Tonight I added fail2ban to one of my webservers to test it out. Here is my step by step, as best as I could figure it out... documentation is a bit sketchy. Feel free to add anything to it or suggest changes. I tried to set it up to deal with ssh, http authentication, dovecot, ftp, and postfix. I could find no working example for CentOS 6 and there is no fail2ban book available to peruse. So, just winging it....

I used the EPEL repo and it needed the following packages to work correctly. I do not use priorities, but I add things by using includepkgs= in the repo file.

  fail2ban
  shorewall
  python-inotify
  gamin-python

(logging) Although fail2ban adds a logrotate file for fail2ban.log, it logs everything to the /var/log/messages file, so I changed /etc/fail2ban/fail2ban.conf line 25:

  logtarget = /var/log/fail2ban.log

Perhaps overlooked by the rpm developer?

/etc/fail2ban/jail.conf

In all sections I commented out the mailto section since it just sends a ton of mails when started/stopped... yikes. Not sure if there is a setting only for errors or actions... but the start/stop mails are too annoying. Will use logwatch daily to check on it.

Line 16, added a space then my server ip address 123.123.123.123 (example ip address, not real):

  ignoreip = 127.0.0.1 123.456.789.123

SSH section
  line 48: enabled=true
  line 50: changed to my port number
  commented out the mailto section

sasl section (for postfix)
  line 68: enabled=true
  backend = polling (I left this but have no idea if I should or not)
  line 71, rewrote it to:
  action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]

This blocks all mail ports when someone tries and fails... at least I think it does....? :)

Apache (this was tough since many online sources say it will not work, but will test and see)

  [apache-tcpwrapper]
  enabled = true
  filter = apache-auth
  action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
  logpath = /var/log/httpd/*error_log
  maxretry = 4

Several docs suggest tcpwrapper and CentOS are a no go, and that this will not work... trying it anyway. All the http stuff is not set up for CentOS; its default is to look for /var/log/apache, so this was not set up at all by the rpm dev... at least not the working examples in the jail.conf file.

Added this to the bottom (and a new file must be created to work with it):

  [Dovecot]
  enabled = true
  filter = dovecot
  maxretry = 5
  action = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
  logpath = /var/log/maillog

(again, I added all mail ports in case of a hacker)

New file added: /etc/fail2ban/filter.d/dovecot.conf

  [Definition]
  # Option: failregex
  # Notes.: regex to match the password failure messages in the logfile. The
  # host must be matched by a group named "host". The tag "<HOST>" can
  # be used for standard IP/hostname matching.
  # Values: TEXT
  #
  failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

  # Option: ignoreregex
  # Notes.: regex to ignore. If this regex matches, the line is ignored.
  # Values: TEXT
  #
  ignoreregex =

Then:

  service fail2ban start
  chkconfig fail2ban on
  service iptables restart (not sure if you have to or not with each fail2ban restart)
On 4/20/2012 2:02 AM, Bob Hoffman wrote:
> /etc/fail2ban/jail.conf
> commented out the mailto section
>
> port="25,465,993,995", protocol=tcp]
> action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
>
> service fail2ban start
> chkconfig fail2ban on
> service iptables restart (not sure if you have to or not with each
> fail2ban restart)

If I could add something, definitely put ports, if numbers, in quotes... without quotes I got some errors in the logs: port=ftp, no quotes..... port="2222", quotes. And I added one for vsftp; I use port 5000:

  [vsftpd-iptables]
  enabled = true
  filter = vsftpd
  action = iptables[name=VSFTPD, port="5000", protocol=tcp]
  logpath = /var/log/vsftpd.log
  maxretry = 5
  bantime = 1800
Tilman Schmidt
2012-Apr-20 13:25 UTC
[CentOS] fail2ban attempt, anyone want to add anything?
On 20.04.2012 08:02, Bob Hoffman wrote:
> /etc/fail2ban/jail.conf
> In all sections I commented out the mailto section [...]

I don't use mailto either. It's just not manageable if you have more than a very small number of machines.

> line 16, added a space then my server ip address 123.123.123.123
> (example ip address, not real)
> ignoreip = 127.0.0.1 123.456.789.123

I never felt a need for that. OTOH, in the typical configuration for machines in my DMZ, I always add my entire internal network here, e.g.

  ignoreip = 127.0.0.1 10.0.0.0/16

> SSH section
[...]
> sasl section
[...]
> line 71, 'rewrote it to' action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
> this blocks all mail ports when someone tries and fails
[...]
> Apache
[...]
> action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]

I prefer

  action = iptables-allports

on all of these, so that a source address attempting a bruteforce attack on one service is immediately banned from all services. I can't imagine a scenario where a machine that got blocked, for example, for attempting to bruteforce passwords via SMTP AUTH, should be allowed to try via FTP next. Even password attempts against ssh, which accepts only public key authentication on all my machines, trigger a block on all ports. So far I haven't had a single complaint about that.

> service fail2ban start
> chkconfig fail2ban on
> service iptables restart (not sure if you have to or not with each
> fail2ban restart)

I don't think you have to. I never do, and it works fine anyway.

HTH
Tilman

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
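As an added example (not from the thread and not fail2ban's own code) tying together Bob's dovecot.conf failregex with the Dovecot jail's maxretry = 5 and Tilman's ignoreip = 127.0.0.1 10.0.0.0/16: the script runs the posted failregex over constructed maillog lines, counts failures per source address the way the jail would, and skips anything inside ignoreip. The log lines, addresses and function names are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# failregex copied from the dovecot.conf filter posted in the thread; the post writes
# fail2ban's <HOST> tag out as the named group (?P<host>...), so it is reused as-is.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Jail settings from the thread: maxretry = 5 for the Dovecot jail, and
# ignoreip = 127.0.0.1 plus an internal /16 as in Tilman's reply.
MAXRETRY = 5
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1", "10.0.0.0/16")]

# Constructed /var/log/maillog sample in Dovecot's log format (not real data):
# 5 failures from 203.0.113.7, 2 from 198.51.100.77, 5 from 10.0.5.9, 1 success.
PFX = "Apr 20 02:01:00 mail dovecot: "
SAMPLE_LOG = "\n".join(
    [PFX + "imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, "
     "method=PLAIN, rip=203.0.113.7, lip=198.51.100.2"] * 4
    + [PFX + "pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, "
       "method=PLAIN, rip=203.0.113.7, lip=198.51.100.2"]
    + [PFX + "imap-login: Authentication failure: user=<ann>, method=PLAIN, "
       "rip=198.51.100.77, lip=198.51.100.2"] * 2
    + [PFX + "pop3-login: Aborted login (tried to use disabled plaintext auth): "
       "user=<joe>, rip=10.0.5.9, lip=198.51.100.2"] * 5
    + [PFX + "imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, "
       "lip=198.51.100.2"]
)

def failures_per_host(log_text):
    """Run the failregex over every log line and count matches per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def is_ignored(host):
    """True when the address lies inside any ignoreip entry; fail2ban never bans those."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IGNOREIP)

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Addresses with at least maxretry failures that are not on the ignore list."""
    counts = failures_per_host(log_text)
    return sorted(h for h, n in counts.items() if n >= maxretry and not is_ignored(h))
```

The real `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf` command does the matching part of this against a live log and is the quickest way to confirm a filter actually fires before enabling the jail.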