networking:linux:fail2ban

networking:linux:fail2ban [2012/06/04 11:12]
gcooper
networking:linux:fail2ban [2017/03/15 08:51] (current)
gcooper
Line 1: Line 1:
 ====== Fail2Ban ====== ====== Fail2Ban ======
  
-  * Fail2Ban requires a moderate investment to configure, but it is a reliable and flexible tool to combat attacks and probes.+https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-centos-6 
 + 
 +  * Fail2Ban is easy to configure, but it is a reliable and flexible tool to combat attacks and probes.
   * Fail2Ban is modular in nature so it's easy to get it configured one module at a time.   * Fail2Ban is modular in nature so it's easy to get it configured one module at a time.
   * Fail2Ban runs as a daemon and bans an IP address after too many failed login attempts.   * Fail2Ban runs as a daemon and bans an IP address after too many failed login attempts.
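Review bot: the rewritten first bullet no longer reads right. "Fail2Ban is easy to configure, but it is a reliable and flexible tool" keeps the "but" from the old sentence ("requires a moderate investment to configure, but ..."), which contrasted effort against payoff; with "easy to configure" there is nothing left to contrast, so drop it: "Fail2Ban is easy to configure and is a reliable and flexible tool to combat attacks and probes." The added DigitalOcean URL is also a bare link above the bullets, while the rest of the page uses ''[[target|Label]]'' links on "See also" lines, so a labelled link such as ''[[https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-centos-6|How to protect SSH with Fail2Ban on CentOS 6]]'' would fit the page better.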
Line 8: Line 10:
 See also **[[networking:linux:bad_bot_trap|Bad Bot Trap]]**. See also **[[networking:linux:bad_bot_trap|Bad Bot Trap]]**.
  
-===== Installation on Centos 6 =====+===== Installation =====
  
-[[computing:linux:epel|Enable the EPEL Repo]], if not already done, then:+Fail2Ban is available from either the EPEL or RepoForge repositories.  Use the one you already have configured or choose to configure EPEL.
  
-<file> +See also **[[computing:linux:epel|Enable the EPEL Repo]]**
-yum install fail2ban --enablerepo=epel +
-</file>+
  
-===== Installation on Centos 5 =====+See also **[[computing:linux:repoforge|Using the RepoForge Repository]]**
  
-<file> +Install Fail2Ban (using either ''epel'' or ''rpmforge''):
-wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2 +
-tar -xjvf fail2ban-0.8.1.tar.bz2 +
-cd fail2ban-0.8.1 +
-python setup.py install +
-</file> +
- +
-===== Installation on SME 7 ===== +
- +
-NEEDS Python 2.4!! (NOT CURRENTLY AVAILABLE) +
- +
-(SME 7 uses /var/log/messages) +
- +
-===== Startup ===== +
- +
-If you installed from the tarball, run these two commands.  Skip them if you installed with YUM/RPM:+
  
 <file> <file>
-cp files/redhat-initd /etc/init.d/fail2ban +yum install fail2ban --enablerepo=epel
-chkconfig --add fail2ban+
 </file> </file>
  
-Then:+===== Configuration =====
  
-<file> +Fail2ban is designed so that you can edit local copies of the primary configuration files so they will never be stepped on by an update.
-chkconfig fail2ban on +
-service fail2ban start +
-</file>+
  
-===== Tools ===== +  * ''/etc/fail2ban/fail2ban.local'' 
- +    * overrides ''fail2ban.conf'' 
-This shows failed SSH logins by date:+  * ''/etc/fail2ban/jail.local'' 
 +    * overrides ''jail.conf''
  
 <file> <file>
-cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c+cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 
 +cp -a /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
 </file> </file>
  
-Search for correct log file:+==== Configure defaults in jail.local ====
  
-<file> +Add your own IP ranges to keep from getting locked out yourself.
-grep such /var/log/messages* +
-grep ftp /var/log/messages* +
-grep -r NOQUEUE /var/log +
-</file>  +
- +
-This should match Postfix bans:+
  
 <file> <file>
-grep rejected /var/log/maillog +vi /etc/fail2ban/jail.local
-</file>+
  
-===== Testing ===== +[DEFAULT] 
- +ignoreip 127.0.0.1 209.193.64.0/24 70.176.57.141
-<file> +
-fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf+
 </file> </file>
  
-===== Configuration =====+===== Startup =====
  
-Fail2ban is designed so that you can edit local copies of the primary configuration files so they will never be stepped on by an update. +Enable Fail2Ban to start up automatically and start the service:
- +
-  * /etc/fail2ban/fail2ban.local +
-    * overrides fail2ban.conf +
-  * /etc/fail2ban/jail.local +
-    * overrides jail.conf+
  
 <file> <file>
-vim /etc/fail2ban/jail.conf +chkconfig fail2ban on 
-</file> +service fail2ban start
- +
-Enable SSH and ProFTP.  Both use /var/log/secure +
- +
-Add your own IP ranges to keep from getting locked out yourself. +
- +
-<file> +
-[DEFAULT] +
-ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141+
 </file> </file>
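Review bot: the new [DEFAULT] block reads ''ignoreip 127.0.0.1 209.193.64.0/24 70.176.57.141'', whereas the line it replaces had ''ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141''; jail.local is an INI-style file, so without the ''='' this is not a valid ''key = value'' pair and the listed ranges will not be exempted from banning, which is exactly the lockout the surrounding text warns about. Restore the ''=''. The same <file> block also mixes a shell command (''vi /etc/fail2ban/jail.local'') with file content; put the command in its own block so nobody pastes the vi line into the config. Finally, the intro says "using either ''epel'' or ''rpmforge''" but only ''yum install fail2ban --enablerepo=epel'' is shown; either add the ''--enablerepo=rpmforge'' variant or drop the parenthetical.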
  
Line 124: Line 85:
 # Don't know how well other backend options work. # Don't know how well other backend options work.
 backend = polling backend = polling
 +
 +[apache-denied]
 +
 +enabled   = false
 +filter    = apache-denied
 +action    = iptables[name=Denied, port=80, protocol=tcp]
 +#            sendmail-whois[name=Denied, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath   = /home/sonoracomm/logs/error_log
 +maxretry  = 1
 +bantime   = 604800
 +
 +[apache-postflood]
 +
 +enabled  = false
 +filter   = apache-postflood
 +action   = iptables[name=HTTP, port=80, protocol=tcp]
 +           sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath  = /home/sonoracomm/logs/access_log
 +findtime = 10
 +maxretry = 10
 +bantime  = 86400
  
 [ssh-iptables] [ssh-iptables]
Line 168: Line 150:
 [apache-badbots] [apache-badbots]
  
-enabled true+enabled false
 filter   = apache-badbots filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp] action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
-logpath  = /var/log/httpd/access_log+logpath /home/sonoracomm/logs/access_log 
 +/var/log/httpd/access_log
 /var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log
 /var/www/*/log/web.log /var/www/*/log/web.log
 maxretry = 1 maxretry = 1
 +bantime  = 604800
 </file> </file>
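Review bot: the sendmail-whois action added in [apache-denied] (commented out) and repeated live in [apache-postflood] has a bare third argument, ''fail2ban@sonoracomm.com'', with no ''sender='' key, while [apache-badbots] further down writes it correctly as ''sender=www@sonoracomm.com''; since [apache-postflood] is meant to actually send mail once enabled, change it to ''sender=fail2ban@sonoracomm.com''. Both new jails also reference filters (''apache-denied'', ''apache-postflood'') that are not in fail2ban's stock filter.d set and whose definitions are not shown anywhere on the page, so add or link them, otherwise the jails fail to load when someone flips ''enabled'' to true. And both ban only ''port=80'' with the plain ''iptables'' action, whereas [apache-badbots] uses ''iptables-multiport'' with ''port="http,https"''; if the vhosts in the logpaths also serve HTTPS, a banned address can still reach them on 443.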
  
Line 260: Line 244:
 # Values:  TEXT # Values:  TEXT
 # #
 +</file>
 +
 +===== Troubleshooting =====
 +
 +**Correctly count login failures**: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly
 +
 +<file>
 +sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
 +sudo service rsyslog restart
 +sudo service fail2ban restart
 +</file>
 +
 +:!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''.
 +
 +This shows failed SSH logins by date:
 +
 +CentOS/Redhat:
 +
 +<file>
 +cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
 +</file>
 +
 +Debian/Ubuntu:
 +
 +<file>
 +cat /var/log/auth.log | grep sshd.\*Failed
 +</file>
 +
 +Search for correct log file:
 +
 +<file>
 +grep such /var/log/messages*
 +grep ftp /var/log/messages*
 +grep -r NOQUEUE /var/log
 +</file> 
 +
 +This should match Postfix bans:
 +
 +<file>
 +grep rejected /var/log/maillog
 +</file>
 +
 +===== Testing =====
 +
 +Count of banned IP addresses:
 +
 +<file>
 +iptables -nL |grep "DROP       all" |wc -l
 +</file>
 +
 +<file>
 +fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
 </file> </file>
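Review bot: the banned-address count ''iptables -nL |grep "DROP       all" |wc -l'' counts every DROP-all rule in every chain, not only fail2ban's, so it over-counts on a host with any other drop rules; list the jail chains instead, since fail2ban creates one chain per action ''name='' (for the jails on this page, ''iptables -nL fail2ban-BadBots'' or ''iptables -nL fail2ban-HTTP''). The Debian/Ubuntu example ''cat /var/log/auth.log | grep sshd.\*Failed'' only works because the shell turns ''\*'' into ''*'' before grep sees it; quote the pattern (''grep 'sshd.*Failed' /var/log/auth.log'') so the regex is explicit. Also, the CentOS line now greps for ''authentication failure'' where the removed Tools section used ''Failed password''; these are different log messages, so the counts are not comparable with the earlier version and the text should say which one it is counting.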
  
networking/linux/fail2ban.1338829922.txt.gz · Last modified: 2012/06/04 11:12 by gcooper