Here is what I had to do to make fail2ban work with centos 6, fail2ban from epel This is a long letter and no html to make it read better. It deals with failed jails during start, loss of ban/unban after systems logrotates files, errors in jails, sasl errors, logging file correctly to work with fail2ban and logwatch, fail2ban logrotate.
I hope this helps others, it was a real bear and the first program/rpm I used that really does not work very well as set up. (a update was pushed a few weeks back, not sure how this affects anything below...mine still works as is.) Forgive me if I left something out.
first I added these programs to the EPEL repo ( I do not allow any except those I use, so I use the following to limit the repo.)
includepkgs= fail2ban shorewall shorewall-core python-inotify gamin-python
Fail2ban has recently been updated on the epel repo and shorewall-core is now needed too, this is new. How the new updates affects any of the below is beyond me, but I doubt it changed anything.
1st issue ------------------ /etc/fail2ban/jail.conf change line 39 to backend = gamin
Without this fail2ban will ignore log rotations by logrotate and stay on the old file in your jails. This was needed or it failed. No errors, nothing. Force log rotate did not make this happen, only the program running each morning did it. I changed mine to a daily rotate of /var/log/secure,vsftpd.log, etc... to test this. Without gamin it failed every time.
(also you need to add this) line 16 (add your ip (or ip block?) after the 127 ip) Use a space between them all. ignoreip = 127.0.0.1 yourip
2nd issue ------------------- with more than one jail you can (and will) get chances of errors when starting fail2ban. Some people seem to attribute it centos 6 having an older version of netfilter. The program goes to fast for iptables and chokes setting up the chains. Sometimes they all go on, most times I would lose one to two chains during each restart of fail2ban.
You have to have debug with at least 'info' to see these errors. When stopping you will get a ton of these errors too, but they seem to have no effect on anything.
To stop these errors and allow all jails to start properly you have to add a sleep line deep in the code. I have not tested since the update to see if this was overwritten but will do that this week.
/usr/bin/fail2ban-client
Find the following code and add the time.sleep(0.1) in there as I have. You need to press the tab 3 times to indent it, python pays attention to white space, it will choke if you do not do this.
add sleep command into the following, (tab three times) starts at line 142 def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() for c in cmd: time.sleep(0.1) beautifier.setInputCmd(c) try:
This lets netfilter catch up with the fail2ban client and allows all jails to get started properly. If you only use one jail this would not be needed, but each one after that offers a chance of not being turned on.
3rd issue ------------------- The whole log thing is borked. if you try to use fail2ban.log, fail2ban itself will choke on it. If you try to use the repo's set up of using /var/log/messages than logwatch will get borked on it. However, if you set it all to /var/log/fail2ban as the log file, it will work.
No matter which way you want it, logwatch, fail2ban, and logrotate all point to different files for logging and it is a real mess.
Here is what I did to make it log and allow logrotate to work with it.
/etc/fail2ban/fail2ban.conf line 25 logtarget = /var/log/fail2ban
/etc/logrotate.d/fail2ban Below I changed the logtarget and stopped the 'restart' the repo wanted. Thus it will keep running day after day.
/var/log/fail2ban { missingok notifempty rotate 7 create 0600 root root postrotate /usr/bin/fail2ban-client set logtarget /var/log/fail2ban 2> /dev/null || true endscript }
finally for logwatch /usr/share/logwatch/default.conf/logfiles/fail2ban.conf LogFile = fail2ban Archive = fail2ban-*
------------------------------------------------------------------------------------------------------------------ jails I set up...this is gonna be quick with little info, still writing notes for the book on this one I lowered the times in them for this letter, but mine are much higher. I separated the ports for each for testing and safety. You could make all the ports blocked if you wanted too.
The first ssh in the repo is enabled by default I think. Make sure if you use these you check all others to make sure they are not enabled.
[ssh-iptables]
enabled = true filter = sshd action = iptables[name=SSH, port="22444", protocol=tcp] logpath = /var/log/secure maxretry = 2 bantime = 3600
[apache-tcp] enabled = true filter = apache-auth bantime = 10000 action = iptables[name=ApacheAuth, port="80", protocol=tcp] logpath = /var/log/httpd/error_log maxretry = 3
[apache-ssl] enabled = true filter = apache-auth-ssl bantime = 10000 action = iptables[name=ApacheAuthSsl, port="443", protocol=tcp] logpath = /var/log/httpd/ssl_error_log maxretry = 3
[vsftpd-iptables] enabled = true filter = vsftpd action = iptables[name=VSFTPD, port="5000", protocol=tcp] logpath = /var/log/vsftpd.log maxretry = 3 bantime = 3600
[Dovecot] enabled = true filter = dovecot bantime = 3600 maxretry = 2 action = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp] logpath = /var/log/maillog
[Postfix] enabled = true filter = postfix maxretry = 2 bantime = 3600 findtime = 3600 action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp] logpath = /var/log/maillog [Postfix-sasl] enabled = true filter = sasl maxretry = 4 bantime = 3600 findtime = 3600 action = iptables-multiport[name=POSTFIX-SASL, port="25,465,993,995", protocol=tcp] logpath = /var/log/maillog
There was not one for dovecot, so I had to make one.. I do not think it is needed though, but I added it anyway (both go to maillog, but I figured I could do things with the jail later)
Here are some files I had to add to make the above jails work. ##################################### make a new file called dovecot.conf as below /etc/fail2ban/filter.d/dovecot.conf
[Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching. # Values: TEXT #
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login (auth failed|Aborted login (tried to use disabled|Disconnected (auth failed).*rip=(?P<host>\S*),.*
# Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
####################################
for my apache auth I added this one from someone online too
####################### make a new file /etc/fail2ban/filter.d/apache-auth-ssl.conf # Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 728 $ #
[Definition]
# Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w-.^_]+) # Values: TEXT # failregex = [[]client <HOST>[]] user .* authentication failure [[]client <HOST>[]] user .* not found [[]client <HOST>[]] user .* password mismatch
# Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = ###############################
for postfix I had to add somethings to block spam. I had made some errors to default to 550 to lower spam attempts too.
/etc/fail2ban/filter.d/postfix.conf failregex = reject: RCPT from (.*)[<HOST>]: 554 reject: RCPT from (.*)[<HOST>]: 550 reject: RCPT from (.*)[<HOST>]: 504
(still need to add a 501 in there too for invalid names)
############################################# for the sasl/postfix to work properly some changes were made, this is my file. The one that came with the repo will not work. At least it did not work for me.
/etc/fail2ban/filter.d/sasl.conf
this is my file
# Fail2Ban configuration file # # Author: Yaroslav Halchenko # # $Revision: 728 $ #
[Definition]
# Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w-.^_]+) # Values: TEXT # failregex = (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: Invalid authentication mechanism (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
###################################################
here is my iptables with some things taken out for security...lol
############################################## [root@ ~]# iptables -L -n
Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:xx fail2ban-DOVECOT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995 fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995 fail2ban-ApacheAuthSsl tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 fail2ban-ApacheAuth tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22444 fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:xx ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp dpt:xx ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:xx ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:xx:xx REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Chain fail2ban-ApacheAuth (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ApacheAuthSsl (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-DOVECOT (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-POSTFIX (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-POSTFIX-SASL (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-VSFTPD (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0