https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-centos-6
See also Bad Bot Trap.
Fail2Ban is available from either the EPEL or RepoForge repositories. Use the one you already have configured or choose to configure EPEL.
See also Enable the EPEL Repo
See also Using the RepoForge Repository
Install Fail2Ban (using either epel or rpmforge):
yum install fail2ban --enablerepo=epel
Fail2ban is designed so that you can edit local copies of the primary configuration files; a .local file is read on top of its .conf and is never stepped on by a package update:
/etc/fail2ban/fail2ban.local overrides fail2ban.conf
/etc/fail2ban/jail.local overrides jail.conf
cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp -a /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Because the .local is layered over the .conf, a complete copy like this shadows every shipped default; keeping only the [DEFAULT] overrides and the jails you enable in jail.local lets new defaults from a later jail.conf take effect.
Add your own IP ranges to ignoreip so you cannot lock yourself out:
vi /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
Enable Fail2Ban to start up automatically and start the service:
chkconfig fail2ban on
service fail2ban start
# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# Don't know how well other backend options work.
backend = polling

[apache-denied]

enabled = false
filter = apache-denied
action = iptables[name=Denied, port=80, protocol=tcp]
#          sendmail-whois[name=Denied, dest=banned@sonoracomm.com, sender=fail2ban@sonoracomm.com]
logpath = /home/sonoracomm/logs/error_log
maxretry = 1
bantime = 604800

[apache-postflood]

enabled = false
filter = apache-postflood
action = iptables[name=HTTP, port=80, protocol=tcp]
         sendmail-whois[name=Post_Flood, dest=banned@sonoracomm.com, sender=fail2ban@sonoracomm.com]
logpath = /home/sonoracomm/logs/access_log
findtime = 10
maxretry = 10
bantime = 86400

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[dovecot]

enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

[postfix]

enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=support@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

# Ban hosts whose user agent identifies them as spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
# See also Bad Bot Trap

[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
         sendmail-whois[name=BadBots, dest=banned@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /home/sonoracomm/logs/access_log
          /var/log/httpd/access_log
          /var/log/httpd/ispconfig_access_log
          /var/www/*/log/web.log
maxretry = 1
bantime = 604800
# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
# A failregex in the .local replaces the whole failregex from postfix.conf.
# 450 is a temporary rejection (greylisting, reject_unknown_client_hostname):
# a legitimate MTA that offers several recipients in one session gets one
# 450 line per recipient and can hit maxretry in a single connection.

[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450

ignoreregex =
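To see what the [postfix] jail above actually does with these three patterns, here is an added Python example (not code from this page or from fail2ban itself) that replays constructed maillog lines through the same logic: the failregex lines with fail2ban 0.8's <HOST> expansion, the ignoreip list from [DEFAULT], and the findtime/maxretry window. The log lines, the hostnames and the ignoreip value 127.0.0.1 192.0.2.0/24 are made up (addresses come from the RFC 5737 documentation ranges). Python is used because fail2ban is written in it and failregex is Python regex syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# The three failregex lines from the filter.d/postfix.local shown on this page.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
]

# What fail2ban 0.8 substitutes for the <HOST> tag (named group "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(patterns):
    """Turn filter failregex lines into Python regexes, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def simulate_jail(lines, regexes, ignoreip, findtime, maxretry):
    """Replay log lines through one jail's ban logic.

    Returns (banned, failures): banned maps host -> datetime of the ban,
    failures maps host -> number of lines the filter matched for it
    (ignored hosts are counted but never banned).
    """
    ignore_nets = [ip_network(net, strict=False) for net in ignoreip.split()]
    recent = defaultdict(deque)   # host -> match times still inside findtime
    failures = defaultdict(int)
    banned = {}
    for line in lines:
        for rx in regexes:
            match = rx.search(line)
            if match:
                break
        else:
            continue
        host = match.group("host")
        failures[host] += 1
        # ignoreip: only IP literals handled here (fail2ban also accepts names).
        try:
            addr = ip_address(host)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in ignore_nets):
            continue
        # syslog stamps carry no year; strptime's default year is fine for deltas.
        when = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = when
    return banned, dict(failures)


def _reject(time, pid, client, code, detail):
    """Build one constructed Postfix smtpd reject line."""
    return (f"Nov  3 {time} mx postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from "
            f"{client}: {code} {detail}")


# Constructed /var/log/maillog excerpt; not real traffic.
MAILLOG = (
    # DNSBL-listed sender, five recipients refused within seconds: banned.
    [_reject(f"10:00:0{i}", 2001, "unknown[203.0.113.7]", "554",
             "5.7.1 Service unavailable; Client host [203.0.113.7] blocked using "
             f"zen.spamhaus.org; from=<a@example.com> to=<u{i}@example.org> proto=ESMTP helo=<x>")
     for i in range(1, 6)]
    # Legitimate MTA greylisted on a five-recipient message: five 450 lines at once, also banned.
    + [_reject("10:02:00", 2002, "mail.example.net[198.51.100.5]", "450",
               f"4.2.0 <u{i}@example.org>: Recipient address rejected: Greylisted; "
               f"from=<news@example.net> to=<u{i}@example.org> proto=ESMTP helo=<mail.example.net>")
       for i in range(1, 6)]
    # Host inside ignoreip: the filter matches, the jail never bans it.
    + [_reject(f"10:03:0{i}", 2003, "monitor.example.com[192.0.2.9]", "550",
               f"5.1.1 <nobody{i}@example.org>: Recipient address rejected: User unknown "
               f"in local recipient table; from=<probe@example.com> to=<nobody{i}@example.org> proto=SMTP helo=<m>")
       for i in range(1, 6)]
    # Three rejects, then two more 25 minutes later: five failures, never five inside findtime.
    + [_reject(f"10:05:0{i}", 2004, "unknown[203.0.113.8]", "550",
               "5.1.1 <z@example.org>: Recipient address rejected: User unknown in local "
               "recipient table; from=<q@example.com> to=<z@example.org> proto=SMTP helo=<y>")
       for i in range(3)]
    + [_reject(f"10:30:0{i}", 2005, "unknown[203.0.113.8]", "550",
               "5.1.1 <z@example.org>: Recipient address rejected: User unknown in local "
               "recipient table; from=<q@example.com> to=<z@example.org> proto=SMTP helo=<y>")
       for i in range(2)]
    # Lines this filter does not cover at all, including a SASL password-guessing attempt.
    + ["Nov  3 10:06:00 mx postfix/smtpd[2006]: connect from unknown[203.0.113.9]",
       "Nov  3 10:06:01 mx postfix/smtpd[2006]: warning: unknown[203.0.113.9]: "
       "SASL LOGIN authentication failed: authentication failure"]
)


def run_example():
    """Replay the sample with the page's [postfix] settings; ignoreip is constructed."""
    return simulate_jail(MAILLOG, compile_failregex(POSTFIX_FAILREGEX),
                         ignoreip="127.0.0.1 192.0.2.0/24", findtime=600, maxretry=5)


if __name__ == "__main__":
    banned, failures = run_example()
    for host, count in sorted(failures.items()):
        state = f"banned at {banned[host]:%H:%M:%S}" if host in banned else "not banned"
        print(f"{host:<14} {count} matches, {state}")
```

Running it bans the DNSBL-listed sender and also the greylisted but legitimate mail.example.net after a single five-recipient session; the ignoreip host is never banned although it matched five times; 203.0.113.8 is never banned although it also failed five times, because no five failures fall inside findtime; and the SASL failure is not counted at all, since this failregex only covers RCPT rejections.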
# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#

[Definition]

actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actioncheck =

actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionunban =

[Init]

name = default
dest = root
sender = fail2ban
# Fail2Ban filter.d/apache-badbots.conf file
################################################
# www.sonoracomm.com
#

[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Mozilla/4.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; FunWebProducts; GTB6; \.NET CLR 1\.1\.4322\)
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

# Option:  failregex
# Notes.:  Regexp to catch known spambots and software alike. Please verify
#          that it is your intent to block IPs which were driven by
#          abovementioned bots.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*"GET /bot-trap/

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
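fail2ban reads filter files through Python's ConfigParser, which is what makes the %(badbots)s and %(badbotscustom)s references inside the failregex work. The added example below (not from this page or from fail2ban) loads a shortened copy of the filter above the same way, expands <HOST>, honours ignoreregex, and runs the result over constructed access_log lines. The bot list is a small subset of the one above and the log lines are made up; it also shows why the closing "$ anchor matters, since a bot name appearing in the request path rather than the user agent is left alone.

```python
import re
from configparser import ConfigParser

# Constructed, shortened copy of the page's filter.d/apache-badbots.conf: same
# layout and the same failregex, but only a handful of the user-agent strings.
APACHE_BADBOTS_CONF = r"""
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = atSpider/1\.0|autoemailspider|EmailSiphon|ExtractorPro|LWP\:\:Simple/5\.803|psycheclone
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*"GET /bot-trap/
ignoreregex =
"""

# What fail2ban 0.8 substitutes for the <HOST> tag (named group "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def load_filter(conf_text):
    """Parse a filter the way fail2ban does: ConfigParser with %(name)s
    interpolation, one regex per line, <HOST> expanded.
    Returns (failregex_list, ignoreregex_list) of compiled patterns."""
    cp = ConfigParser()
    cp.read_string(conf_text)

    def regexes(option):
        return [re.compile(p.replace("<HOST>", HOST_RE))
                for p in cp.get("Definition", option).splitlines() if p.strip()]

    return regexes("failregex"), regexes("ignoreregex")


def offending_hosts(lines, failregex, ignoreregex):
    """Map host -> matched lines, skipping any line matched by ignoreregex."""
    hits = {}
    for line in lines:
        if any(rx.search(line) for rx in ignoreregex):
            continue
        for rx in failregex:
            m = rx.search(line)
            if m:
                hits.setdefault(m.group("host"), []).append(line)
                break
    return hits


# Constructed combined-format access_log lines (RFC 5737 addresses).
ACCESS_LOG = [
    '203.0.113.7 - - [03/Nov/2013:10:00:01 -0700] "GET / HTTP/1.1" 200 1234 "-" "EmailSiphon"',
    '203.0.113.8 - - [03/Nov/2013:10:00:02 -0700] "GET /contact.html HTTP/1.1" 200 5678 "-" "sogou music spider"',
    # hits the bot trap: caught by the second failregex whatever the user agent says
    '203.0.113.9 - - [03/Nov/2013:10:00:03 -0700] "GET /bot-trap/ HTTP/1.1" 403 216 "-" "Mozilla/4.0 (compatible; crawler)"',
    '198.51.100.5 - - [03/Nov/2013:10:00:04 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/25.0"',
    # bot name in the request path, normal browser UA: the anchored "..."$ keeps this clean
    '198.51.100.6 - - [03/Nov/2013:10:00:05 -0700] "GET /search?q=EmailSiphon HTTP/1.1" 200 99 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/25.0"',
]


def run_example():
    failregex, ignoreregex = load_filter(APACHE_BADBOTS_CONF)
    return offending_hosts(ACCESS_LOG, failregex, ignoreregex)


if __name__ == "__main__":
    for host, lines in sorted(run_example().items()):
        print(host, "->", len(lines), "matching line(s)")
```

With maxretry = 1 in the [apache-badbots] jail, every host the function reports would be banned on its first matching line, so test the list against a real access_log with fail2ban-regex before enabling the jail.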
If you can test a filter successfully with fail2ban-regex but no firewall rules are being added, set backend = polling in the [DEFAULT] section of jail.local instead of gamin or auto. fail2ban-regex reads the log file directly and so only proves the regex; the backend is what notices new lines in a running jail.
This shows failed SSH logins by date (sort orders the month names alphabetically rather than chronologically, so read the count per date rather than the order):
CentOS/Redhat (grep -h keeps file names out of the output so awk's $1,$2 stay month and day when rotated logs are included):
grep -h 'authentication failure' /var/log/secure* | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Debian/Ubuntu:
grep 'sshd.*Failed' /var/log/auth.log
Search for the correct log file (the one that holds the lines a filter should match):
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should show the Postfix rejections the postfix filter matches. The failregex looks for "reject: RCPT from", which a DNSBL reject carries even though its text never says "rejected", so grep for that rather than for "rejected":
grep 'reject: RCPT from' /var/log/maillog
Count of banned IP addresses. iptables -nL pads its columns, so grep "DROP all" with a single space matches nothing; match on the DROP target instead. That still counts any hand-written DROP rule in INPUT, so count per fail2ban chain (named fail2ban-<name> after the action's name= parameter) when it matters, or ask fail2ban itself:
iptables -nL | grep -cE '^DROP +all'
iptables -nL fail2ban-SSH | grep -c '^DROP'
fail2ban-client status ssh-iptables
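As an added example (not from this page), the parser below reads constructed iptables -nL output for the [ssh-iptables] and [postfix] jails above, whose chains fail2ban names fail2ban-<name> after the action's name= parameter, and lists the DROP entries per chain. The sample output also carries a hand-written catch-all DROP in INPUT; the naive_count function is the page's original one-liner rewritten in Python and returns 0 on the same output because iptables pads its columns. The addresses are RFC 5737 documentation ranges.

```python
# Constructed `iptables -nL` output on a box running the page's [ssh-iptables]
# and [postfix] jails, plus a hand-written catch-all DROP at the end of INPUT.
IPTABLES_NL = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
fail2ban-Postfix  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-Postfix (1 references)
target     prot opt source               destination
DROP       all  --  198.51.100.5         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
DROP       all  --  203.0.113.8          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def naive_count(output):
    """The page's original one-liner (grep "DROP all" | wc -l) as Python:
    the single space never occurs in padded iptables output."""
    return sum(1 for line in output.splitlines() if "DROP all" in line)


def bans_by_chain(output, prefix="fail2ban-"):
    """Map each fail2ban chain to the source addresses it currently DROPs.
    Rules in other chains (INPUT's catch-all DROP) are deliberately not counted."""
    bans = {}
    chain = None
    for line in output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            if chain.startswith(prefix):
                bans[chain] = []
            continue
        fields = line.split()
        # iptables -nL columns: target prot opt source destination [extra]
        if chain in bans and len(fields) >= 4 and fields[0] == "DROP":
            bans[chain].append(fields[3])
    return bans


def total_bans(output):
    return sum(len(ips) for ips in bans_by_chain(output).values())


if __name__ == "__main__":
    print("naive grep count:", naive_count(IPTABLES_NL))
    for chain, ips in sorted(bans_by_chain(IPTABLES_NL).items()):
        print(chain, len(ips), "banned:", ", ".join(ips))
    print("total:", total_bans(IPTABLES_NL))
```

On a live box replace IPTABLES_NL with the output of `iptables -nL` captured via subprocess; the chain names are the only coupling to the jail.local above.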
Test a filter against a live log with fail2ban-regex before enabling its jail, for example the stock Dovecot filter against the mail log:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf