====== Fail2Ban ======
https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-centos-6
* Fail2Ban is easy to configure, yet it is a reliable and flexible tool for combating attacks and probes.
* Fail2Ban is modular in nature so it's easy to get it configured one module at a time.
* Fail2Ban runs as a daemon and bans an IP address after too many failed login attempts.
* Fail2ban uses iptables to do the banning.
See also **[[networking:linux:bad_bot_trap|Bad Bot Trap]]**.
===== Installation =====
Fail2Ban is available from either the EPEL or RepoForge repositories. Use the one you already have configured or choose to configure EPEL.
See also **[[computing:linux:epel|Enable the EPEL Repo]]**
See also **[[computing:linux:repoforge|Using the RepoForge Repository]]**
Install Fail2Ban (using either ''epel'' or ''rpmforge''):
yum install fail2ban --enablerepo=epel
===== Configuration =====
Fail2ban is designed so that you edit local copies of the primary configuration files; the local copies are never overwritten by an update.
* ''/etc/fail2ban/fail2ban.local'' overrides ''fail2ban.conf''
* ''/etc/fail2ban/jail.local'' overrides ''jail.conf''
cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp -a /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
==== Configure defaults in jail.local ====
Add your own IP ranges to keep from getting locked out yourself.
vi /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
===== Startup =====
Enable Fail2Ban to start up automatically and start the service:
chkconfig fail2ban on
service fail2ban start
==== Sample Configuration Files ====
# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling
[apache-denied]
enabled = false
filter = apache-denied
action = iptables[name=Denied, port=80, protocol=tcp]
#        sendmail-whois[name=Denied, dest=banned@sonoracomm.com, sender=fail2ban@sonoracomm.com]
logpath = /home/sonoracomm/logs/error_log
maxretry = 1
bantime = 604800
[apache-postflood]
enabled = false
filter = apache-postflood
action = iptables[name=HTTP, port=80, protocol=tcp]
         sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, sender=fail2ban@sonoracomm.com]
logpath = /home/sonoracomm/logs/access_log
findtime = 10
maxretry = 10
bantime = 86400
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5
[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
# See also Bad Bot Trap
[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
         sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /home/sonoracomm/logs/access_log
          /var/log/httpd/access_log
          /var/log/httpd/ispconfig_access_log
          /var/www/*/log/web.log
maxretry = 1
bantime = 604800
# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =
# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =
[Init]
name = default
dest = root
sender = fail2ban
# Fail2Ban filter.d/apache-badbots.conf file
################################################
# www.sonoracomm.com
#
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Mozilla/4.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; FunWebProducts; GTB6; \.NET CLR 1\.1\.4322\)
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# abovementioned bots.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*"GET /bot-trap/
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
===== Troubleshooting =====
**Correctly count login failures**: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly
sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
sudo service rsyslog restart
sudo service fail2ban restart
:!: If you can test a filter successfully with ''fail2ban-regex'', but no firewall rules are being added, try using ''polling'' instead of ''gamin'' or ''auto''.
This shows failed SSH logins by date:
CentOS/Redhat:
cat /var/log/secure* | grep 'authentication failure' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Debian/Ubuntu:
cat /var/log/auth.log | grep sshd.\*Failed
Search for correct log file:
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog
===== Testing =====
Count of banned IP addresses:
iptables -nL |grep "DROP all" |wc -l
Test a filter against a log file:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
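Added example (not part of the original page and not Fail2Ban's own code): a simplified offline model of how the ''[postfix]'' jail combines the three ''failregex'' lines from ''filter.d/postfix.local'' with ''ignoreip'', ''findtime'' and ''maxretry'' from the sample ''jail.local''. The IPv4-only ''<HOST>'' pattern, the per-host sliding window, the year and the log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified, IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The three failregex lines from filter.d/postfix.local on this page.
FAILREGEX = [re.compile(r.replace("<HOST>", HOST)) for r in (
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
)]
# From the sample jail.local: [DEFAULT] findtime, [postfix] maxretry, part of ignoreip.
FINDTIME, MAXRETRY = timedelta(seconds=600), 5
IGNOREIP = [ip_network(n) for n in ("127.0.0.1", "192.245.12.0/24")]

def failures(lines, year=2024):
    """Yield (timestamp, host) for every line a failregex matches."""
    for line in lines:
        m = next(filter(None, (rx.search(line) for rx in FAILREGEX)), None)
        if m:  # syslog timestamps carry no year, so a constructed one is supplied
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def would_ban(lines):
    """Return hosts reaching MAXRETRY failures within FINDTIME, minus IGNOREIP."""
    recent, banned = {}, []
    for ts, host in failures(lines):
        if any(ip_address(host) in net for net in IGNOREIP):
            continue  # whitelisted source: never counted, never banned
        hits = [t for t in recent.get(host, []) if ts - t < FINDTIME] + [ts]
        recent[host] = hits
        if len(hits) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def reject(minute, ip, code):
    """Build one constructed maillog line (not taken from a real server)."""
    return (f"Mar  3 10:{minute:02d}:00 mail postfix/smtpd[1234]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: {code} 5.7.1 <u@example.com>: Relay access denied")

SAMPLE = ([reject(m, "203.0.113.7", 554) for m in range(5)]            # 5 hits in 4 min
          + [reject(m, "198.51.100.9", 550) for m in (0, 10, 20, 30, 40)]  # too slow
          + [reject(m, "192.245.12.5", 554) for m in range(6)]         # inside ignoreip
          + ["Mar  3 10:50:00 mail postfix/smtpd[1234]: connect from unknown[203.0.113.8]"])

if __name__ == "__main__":
    print(would_ban(SAMPLE))
```

Only the fast source is reported; the slow source never accumulates five failures inside one 600-second window, and the ''ignoreip'' source is skipped regardless of its failure count.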