Tonight I added fail2ban to one of my webservers to test it out. Here is my step by step, as best as I could figure it out... documentation a bit sketchy.
Feel free to add anything to it or suggest changes.
I tried to set it up to deal with ssh, http authentication, dovecot, ftp, and postfix.
I could find no working example for CentOS 6 and there is no fail2ban book available to peruse. So, just winging it....
I used the EPEL repo and it needed the following packages to work correctly. I do not use priorities, but I add things by using includepkgs= in the repo file:
    fail2ban
    shorewall
    python-inotify
    gamin-python
(logging) Although fail2ban adds a logrotate file for fail2ban.log, it logs everything to the /var/log/messages file, so I changed /etc/fail2ban/fail2ban.conf line 25 to
    logtarget = /var/log/fail2ban.log
Perhaps overlooked by the rpm developer?
/etc/fail2ban/jail.conf
In all sections I commented out the mailto section, since it just sends a ton of mails when started/stopped... yikes. Not sure if there is a setting only for errors or actions... but the start/stop mails are too annoying. Will use logwatch daily to check on it.
line 16, added a space then my server IP address 123.123.123.123 (example IP address, not real):
    ignoreip = 127.0.0.1 123.456.789.123
SSH section:
line 48, enabled=true
line 50, changed to my port number
commented out the mailto section
sasl section (for postfix):
line 68, enabled=true
backend = polling (I left this but have no idea if I should or not)
line 71, rewrote it to
    action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
This blocks all mail ports when someone tries and fails... at least I think it does....? :)
Apache (this was tough since many online sources say it will not work, but will test and see):
    [apache-tcpwrapper]
    enabled = true
    filter = apache-auth
    action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
    logpath = /var/log/httpd/*error_log
    maxretry = 4
Several docs suggest tcpwrapper and CentOS are a no go, and that this will not work... trying it anyway. All the http stuff is not set up for CentOS; its default is to look for /var/log/apache, so this was not set up at all by the rpm dev... at least not the working examples in the jail.conf file.
Added this to the bottom (and a new file must be created to work with it):
    [Dovecot]
    enabled = true
    filter = dovecot
    maxretry = 5
    action = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
    logpath = /var/log/maillog
(again, I added all mail ports in case of a hacker)
New file added: /etc/fail2ban/filter.d/dovecot.conf
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching.
    # Values: TEXT
    #
    failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
    service fail2ban start
    chkconfig fail2ban on
    service iptables restart
(not sure if you have to or not with each fail2ban restart)
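Added example, not part of the thread and not fail2ban's own code: a small Python check that runs the dovecot failregex from the filter file above (with the escaped parentheses that the archive dropped) against a constructed set of maillog lines, counts failures per client, and applies the [Dovecot] jail's maxretry = 5 to see which client would be banned. The log lines and addresses are made up, the findtime window is ignored, and it also shows that the regex as archived (unescaped parentheses) does not even compile.

```python
import re
from collections import Counter

# Bob's dovecot failregex with the escaped parentheses restored (the list archive
# dropped the backslashes). Tested here with plain Python re, outside fail2ban.
DOVECOT_FAILREGEX = (
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)
FAIL_RE = re.compile(DOVECOT_FAILREGEX)

# The same regex as it appeared in the archive, with the backslashes missing.
ARCHIVED_FAILREGEX = (
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login (auth failed"
    r"|Aborted login (tried to use disabled|Disconnected (auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Constructed /var/log/maillog sample (not real traffic); addresses are RFC 5737
# documentation ranges. Five failures from one host, one from another, plus two
# lines the filter must leave alone (a successful login and a no-auth disconnect).
SAMPLE_MAILLOG = """\
Apr 20 02:10:11 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Apr 20 02:10:15 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Apr 20 02:10:19 mx dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Apr 20 02:10:24 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Apr 20 02:10:30 mx dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.11, lip=198.51.100.2
Apr 20 02:10:41 mx dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Apr 20 02:10:55 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Apr 20 02:11:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<eve>, method=PLAIN, rip=192.0.2.5, lip=198.51.100.2, TLS
"""


def regex_compiles(pattern):
    """True if Python's re accepts the pattern (fail2ban uses re as well)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_failed_host(line):
    """Return the client IP (the regex's 'host' group) for an auth-failure line, else None."""
    m = FAIL_RE.search(line)
    return m.group("host") if m else None


def count_failures(log_text):
    """Count auth failures per client IP across the whole log text."""
    counts = Counter()
    for line in log_text.splitlines():
        host = extract_failed_host(line)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(log_text, maxretry=5):
    """Hosts that reached the jail's maxretry (Bob's [Dovecot] jail uses 5).
    Simplification: fail2ban only counts failures inside its findtime window;
    this counts the whole sample instead."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print("archived regex compiles:", regex_compiles(ARCHIVED_FAILREGEX))
    print("fixed regex compiles:   ", regex_compiles(DOVECOT_FAILREGEX))
    for host, n in sorted(count_failures(SAMPLE_MAILLOG).items()):
        print(f"{host}: {n} failures")
    print("would ban:", hosts_to_ban(SAMPLE_MAILLOG))
```

Running it shows only 203.0.113.7 reaching maxretry; the successful login and the "no auth attempts" disconnect are not counted, which is the behaviour you want from the filter before letting it drive iptables.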
On 4/20/2012 2:02 AM, Bob Hoffman wrote:
/etc/fail2ban/jail.conf
commented out the mailto section
port="25,465,993,995", protocol=tcp]
action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
    service fail2ban start
    chkconfig fail2ban on
    service iptables restart
(not sure if you have to or not with each fail2ban restart)
If I could add something: definitely put ports, if numbers, in quotes... without quotes I got some errors in the logs. port=ftp, no quotes..... port="2222", quotes.
And I added one for vsftp; I use port 5000:
    [vsftpd-iptables]
    enabled = true
    filter = vsftpd
    action = iptables[name=VSFTPD, port="5000", protocol=tcp]
    logpath = /var/log/vsftpd.log
    maxretry = 5
    bantime = 1800
On 4/20/2012 2:24 AM, Bob Hoffman wrote:
If I could add something: definitely put ports, if numbers, in quotes... without quotes I got some errors in the logs. port=ftp, no quotes..... port="2222", quotes.
And I added one for vsftp; I use port 5000:
    [vsftpd-iptables]
    enabled = true
    filter = vsftpd
    action = iptables[name=VSFTPD, port="5000", protocol=tcp]
    logpath = /var/log/vsftpd.log
    maxretry = 5
    bantime = 1800
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
My final add on this tonight..
Due to the older versions of 'whatever' CentOS uses, there will be errors on startup of fail2ban regarding multiport jails. To avoid these errors it was suggested to add a sleep mechanism to the startup commands in the proper file.
/etc/fail2ban/action.d/iptables-multiport.conf
added a sleep line, sleep `perl -e 'print rand(3);'`, to line 14 and dropped everything down one line to make room for it:
    actionstart = sleep `perl -e 'print rand(3);'`
                  iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
On 20.04.2012 08:02, Bob Hoffman wrote:
/etc/fail2ban/jail.conf
In all sections I commented out the mailto section [...]
I don't use mailto either. It's just not manageable if you have more than a very small number of machines.
line 16, added a space then my server IP address 123.123.123.123 (example IP address, not real):
    ignoreip = 127.0.0.1 123.456.789.123
I never felt a need for that. OTOH, in the typical configuration for machines in my DMZ, I always add my entire internal network here, e.g.
ignoreip = 127.0.0.1 10.0.0.0/16
SSH section
[...]
sasl section
[...]
line 71, rewrote it to
    action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
This blocks all mail ports when someone tries and fails
[...]
Apache
[...]
action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
I prefer action = iptables-allports on all of these, so that a source address attempting a bruteforce attack on one service is immediately banned from all services. I can't imagine a scenario where a machine that got blocked, for example, for attempting to bruteforce passwords via SMTP AUTH, should be allowed to try via FTP next. Even password attempts against ssh, which accepts only public key authentication on all my machines, trigger a block on all ports. So far I haven't had a single complaint about that.
    service fail2ban start
    chkconfig fail2ban on
    service iptables restart
(not sure if you have to or not with each fail2ban restart)
I don't think you have to. I never do, and it works fine anyway.
HTH, Tilman
On 4/20/2012 9:25 AM, Tilman Schmidt wrote:
On 20.04.2012 08:02, Bob Hoffman wrote:
    action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
I prefer action = iptables-allports on all of these, so that a source address attempting a bruteforce attack on one service is immediately banned from all services. I can't imagine a scenario where a machine that got blocked, for example, for attempting to bruteforce passwords via SMTP AUTH, should be allowed to try via FTP next. Even password attempts against ssh, which accepts only public key authentication on all my machines, trigger a block on all ports. So far I haven't had a single complaint about that.
    service fail2ban start
    chkconfig fail2ban on
    service iptables restart
(not sure if you have to or not with each fail2ban restart)
I don't think you have to. I never do, and it works fine anyway.
I will try the 'all ports' for sure, that was what I wanted. Logwatch, as it comes with CentOS, does not have any scripts at all for fail2ban; mine were pretty devoid of anything. I added the 7.4 stuff and am playing with it now. I have seen no logging yet of any attempts, nor do I know any way of seeing if it works. Will post final solution if I ever see it working.
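Added example, not from the thread and not part of logwatch or fail2ban: a Python summary of the fail2ban log that Bob redirected to /var/log/fail2ban.log, which is the quickest way to see whether the jails are doing anything before logwatch has a script for it. It assumes the fail2ban 0.8-style line format "date time,ms logger: LEVEL [jail] Ban|Unban ip" (the logger column is padded, so spaces before the colon are tolerated); the sample log lines and addresses below are constructed, including an ERROR line of the kind the multiport chain-creation race produces at startup.

```python
import re
from collections import defaultdict

# Assumed fail2ban 0.8-style log line, as written to Bob's logtarget /var/log/fail2ban.log:
#   "<YYYY-MM-DD HH:MM:SS>,<ms> <logger>: <LEVEL> [<jail>] <Ban|Unban> <ip>"
# The logger column is padded, so allow spaces before the colon.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*: "
    r"WARNING\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)
# Any ERROR line, e.g. an iptables action that failed to set up its chain at startup.
ERROR_RE = re.compile(r"^\S+ \S+ (?P<logger>\S+)\s*: ERROR\s+(?P<msg>.*)$")

# Constructed sample log (not from a real server); RFC 5737 documentation addresses.
SAMPLE_FAIL2BAN_LOG = """\
2012-04-20 09:25:00,001 fail2ban.server : INFO   Jail 'ssh-iptables' started
2012-04-20 09:25:00,120 fail2ban.actions.action: ERROR  iptables -N fail2ban-POSTFIX returned 100
2012-04-20 09:30:01,234 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2012-04-20 09:31:10,002 fail2ban.actions: WARNING [dovecot] Ban 198.51.100.9
2012-04-20 09:33:45,900 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.44
2012-04-20 09:40:01,567 fail2ban.actions: WARNING [ssh-iptables] Unban 203.0.113.7
"""


def parse_events(log_text):
    """Return (timestamp, jail, action, ip) for every Ban/Unban line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")))
    return events


def ban_counts(log_text):
    """Total bans issued per jail: the number a daily logwatch-style summary would show."""
    counts = defaultdict(int)
    for _ts, jail, action, _ip in parse_events(log_text):
        if action == "Ban":
            counts[jail] += 1
    return dict(counts)


def currently_banned(log_text):
    """Replay Ban/Unban events to get the addresses still banned per jail at the end of the log."""
    banned = defaultdict(set)
    for _ts, jail, action, ip in parse_events(log_text):
        if action == "Ban":
            banned[jail].add(ip)
        else:
            banned[jail].discard(ip)
    return {jail: sorted(ips) for jail, ips in banned.items()}


def action_errors(log_text):
    """Messages from ERROR lines; failed iptables chain setup for a jail shows up here."""
    errors = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            errors.append(m.group("msg"))
    return errors


if __name__ == "__main__":
    print("bans per jail: ", ban_counts(SAMPLE_FAIL2BAN_LOG))
    print("still banned:  ", currently_banned(SAMPLE_FAIL2BAN_LOG))
    print("action errors: ", action_errors(SAMPLE_FAIL2BAN_LOG))
```

The replay of Ban/Unban pairs is the useful part: a jail with many bans but nothing currently banned is behaving normally (bantime expiring), while an ERROR line for a jail means its iptables chain was never created and its bans are not actually enforced, which is what the sleep workaround in the multiport action is meant to avoid. An independent cross-check is iptables -L -n, which lists the fail2ban-<name> chains that should exist for each enabled jail.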
On 4/20/2012 9:25 AM, Tilman Schmidt wrote:
I prefer action = iptables-allports on all of these, so that a source address attempting a bruteforce attack on one service is immediately banned from all services. I can't imagine a scenario where a machine that got blocked, for example, for attempting to bruteforce passwords via SMTP AUTH, should be allowed to try via FTP next. Even password attempts against ssh, which accepts only public key authentication on all my machines, trigger a block on all ports. So far I haven't had a single complaint about that.
There was no information about 'allports' in any official fail2ban docs... As to the one time it would be an issue: when you try to test it out from your home IP and ban yourself from your entire server :)
Oops, well, at least it is working for ssh...