Fail2Ban

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 22:53, 7 February 2014 by Admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.

installation

First, you need to install Fail2Ban. For Redhat/Fedora use yum.

yum install fail2ban

CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded. You can get it from EPEL, the Fedora repository.

 wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
 rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm

You might have some dependencies to install, like

 yum install gamin-python
 wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm
 rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm

These are the most common 2 needed for CentOS users. Get them and any others possibly needed then try to install fail2ban again. Additional help is available for RPM Commands.

ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org

installation tips

If you get the error: centos "No package fail2ban available" it is because, as of this writing, CentOS doesn't provide fail2ban. There are a couple ways to get it anyway. I recommend the rpm method mentioned above. Didn't you see it before getting this far?

Old Dovecot versions: If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise log files contain "dovecot: " prefix, which fail2ban doesn't like. v1.2+ no longer have this prefix. You can use syslogging by setting log_path to empty value in dovecot.conf.

configuration

General Configuration

The initial configuration folder should look like something like this:

config/
|-- action.d
|   |-- dummy.conf
|   |-- foo.conf
|   |-- hostsdeny.conf
|   |-- iptables.conf
|   |-- mail-whois.conf
|   `-- mail.conf
|-- fail2ban.conf
|-- filter.d
|   |-- apache-auth.conf
|   |-- sshd.conf
|   `-- vsftpd.conf
`-- jail.conf
  • filter  : a filter defines a regular expression which must match a pattern corresponding to a log-in failure or any other * expression
  • action  : an action defines several commands which are executed at different moments
  • jail  : a jail is a combination of one filter and one or several actions. Fail2ban can handle several jails at the same time
  • client  : refers to the script fail2ban-client
  • server  : refers to the script fail2ban-server

Configuration for Postfix and Dovecot

See Block SMTP Authentication Attacks With Fail2Ban or Brute Force Dictionary Attack on Dovecot for details and example configurations for Postfix / Dovecot / SASL

Configuration for SSH

The default configuration for the SSH filter should not require too much changes. You can adapt the regular expression to meet your needs.

Open up the thefail2ban configuration file:

 vi ./fail2ban/jail.local

Configure the SSH tables section

 [ssh-iptables]
 
 enabled  = true
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=root, sender=[email protected]]
 logpath  = /var/log/secure
 maxretry = 5

Configuration for Apache2 Web Server

You must edit the jail.local file.

 vi ./fail2ban/jail.local

Parameters

 [apache]
 enabled = true
 
 [apache-noscript]
 enabled = true
 
 [apache-overflows]
 enabled = true

parameters

Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action,

./fail2ban/action.d/iptables.conf

log path refers to the log location that fail2ban will track.

How long to ban an attacker?

Ban Jailed ip addresses nearly permanently -

resources

The most recent official user manual for fail2ban as of this writing:


 

Contributeduck176.gif
Note: This page is notably incomplete. You can help. Please contribute by registering your email address and adding your knowledge to this page. The D.U.C.K. wiki was created to be a free informative place that allows an open exchange of accurate information.
Learn more...