• Fail2Ban requires a significant investment to configure, but it is a reliable and flexible tool to combat attacks and probes.
• Fail2Ban is modular in nature so it's eask to get it configured one module at a time.
• Fail2Ban runs as a daemon and bans an IP address after too many failed login attempts.
• Fail2ban uses iptables to do the banning.

See also Bad Bot Trap.

Enable the EPEL Repo, if not already done, then:

yum install fail2ban --enablerepo=epel

wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
tar -xjvf fail2ban-0.8.1.tar.bz2
cd fail2ban-0.8.1
python setup.py install

NEEDS Python 2.4!! (NOT CURRENTLY AVAILABLE)

(SME 7 uses /var/log/messages)

If you installed from the tarball, run these two commands. Skip them if you installed with YUM/RPM:

cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban

Then:

chkconfig fail2ban on
service fail2ban start

This shows failed SSH logins by date:

cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c

Search for correct log file:

grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log

This should match Postfix bans:

grep rejected /var/log/maillog

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

Fail2ban is designed so that you can edit local copies of the primary configuration files so they will never be stepped on by an update.

• /etc/fail2ban/fail2ban.local
  • overrides fail2ban.conf
• /etc/fail2ban/jail.local
  • overrides jail.conf

vim /etc/fail2ban/jail.conf

Enable SSH and ProFTP. Both use /var/log/secure

Add your own IP ranges to keep from getting locked out yourself.

[DEFAULT]
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141

# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24 

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# Don't know how well other backend options work.
backend = polling

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath  = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled  = true 
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath  = /var/log/secure
maxretry = 3

[dovecot]

enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

[postfix]

enabled  = true
filter   = postfix
action   = iptables[name=Postfix, port=smtp, protocol=tcp]
           sendmail-whois[name=Postfix, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath  = /var/log/maillog
maxretry = 5

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

# See also Bad Bot Trap

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
           sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath  = /var/log/httpd/access_log
/var/log/httpd/ispconfig_access_log
/var/www/*/log/web.log
maxretry = 1

# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450

ignoreregex = 

# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]

actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actioncheck = 

actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionunban =

[Init]
name = default
dest = root
sender = fail2ban

# Fail2Ban filter.d/apache-badbots.conf file
################################################
# www.sonoracomm.com
#
[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Mozilla/4.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; FunWebProducts; GTB6; \.NET CLR 1\.1\.4322\)

badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

# Option:  failregex
# Notes.:  Regexp to catch known spambots and software alike. Please verify
#          that it is your intent to block IPs which were driven by
#          abovementioned bots.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*"GET /bot-trap/

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#