networking:linux:fail2ban

Differences

This shows you the differences between two versions of the page.

networking:linux:fail2ban [2013/09/25 18:35]
gcooper
networking:linux:fail2ban [2017/03/15 08:51] (current)
gcooper
Line 22: Line 22:
 <file> <file>
 yum install fail2ban --enablerepo=epel yum install fail2ban --enablerepo=epel
-</file> 
- 
-===== Startup ===== 
- 
-Enable Fail2Ban to start up automatically and start the service: 
- 
-<file> 
-chkconfig fail2ban on 
-service fail2ban start 
-</file> 
- 
-===== Tools ===== 
- 
-This shows failed SSH logins by date: 
- 
-<file> 
-cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c 
-</file> 
- 
-Search for correct log file: 
- 
-<file> 
-grep such /var/log/messages* 
-grep ftp /var/log/messages* 
-grep -r NOQUEUE /var/log 
-</file>  
- 
-This should match Postfix bans: 
- 
-<file> 
-grep rejected /var/log/maillog 
-</file> 
- 
-===== Testing ===== 
- 
-<file> 
-fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf 
 </file> </file>
  
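Review bot: `grep such /var/log/messages*` in the "Search for correct log file" block looks like a typo and is carried over unchanged into the relocated copy of this section later in the revision; confirm the intended search term. Otherwise nothing removed here is lost: Startup, Tools and Testing all reappear further down, and moving Startup after the jail.local defaults gives the better order of configure first, then enable and start the service.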
Line 75: Line 38:
 </file> </file>
  
-==== Configure defaults in ''jail.local'' ====+==== Configure defaults in jail.local ====
  
 Add your own IP ranges to keep from getting locked out yourself. Add your own IP ranges to keep from getting locked out yourself.
  
 <file> <file>
 +vi /etc/fail2ban/jail.local
 +
 [DEFAULT] [DEFAULT]
 ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141 ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
 +</file>
 +
 +===== Startup =====
 +
 +Enable Fail2Ban to start up automatically and start the service:
 +
 +<file>
 +chkconfig fail2ban on
 +service fail2ban start
 </file> </file>
  
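Review bot: The new `vi /etc/fail2ban/jail.local` line sits inside the same <file> block as the [DEFAULT] contents, so a reader copying the block gets a shell command mixed in with ini text; put the edit command in its own block and keep this one to the file contents. Also worth a sentence under `ignoreip`: 209.193.64.0/24 whitelists an entire /24, and every host in that range bypasses every jail, so the list should be the narrowest set of ranges that covers the admin addresses.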
Line 111: Line 85:
 # Don't know how well other backend options work. # Don't know how well other backend options work.
 backend = polling backend = polling
 +
 +[apache-denied]
 +
 +enabled   = false
 +filter    = apache-denied
 +action    = iptables[name=Denied, port=80, protocol=tcp]
 +#            sendmail-whois[name=Denied, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath   = /home/sonoracomm/logs/error_log
 +maxretry  = 1
 +bantime   = 604800
 +
 +[apache-postflood]
 +
 +enabled  = false
 +filter   = apache-postflood
 +action   = iptables[name=HTTP, port=80, protocol=tcp]
 +           sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath  = /home/sonoracomm/logs/access_log
 +findtime = 10
 +maxretry = 10
 +bantime  = 86400
  
 [ssh-iptables] [ssh-iptables]
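Review bot: Neither the `apache-denied` nor the `apache-postflood` filter is defined anywhere in this diff, yet both jails reference them by name; state where the filter.d files come from or add them, otherwise the jails cannot start once they are set to `enabled = true`. Two smaller points: `apache-denied` combines `maxretry = 1` with `bantime = 604800`, so a single client-denied entry in error_log (a misconfigured monitor probe is enough) earns a one-week ban; and the `sendmail-whois[...]` arguments are inconsistent, `fail2ban@sonoracomm.com` is passed positionally here while the badbots jail below spells it out as `sender=www@sonoracomm.com`.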
Line 155: Line 150:
 [apache-badbots] [apache-badbots]
  
-enabled true+enabled false
 filter   = apache-badbots filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp] action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
-logpath  = /var/log/httpd/access_log+logpath /home/sonoracomm/logs/access_log 
 +/var/log/httpd/access_log
 /var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log
 /var/www/*/log/web.log /var/www/*/log/web.log
 maxretry = 1 maxretry = 1
 +bantime  = 604800
 </file> </file>
  
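Review bot: As rendered, `enabled false` and `logpath /home/sonoracomm/logs/access_log` have no `=` (the removed side read `logpath  = ...`); if that is in the saved text rather than a display artifact, fail2ban's ini parser will not read either key, so write `enabled = false` and `logpath  = /home/sonoracomm/logs/access_log`. A multi-line `logpath` also needs its continuation lines indented, and the three paths following it appear at column one here, so check the indentation in the source. Note that with the jail flipped to `enabled false`, the new `bantime  = 604800` has no effect until the jail is re-enabled.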
Line 247: Line 244:
 # Values:  TEXT # Values:  TEXT
 # #
 +</file>
 +
 +===== Troubleshooting =====
 +
 +**Correctly count login failures**: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly
 +
 +<file>
 +sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
 +sudo service rsyslog restart
 +sudo service fail2ban restart
 +</file>
 +
 +:!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''.
 +
 +This shows failed SSH logins by date:
 +
 +CentOS/Redhat:
 +
 +<file>
 +cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
 +</file>
 +
 +Debian/Ubuntu:
 +
 +<file>
 +cat /var/log/auth.log | grep sshd.\*Failed
 +</file>
 +
 +Search for correct log file:
 +
 +<file>
 +grep such /var/log/messages*
 +grep ftp /var/log/messages*
 +grep -r NOQUEUE /var/log
 +</file> 
 +
 +This should match Postfix bans:
 +
 +<file>
 +grep rejected /var/log/maillog
 +</file>
 +
 +===== Testing =====
 +
 +Count of banned IP addresses:
 +
 +<file>
 +iptables -nL |grep "DROP       all" |wc -l
 +</file>
 +
 +<file>
 +fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
 </file> </file>
  
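Review bot: `iptables -nL |grep "DROP       all" |wc -l` counts every DROP-all rule in every chain, including unrelated firewall rules, not only fail2ban bans; list the jail's own chain instead, for example `iptables -nL fail2ban-BadBots`, since fail2ban's iptables actions name their chain `fail2ban-<name>` from the `name=` argument used in the action lines above. Minor: `cat /var/log/auth.log | grep sshd.\*Failed` relies on the shell turning `\*` into `*`; `grep 'sshd.*Failed' /var/log/auth.log` is clearer and drops the extra `cat`. The `RepeatedMsgReduction` fix and the `polling` backend tip are useful additions; the `fail2ban-regex` line at the very end would read better with a one-line explanation like the other Testing entry has.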
networking/linux/fail2ban.1380155738.txt.gz · Last modified: 2013/09/25 18:35 by gcooper