[CentOS] Fail2Ban
Thomas Dukes
tdukes at sc.rr.com
Tue Mar 3 00:12:11 UTC 2009
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of John Hinton
> Sent: Sunday, March 01, 2009 9:05 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Fail2Ban
>
> Agile Aspect wrote:
> > John Hinton wrote:
> >
> >> Agile Aspect wrote:
> >>
> >>
> >>> Devraj Mukherjee wrote:
> >>>
> >>>
> >>>
> >>>> Hi all,
> >>>>
> >>>> I am trying to get fail2ban going on my server and its log message
> >>>> reports the following error
> >>>>
> >>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q
> >>>> fail2ban-SSH' returned 256
> >>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport
> >>>> ssh -j fail2ban-SSH
> >>>>
> >>>> Is this because of the way the RedHat tool sets up the firewall?
> >>>>
> >>>> Thanks for any responses.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>> First, have you installed iptables, shorewall, and tcp-wrappers?
> >>>
> >>> Second, have you tried the failed grep expression, i.e., have you
> >>> tried
> >>>
> >>> iptables -L INPUT | grep -q fail2ban-SSH
> >>>
> >>> As to why this would fail, you need to ask on the fail2ban mailing
> >>> list since evidently this appears to be part of the installation.
> >>>
> >>> The iptables can be setup by anyone - RedHat simply provides a
> >>> default set of rules.
> >>>
> >>>
> >>>
> >>>
> >> Actually, it is a rather OS dependent package and the rules for
> >> CentOS are difficult to write. That really doesn't belong on the
> >> fail2ban list either.
> >>
> >>
> > Please post the iptables rule which you believe is OS dependent.
> >
> >
> >> You don't need shorewall, just the standard CentOS firewall works fine.
> >>
> >>
> > It depends upon what the OP installed. The fail2ban web page
> > recommends shorewall be installed - so there's a chance the OP
> > installed it.
> >
> >
> First, I installed the RPM from dag. Some of it was set to go
> out of the box. Seems like I didn't need to do anything for
> SSH rules to work besides turning it on. Seems like VSFTP was
> pretty close. Dovecot was a write I think I might have
> done... or a major rewrite. Also, as there are differences
> between CentOS 3, 4 and 5... I'd also need to know which
> version you're running.
>
> This really is a great tool. It is not easy to create rules.
> I was actually thinking that a CentOS fail2ban wiki or
> something might be nice. If it were divided into separate
> versions, we could share rules there. It took me about 3 or 4
> hours to write and test just one. But again, I'm really slow at RegEx.
>
> I keep seeing more attacks on just about every service available.
> Dovecot logins being the latest. VSFTP gets hit pretty
> hard... SSH gets pounded. But, using this also as a spam
> filter is also another good use.
> On one of my servers with moderate email traffic, it is
> banning about 150 IP addresses per hour based just on multiple
> Spamhaus rejects. That's a lot of load reduction right there.
> Now, if I could start pulling out stuff from SpamAssassin
> rejects... that could drop our loads by a huge amount. Over
> time, it might even reduce the number of attempts... if they
> do any purging of old email addresses.
>
> John Hinton
I tried to install the rpm from Dag a while back but it complained about
having Shorewall installed. I have an older version of fail2ban installed
and cannot upgrade due to this. I use denyhosts also.
I use firestarter to admin my rules. Could I edit the requirement for
shorewall out of the spec file in the src rpm to get it to work?
Thanks!!
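
What the "returned 256" in the quoted log means, as an added example that is not part of the thread and not fail2ban's own code. It assumes the logged number is the raw wait status that Python's os.system() returns on Linux; the two `iptables -L INPUT` listings and all function names are constructed for illustration.

```python
import os
import subprocess

# Constructed `iptables -L INPUT` listings (not taken from the thread).
INPUT_WITHOUT_CHAIN = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
"""
INPUT_WITH_CHAIN = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
"""


def decode_status(status):
    """Split an os.system()-style wait status into (exit_code, signal)."""
    if os.WIFSIGNALED(status):
        return None, os.WTERMSIG(status)
    return os.WEXITSTATUS(status), None


def check_chain(listing, chain="fail2ban-SSH"):
    """Run the same `grep -q` test on a saved listing; return grep's exit code."""
    proc = subprocess.run(["grep", "-q", chain], input=listing, text=True)
    return proc.returncode


def explain(status):
    """Interpret the status of `iptables -L INPUT | grep -q <chain>`.

    A pipeline reports the exit code of its last command, so this is grep's.
    """
    code, sig = decode_status(status)
    if sig is not None:
        return "killed by signal %d" % sig
    if code == 0:
        return "chain is referenced from INPUT"
    if code == 1:
        return "no match: chain is not referenced from INPUT"
    return "grep itself failed (exit %d)" % code


if __name__ == "__main__":
    print("256 ->", decode_status(256), "->", explain(256))
    print("without chain:", check_chain(INPUT_WITHOUT_CHAIN))
    print("with chain:   ", check_chain(INPUT_WITH_CHAIN))
```

Under that assumption, 256 is exit code 1 from `grep -q`, meaning the INPUT chain had no reference to fail2ban-SSH when the check ran.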