Fail2Ban: Difference between revisions
Revision as of 20:37, 7 February 2014
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc.
installation
First, you need to install Fail2Ban. For Redhat/Fedora use yum.
yum install fail2ban
CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded. You can get it from EPEL, the Fedora repository.
wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm
You might have some dependencies to install, like
yum install gamin-python
wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm
rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm
These are the two most commonly needed by CentOS users. Get them and any others that may be required, then try to install fail2ban again. Additional help is available for RPM Commands.
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
installation tips
If you get the error "No package fail2ban available" on CentOS, it is because, as of this writing, CentOS doesn't provide fail2ban. There are a couple of ways to get it anyway. I recommend the rpm method mentioned above. Didn't you see it before getting this far?
Old Dovecot versions: If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise the log lines carry a "dovecot: " prefix, which fail2ban doesn't like. v1.2+ no longer has this prefix. You can switch to syslog logging by setting log_path to an empty value in dovecot.conf.
configuration
General Configuration
Configuration for Postfix and Dovecot
See Block SMTP Authentication Attacks With Fail2Ban or Brute Force Dictionary Attack on Dovecot for details and example configurations for Postfix / Dovecot / SASL
Configuration for SSH
Configuration for Apache2 Web Server
parameters
Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action is:
/etc/fail2ban/action.d/iptables.conf
log path refers to the log file location that fail2ban will track.
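To show what the filter, log path and action parameters add up to, here is the scan-count-ban logic in plain Python, added as an example and not fail2ban's own code: the sshd log lines, the simplified failregex, and the maxretry / findtime / bantime values are constructed stand-ins for what a jail would read from jail.conf and filter.d.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure style sshd lines (syslog format, no year).
SAMPLE_LOG = """\
Feb  7 20:30:01 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  7 20:30:04 mail sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  7 20:30:09 mail sshd[2105]: Accepted publickey for deploy from 198.51.100.4 port 40210 ssh2
Feb  7 20:30:12 mail sshd[2107]: Failed password for root from 203.0.113.7 port 51041 ssh2
Feb  7 20:31:40 mail sshd[2111]: Failed password for invalid user test from 198.51.100.4 port 40222 ssh2
Feb  7 20:45:02 mail sshd[2140]: Failed password for invalid user oracle from 198.51.100.4 port 40300 ssh2
"""

# Simplified stand-in for a filter.d failregex; the named group plays the role of <HOST>.
FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port")
TIME_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_time(line, year=2014):
    """Syslog timestamps carry no year, so one is assumed (constructed value)."""
    m = TIME_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=3, findtime=600, bantime=3600):
    """Return {host: ban_expiry} for hosts with maxretry matches inside a findtime window.

    Mirrors a jail: only failregex matches count, matches outside findtime seconds
    are forgotten, and a banned host is ignored until its bantime has elapsed.
    """
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # e.g. the "Accepted publickey" line: not a failure
        host, ts = m.group("host"), parse_time(line)
        if host in bans and ts < bans[host]:
            continue  # still banned (the action would have dropped the packet)
        q = recent[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # expire failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)  # here the action would fire
            q.clear()
    return bans
```

With the defaults, 203.0.113.7 is banned after its third failure within 11 seconds, while 198.51.100.4 is not, because its two failures are more than findtime apart.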
resources