See also Bad Bot Trap.
Fail2Ban is available from either the EPEL or RPMForge repositories. Use the one you already have configured, or configure EPEL.
See also Enable the EPEL Repo
See also Using the RepoForge Repository
Install Fail2Ban (using either --enablerepo=epel or --enablerepo=rpmforge):
yum install fail2ban --enablerepo=epel
Alternatively, install from the source tarball:
wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
tar -xjvf fail2ban-0.8.1.tar.bz2
cd fail2ban-0.8.1
python setup.py install
Note: this version needs Python 2.4, which is not currently available.
(SME 7 uses /var/log/messages)
If you installed from the tarball, run these two commands (skip them if you installed with YUM/RPM):
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
Then:
chkconfig fail2ban on
service fail2ban start
This shows failed SSH logins by date:
cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Search for the correct log file:
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog
Test a filter against its log file with fail2ban-regex, for example the Dovecot filter against the mail log:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
Fail2ban is designed so that you can edit local copies of the primary configuration files (jail.local and the .local files under filter.d and action.d), so your settings are never overwritten by an update.
vim /etc/fail2ban/jail.conf
Enable SSH and ProFTP. Both use /var/log/secure.
Add your own IP ranges to ignoreip so you do not lock yourself out:
[DEFAULT]
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]
# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

# Ban hosts whose user agent identifies them as spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
# See also Bad Bot Trap
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
         sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/httpd/access_log /var/log/httpd/ispconfig_access_log /var/www/*/log/web.log
maxretry = 1
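The ban decision the [DEFAULT] section above configures (maxretry failures within findtime seconds, bantime seconds of ban, ignoreip never banned) as an added model in Python. This is illustration code written for this page, not fail2ban's own implementation; the values are the ones from the jail.local above and the addresses fed in are constructed.

```python
import ipaddress
from collections import deque

# Values taken from the [DEFAULT] section above (jail.local); the class is an
# added model of fail2ban's decision, not fail2ban's own code.
IGNOREIP = ["127.0.0.1", "192.245.12.0/24", "207.182.32.0/19", "204.27.149.0/24"]
BANTIME = 600    # seconds a host stays banned
FINDTIME = 600   # window in which failures are counted
MAXRETRY = 3     # failures inside the window that trigger a ban


class Jail:
    """maxretry failures within findtime seconds ban a host for bantime seconds."""

    def __init__(self, ignoreip=IGNOREIP, bantime=BANTIME,
                 findtime=FINDTIME, maxretry=MAXRETRY):
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.failures = {}  # ip -> deque of failure timestamps still in the window
        self.banned = {}    # ip -> time at which the ban expires

    def is_ignored(self, ip):
        """ignoreip check: addresses in these ranges are never banned."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        """True while a ban is active; the ban expires once bantime has elapsed."""
        if ip in self.banned and self.banned[ip] <= now:
            del self.banned[ip]
        return ip in self.banned

    def failure(self, ip, now):
        """Record one failregex match at time `now`; return True if it triggers a ban."""
        if self.is_ignored(ip) or self.is_banned(ip, now):
            return False
        window = self.failures.setdefault(ip, deque())
        window.append(now)
        while window and now - window[0] > self.findtime:  # forget failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return True
        return False


if __name__ == "__main__":
    jail = Jail()
    # constructed address: three failures 100 s apart, the third one bans
    print([jail.failure("198.51.100.7", t) for t in (0, 100, 200)])
```

A host that spreads its failures more than findtime apart is never banned, which is why the page's findtime and maxretry are tuned together.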
# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =
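What fail2ban-regex does with the postfix.local filter above, as an added Python example (not fail2ban's code): the <HOST> tag is expanded to a host-capturing sub-pattern modelled on fail2ban's, each line is tried against the failregex list, and ignoreregex lines are skipped. The maillog lines are constructed samples in Postfix's "NOQUEUE: reject" format, not taken from the page.

```python
import re

# Expansion of the <HOST> tag, modelled on the sub-pattern fail2ban substitutes.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex lines from filter.d/postfix.local above.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
]

def compile_filter(patterns, ignoreregex=None):
    """Expand <HOST> in every failregex and compile, as fail2ban does on filter load."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return compiled, ignore

def match_hosts(lines, patterns, ignoreregex=None):
    """Return the host captured from each line that counts as a failure."""
    compiled, ignore = compile_filter(patterns, ignoreregex)
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):   # ignoreregex wins over failregex
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break                        # one failure per line at most
    return hosts

# Constructed sample maillog lines (RFC 5737 documentation addresses).
SAMPLE_MAILLOG = [
    "Jan 10 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable",
    "Jan 10 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from example.net[198.51.100.7]: 450 4.7.1 Client host rejected",
    "Jan 10 10:00:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 User unknown",
    "Jan 10 10:00:04 mail postfix/smtpd[1234]: connect from unknown[203.0.113.9]",
    "Jan 10 10:00:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 450 4.1.8 Sender address rejected",
]

if __name__ == "__main__":
    for host in match_hosts(SAMPLE_MAILLOG, POSTFIX_FAILREGEX):
        print(host)
```

The plain "connect from" line produces no match, and the same host appearing twice yields two failures, which is what the jail's maxretry counts.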
# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =

[Init]
name = default
dest = root
sender = fail2ban
# Fail2Ban filter.d/apache-badbots.conf file
################################################
# www.sonoracomm.com
#
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Mozilla/4.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; FunWebProducts; GTB6; \.NET CLR 1\.1\.4322\)
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

# Option:  failregex
# Notes.:  Regexp to catch known spambots and software alike. Please verify
#          that it is your intent to block IPs which were driven by
#          abovementioned bots.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*"GET /bot-trap/

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =