networking:linux:fail2ban

Differences

This shows you the differences between two versions of the page.

networking:linux:fail2ban [2013/09/26 16:59]
gcooper
networking:linux:fail2ban [2017/03/15 08:51] (current)
gcooper
Line 85: Line 85:
 # Don't know how well other backend options work. # Don't know how well other backend options work.
 backend = polling backend = polling
 +
 +[apache-denied]
 +
 +enabled   = false
 +filter    = apache-denied
 +action    = iptables[name=Denied, port=80, protocol=tcp]
 +#            sendmail-whois[name=Denied, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath   = /home/sonoracomm/logs/error_log
 +maxretry  = 1
 +bantime   = 604800
 +
 +[apache-postflood]
 +
 +enabled  = false
 +filter   = apache-postflood
 +action   = iptables[name=HTTP, port=80, protocol=tcp]
 +           sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, fail2ban@sonoracomm.com]
 +logpath  = /home/sonoracomm/logs/access_log
 +findtime = 10
 +maxretry = 10
 +bantime  = 86400
  
 [ssh-iptables] [ssh-iptables]
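Review bot: the two new jails ban only port 80 (`action = iptables[name=Denied, port=80, protocol=tcp]` and `action = iptables[name=HTTP, port=80, protocol=tcp]`), whereas the existing apache-badbots jail below uses `iptables-multiport[name=BadBots, port="http,https", protocol=tcp]`; if the same vhosts are served over HTTPS, a banned client can keep hitting them on 443, so the multiport form with `port="http,https"` would be consistent and actually effective. Two smaller points: `apache-denied` bans for a week on a single hit (`maxretry = 1`, `bantime = 604800`), so one misconfigured Deny rule or one legitimate crawler touching a denied path costs that address seven days of access; and the hunk references filters `apache-denied` and `apache-postflood` without showing their definitions, so the matching files must exist in filter.d and should be checked with `fail2ban-regex` as the Troubleshooting section already advises.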
Line 129: Line 150:
 [apache-badbots] [apache-badbots]
  
-enabled true+enabled false
 filter   = apache-badbots filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp] action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]            sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
-logpath  = /var/log/httpd/access_log+logpath /home/sonoracomm/logs/access_log 
 +/var/log/httpd/access_log
 /var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log
 /var/www/*/log/web.log /var/www/*/log/web.log
 maxretry = 1 maxretry = 1
 +bantime  = 604800
 </file> </file>
  
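Review bot: flipping `enabled` from `true` to `false` switches the apache-badbots jail off, so the `bantime = 604800` and the extra log paths added in the same change have no effect until it is re-enabled; if the intent is to keep the jail parked, a comment saying why would save the next reader from assuming the longer ban is live. Also, on the two changed lines the rendered diff shows `enabled false` and `logpath /home/sonoracomm/logs/access_log` with no `=`; fail2ban's config parser needs the `key = value` form, so confirm the file on disk still reads `enabled = false` and `logpath = /home/sonoracomm/logs/access_log` before the continuation lines.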
Line 224: Line 247:
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +
 +**Correctly count login failures**: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly
 +
 +<file>
 +sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
 +sudo service rsyslog restart
 +sudo service fail2ban restart
 +</file>
  
 :!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''. :!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''.
  
 This shows failed SSH logins by date: This shows failed SSH logins by date:
 +
 +CentOS/Redhat:
  
 <file> <file>
 cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
 +</file>
 +
 +Debian/Ubuntu:
 +
 +<file>
 +cat /var/log/auth.log | grep sshd.\*Failed
 </file> </file>
  
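Review bot: the Debian/Ubuntu command `cat /var/log/auth.log | grep sshd.\*Failed` does not do what the lead sentence promises ("failed SSH logins by date"); it only lists the matching lines, while the CentOS/Redhat version pipes through `awk '{print $1,$2}' | sort | uniq -c` to get a per-day count. Appending the same tail to the Debian command would make the two equivalent. On the rsyslog fix, `sed -i` rewrites /etc/rsyslog.conf with no backup; `sed -i.bak` keeps the original, which is cheap insurance for a system config file. It is worth a sentence explaining why the change matters: with RepeatedMsgReduction on, rsyslog collapses identical lines into "last message repeated N times", and fail2ban then sees one failure where N occurred, so `maxretry` is never reached.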
Line 248: Line 287:
  
 ===== Testing ===== ===== Testing =====
 +
 +Count of banned IP addresses:
 +
 +<file>
 +iptables -nL |grep "DROP       all" |wc -l
 +</file>
  
 <file> <file>
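Review bot: `iptables -nL | grep "DROP       all" | wc -l` depends on the exact column spacing of the `iptables -nL` output and counts every DROP-all rule in every chain, not just the ones fail2ban inserted, so it will overcount on a host with its own DROP rules and undercount if the spacing differs. Since the iptables actions in this file create chains named after the action's `name` parameter (for example fail2ban-BadBots for `name=BadBots`), `iptables -nL fail2ban-BadBots | grep -c DROP` gives a per-jail count, and `fail2ban-client status <jail>` reports the currently banned addresses without parsing iptables output at all.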
networking/linux/fail2ban.1380236371.txt.gz · Last modified: 2013/09/26 16:59 by gcooper