Fail2Ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
installation
First, you need to install Fail2Ban. On Red Hat/Fedora, use yum:
yum install fail2ban
CentOS: fail2ban is not in the CentOS repositories and has to be downloaded manually. You can get it from EPEL, the Fedora-maintained add-on repository:
wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm
You might have some dependencies to install, such as:
yum install gamin-python
wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm
rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm
These are the two most commonly needed on CentOS. Install them and any others the rpm command reports as missing, then try to install fail2ban again. Additional help is available for RPM Commands.
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, so no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
installation tips
If you get the error "No package fail2ban available" on CentOS, it is because, as of this writing, CentOS doesn't provide fail2ban. There are a couple of ways to get it anyway. I recommend the rpm method mentioned above. Didn't you see it before getting this far?
Old Dovecot versions: If you're using Dovecot v1.1 or older, you need to log via syslog; otherwise the log lines carry a "dovecot: " prefix that fail2ban doesn't handle. v1.2+ no longer adds this prefix. You can switch to syslog logging by setting log_path to an empty value in dovecot.conf.
configuration
General Configuration
The initial configuration folder should look something like this:
config/
|-- action.d
|   |-- dummy.conf
|   |-- foo.conf
|   |-- hostsdeny.conf
|   |-- iptables.conf
|   |-- mail-whois.conf
|   `-- mail.conf
|-- fail2ban.conf
|-- filter.d
|   |-- apache-auth.conf
|   |-- sshd.conf
|   `-- vsftpd.conf
`-- jail.conf
Configuration for Postfix and Dovecot
See Block SMTP Authentication Attacks With Fail2Ban or Brute Force Dictionary Attack on Dovecot for details and example configurations for Postfix / Dovecot / SASL.
Configuration for SSH
Open the fail2ban jail configuration file:
vi ./fail2ban/jail.local
Configure the [ssh-iptables] section:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=[email protected]]
logpath  = /var/log/secure
maxretry = 5
Configuration for Apache2 Web Server
You must edit the jail.local file.
vi ./fail2ban/jail.local
Parameters
[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true
parameters
Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action is defined in:
./fail2ban/action.d/iptables.conf
logpath refers to the log file that fail2ban will monitor for the jail's filter matches.
How long to ban an attacker?
Ban jailed IP addresses nearly permanently -
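To make the jail parameters above concrete (the [ssh-iptables] section's maxretry = 5 and logpath = /var/log/secure, and the ban duration this section asks about), here is an added example, written for this page and not part of fail2ban itself, that replays constructed /var/log/secure lines through the same maxretry / findtime / bantime logic fail2ban applies. The failregex is a simplified stand-in for fail2ban's sshd filter (fail2ban's own pattern uses the <HOST> placeholder where this one has a named group), the log lines and the findtime/bantime values are assumptions chosen for the example, and the syslog year is assumed because syslog dates carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail settings: maxretry matches the [ssh-iptables] jail on this page;
# findtime (window in seconds in which failures are counted) and bantime
# (ban duration in seconds) are example values, not taken from the page.
JAIL = {"maxretry": 5, "findtime": 600, "bantime": 3600}

# Simplified stand-in for the sshd filter's failregex (not fail2ban's own).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
YEAR = 2014  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample of /var/log/secure lines (not from a real host).
# 203.0.113.7 fails five times within 30 seconds; 198.51.100.5 also fails
# five times but 8 minutes apart, so the findtime window never holds five.
SAMPLE_LOG = [
    "Mar  3 10:15:01 mail sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:04 mail sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:09 mail sshd[2102]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:15:12 mail sshd[2102]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:15:20 mail sshd[2104]: Accepted publickey for alice from 198.51.100.5 port 40021 ssh2",
    "Mar  3 10:15:31 mail sshd[2105]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    "Mar  3 10:15:40 mail sshd[2106]: Failed password for root from 203.0.113.7 port 51141 ssh2",
    "Mar  3 10:20:00 mail sshd[2110]: Failed password for bob from 198.51.100.5 port 40100 ssh2",
    "Mar  3 10:28:00 mail sshd[2111]: Failed password for bob from 198.51.100.5 port 40101 ssh2",
    "Mar  3 10:36:00 mail sshd[2112]: Failed password for bob from 198.51.100.5 port 40102 ssh2",
    "Mar  3 10:44:00 mail sshd[2113]: Failed password for bob from 198.51.100.5 port 40103 ssh2",
    "Mar  3 10:52:00 mail sshd[2114]: Failed password for bob from 198.51.100.5 port 40104 ssh2",
]


def parse_line(line):
    """Return (timestamp, host) for a line matching the failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    # The first 15 characters of a syslog line are the "Mon dd HH:MM:SS" date.
    ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def run_jail(lines, maxretry, findtime, bantime):
    """Replay log lines through the jail logic.

    A host is banned once it has maxretry failures inside a findtime window;
    the ban lasts bantime seconds, and failures from a banned host are not
    counted again until the ban expires.  Returns {host: (banned_at, expires_at)}.
    """
    window = defaultdict(deque)  # host -> timestamps of recent failures
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a failure line; ignored, like fail2ban does
        ts, host = parsed
        if host in bans and ts < bans[host][1]:
            continue  # already banned and the ban has not expired yet
        q = window[host]
        q.append(ts)
        # Drop failures that fell out of the findtime window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            q.clear()
    return bans


if __name__ == "__main__":
    for host, (banned_at, expires_at) in run_jail(SAMPLE_LOG, **JAIL).items():
        print(f"{host} banned at {banned_at.time()} until {expires_at.time()}")
```

Running it bans only 203.0.113.7: five failures within findtime trigger the ban, the sixth failure from that host is ignored while the ban is active, and 198.51.100.5 is never banned because its five failures are spread wider than findtime. Raising bantime to a very large value (for instance a year, 31536000 seconds) gives the "nearly permanent" ban this section describes.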
resources