Fail2Ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
Contents
installation
First, you need to install Fail2Ban. For Redhat/Fedora use yum.
yum install fail2ban
CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded. You can get it from EPEL, the Fedora repository.
wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm
You might have some dependencies to install, like
yum install gamin-python wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm
These are the most common 2 needed for CentOS users. Get them and any others possibly needed then try to install fail2ban again. Additional help is available for RPM Commands.
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
installation tips
If you get the error: centos "No package fail2ban available" it is because, as of this writing, CentOS doesn't provide fail2ban. There are a couple ways to get it anyway. I recommend the rpm method mentioned above. Didn't you see it before getting this far?
Old Dovecot versions: If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise log files contain "dovecot: " prefix, which fail2ban doesn't like. v1.2+ no longer have this prefix. You can use syslogging by setting log_path to empty value in dovecot.conf.
configuration
General Configuration
The initial configuration folder should look like something like this:
config/ |-- action.d | |-- dummy.conf | |-- foo.conf | |-- hostsdeny.conf | |-- iptables.conf | |-- mail-whois.conf | `-- mail.conf |-- fail2ban.conf |-- filter.d | |-- apache-auth.conf | |-- sshd.conf | `-- vsftpd.conf `-- jail.conf
- filter : a filter defines a regular expression which must match a pattern corresponding to a log-in failure or any other * expression
- action : an action defines several commands which are executed at different moments
- jail : a jail is a combination of one filter and one or several actions. Fail2ban can handle several jails at the same time
- client : refers to the script fail2ban-client
- server : refers to the script fail2ban-server
Configuration for Postfix and Dovecot
See Block SMTP Authentication Attacks With Fail2Ban or Brute Force Dictionary Attack on Dovecot for details and example configurations for Postfix / Dovecot / SASL
Configuration for SSH
The default configuration for the SSH filter should not require too much changes. You can adapt the regular expression to meet your needs.
Open up the thefail2ban configuration file:
vi ./fail2ban/jail.local
Configure the SSH tables section
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=[email protected]]
logpath = /var/log/secure
maxretry = 5
Configuration for Apache2 Web Server
You must edit the jail.local file.
vi ./fail2ban/jail.local
Parameters
[apache] enabled = true [apache-noscript] enabled = true [apache-overflows] enabled = true
parameters
Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action,
./fail2ban/action.d/iptables.conf
log path refers to the log location that fail2ban will track.
How long to ban an attacker?
Ban Jailed ip addresses nearly permanently -
resources
The most recent official user manual for fail2ban as of this writing:
 Learn more... |
