
    2,550


    Is this useful / helpfull? Yes | No
    This may help auto block IPs that frequently load website index ( / ) over and over again:

    add this into jail.local (new file .. has priority over jail.conf)

    vi /etc/fail2ban/jail.local

    [apache-toomanyrequests]

    enabled = true
    filter = apache-toomanyrequests
    action = iptables-multiport[name=ApacheTooManyRequests, port="http,https"]
    sendmail-buffered[name=ApacheTooManyRequests, lines=5, [email protected]]
    logpath = /var/log/httpd/access_log
    findtime = 60
    bantime = 240
    maxretry = 50
    and part of my filter ./filter.d/apache-toomanyrequests.conf file:

    (vi /etc/fail2ban/filter.d/apache-toomanyrequests.conf)

    [Definition]

    failregex = [[]client <HOST>[]] File does not exist: .*/~.*
    (<HOST>)\s(\S+)\s(\S+)\s\[([^\]]+)\]\s"GET / HTTP/1.0"\s(\S+)\s(\S+)\s"([^"]*)"\s"([^"]+)"

    # any apache line (<HOST>)\s(\S+)\s(\S+)\s\[([^\]]+)\]\s"(\S+)\s([^\s]+)\s([^"]+)"\s(\S+)\s(\S+)\s"([^"]*)"\s"([^"]+)"

    ignoreregex =


    how it works? When visitor loads my website, the log entry (line of text) is added to the /var/log/httpd/access_log file, like:
    ns1.site.com:80 212.185.56.58 - - [16/Nov/2013:21:32:39 +0000] "GET / HTTP/1.0" 200 666 "wgcki.net" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xxx) Gecko/20041027 Mnenhy/0.6.0.104"
    if above mentioned regex match the log line, the IP is saved and if it is in log file 50 times in last 60 seconds, it means possible attack, so it is blocked for 240 seconds by Fail2Ban which im using.

    Another jails:
    http://www.foosel.org/blog/2008/04/banning_phpmyadmin_bots_using_fail2ban
    http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/

+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 01-09-2019, 10:58 AM
  2. How are you preventing SSH bruteforce on Linux?
    By Fli in forum Security, protection
    Replies: 0
    Last Post: 06-29-2017, 12:25 PM
  3. Replies: 0
    Last Post: 11-16-2014, 07:36 PM
  4. Replies: 0
    Last Post: 06-03-2014, 08:36 PM
  5. Installing Java on Linux for Firefox, how to?
    By Fli in forum Desktop, X-windows
    Replies: 1
    Last Post: 11-15-2013, 03:11 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
 Protected by : ZB BLOCK  &  StopForumSpam