networking:linux:fail2ban
networking:linux:fail2ban [2013/09/25 17:57]
gcooper
networking:linux:fail2ban [2017/03/15 08:51] (current)
gcooper
Line 1: Line 1:
 ====== Fail2Ban ====== ====== Fail2Ban ======
 +
 +https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-centos-6
  
   * Fail2Ban is easy to configure, but it is a reliable and flexible tool to combat attacks and probes.   * Fail2Ban is easy to configure, but it is a reliable and flexible tool to combat attacks and probes.
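Review bot: the link added at the top of the page is a bare URL with no description; a short label (the slug says it is a CentOS 6 how-to for protecting SSH with Fail2Ban) would tell readers what it covers and on which distribution before they follow it, since the rest of this page mixes CentOS/Redhat and Debian/Ubuntu instructions.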
Line 22: Line 24:
 </file> </file>
  
-===== Startup =====+===== Configuration =====
  
-Enable Fail2Ban to start up automatically and start the service:+Fail2ban is designed so that you can edit local copies of the primary configuration files so they will never be stepped on by an update.
  
-<file> +  * ''/etc/fail2ban/fail2ban.local'' 
-chkconfig fail2ban on +    * overrides ''fail2ban.conf'' 
-service fail2ban start +  * ''/etc/fail2ban/jail.local'' 
-</file> +    * overrides ''jail.conf''
- +
-===== Tools ===== +
- +
-This shows failed SSH logins by date:+
  
 <file> <file>
-cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c+cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 
 +cp -a /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
 </file> </file>
  
-Search for correct log file:+==== Configure defaults in jail.local ====
  
-<file> +Add your own IP ranges to keep from getting locked out yourself.
-grep such /var/log/messages* +
-grep ftp /var/log/messages* +
-grep -r NOQUEUE /var/log +
-</file>  +
- +
-This should match Postfix bans:+
  
 <file> <file>
-grep rejected /var/log/maillog +vi /etc/fail2ban/jail.local
-</file>+
  
-===== Testing ===== +[DEFAULT] 
- +ignoreip 127.0.0.1 209.193.64.0/24 70.176.57.141
-<file> +
-fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf+
 </file> </file>
  
-===== Configuration =====+===== Startup =====
  
-Fail2ban is designed so that you can edit local copies of the primary configuration files so they will never be stepped on by an update. +Enable Fail2Ban to start up automatically and start the service:
- +
-  * /etc/fail2ban/fail2ban.local +
-    * overrides fail2ban.conf +
-  * /etc/fail2ban/jail.local +
-    * overrides jail.conf+
  
 <file> <file>
-vim /etc/fail2ban/jail.conf +chkconfig fail2ban on 
-</file> +service fail2ban start
- +
-Enable SSH and ProFTP.  Both use /var/log/secure +
- +
-Add your own IP ranges to keep from getting locked out yourself. +
- +
-<file> +
-[DEFAULT] +
-ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141+
 </file> </file>
  
Line 108: Line 85:
 # Don't know how well other backend options work. # Don't know how well other backend options work.
 backend = polling backend = polling
 +
 +[apache-denied]
 +
 +enabled   = false
 +filter    = apache-denied
 +action    = iptables[name=Denied, port=80, protocol=tcp]
 +#            sendmail-whois[name=Denied, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath   = /home/sonoracomm/logs/error_log
 +maxretry  = 1
 +bantime   = 604800
 +
 +[apache-postflood]
 +
 +enabled  = false
 +filter   = apache-postflood
 +action   = iptables[name=HTTP, port=80, protocol=tcp]
 +           sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath  = /home/sonoracomm/logs/access_log
 +findtime = 10
 +maxretry = 10
 +bantime  = 86400
  
 [ssh-iptables] [ssh-iptables]
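Review bot: in both new jails the `sendmail-whois` action passes the sender address as a bare positional value (`dest=banned@sonoracomm.com, fail2ban@sonoracomm.com`), while the `[apache-badbots]` jail later on this page uses the keyword form `sender=www@sonoracomm.com`; the action parameters are `key=value` pairs, so the line should read `sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, sender=fail2ban@sonoracomm.com]` (and likewise in the commented-out line under `[apache-denied]`). Also, both jails reference filters (`apache-denied`, `apache-postflood`) whose `filter.d` definitions are not shown anywhere on the page; if they are custom filters they should be documented here, otherwise enabling either jail will fail at startup with a missing filter.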
Line 152: Line 150:
 [apache-badbots] [apache-badbots]
  
-enabled true+enabled false
 filter   = apache-badbots filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp] action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
-logpath  = /var/log/httpd/access_log+logpath /home/sonoracomm/logs/access_log 
 +/var/log/httpd/access_log
 /var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log
 /var/www/*/log/web.log /var/www/*/log/web.log
 maxretry = 1 maxretry = 1
 +bantime  = 604800
 </file> </file>
  
Line 244: Line 244:
 # Values:  TEXT # Values:  TEXT
 # #
 +</file>
 +
 +===== Troubleshooting =====
 +
 +**Correctly count login failures**: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly
 +
 +<file>
 +sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
 +sudo service rsyslog restart
 +sudo service fail2ban restart
 +</file>
 +
 +:!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''.
 +
 +This shows failed SSH logins by date:
 +
 +CentOS/Redhat:
 +
 +<file>
 +cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
 +</file>
 +
 +Debian/Ubuntu:
 +
 +<file>
 +cat /var/log/auth.log | grep sshd.\*Failed
 +</file>
 +
 +Search for correct log file:
 +
 +<file>
 +grep such /var/log/messages*
 +grep ftp /var/log/messages*
 +grep -r NOQUEUE /var/log
 +</file> 
 +
 +This should match Postfix bans:
 +
 +<file>
 +grep rejected /var/log/maillog
 +</file>
 +
 +===== Testing =====
 +
 +Count of banned IP addresses:
 +
 +<file>
 +iptables -nL |grep "DROP       all" |wc -l
 +</file>
 +
 +<file>
 +fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
 </file> </file>
  
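Review bot: the "Count of banned IP addresses" check in the new Testing section, `iptables -nL | grep "DROP       all" | wc -l`, counts every DROP-all rule in every chain on the host, not just the ones Fail2Ban inserted, and it depends on the exact column spacing of the `iptables -nL` output; `fail2ban-client status <jail-name>` reports the jail's currently banned list directly, and `iptables -nL fail2ban-<name>` (the chain created by the jail's `iptables` action) limits the count to that jail's rules. In the SSH-failure commands, the CentOS/Redhat grep now matches `authentication failure` (the pam_unix message) whereas the old command matched `Failed password` (the sshd message); sshd writes both lines for a failed password attempt, so the two greps give different counts, and it is worth stating which one the filter's `failregex` actually counts. The Debian/Ubuntu line `cat /var/log/auth.log | grep sshd.\*Failed` can be simplified to `grep 'sshd.*Failed' /var/log/auth.log`, and `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf` is the only real test in this section and deserves a sentence saying what a successful run looks like (a non-zero number of matched lines).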
networking/linux/fail2ban.1380153428.txt.gz · Last modified: 2013/09/25 17:57 by gcooper