[CentOS] Fail2Ban
John Hinton
webmaster at ew3d.com
Mon Mar 2 02:04:42 UTC 2009
Agile Aspect wrote:
> John Hinton wrote:
>
>> Agile Aspect wrote:
>>
>>
>>> Devraj Mukherjee wrote:
>>>
>>>
>>>
>>>> Hi all,
>>>>
>>>> I am trying to get fail2ban going on my server and its log message
>>>> reports the following error
>>>>
>>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q
>>>> fail2ban-SSH' returned 256
>>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh
>>>> -j fail2ban-SSH
>>>>
>>>> Is this because of the way the RedHat tool sets up the firewall?
>>>>
>>>> Thanks for any responses.
>>>>
>>>>
>>>>
>>>>
>>>>
>>> First, have you installed iptables, shorewall, and tcp-wrappers?
>>>
>>> Second, have you tried the failed grep expression, i.e., have
>>> you tried
>>>
>>> iptables -L INPUT | grep -q fail2ban-SSH
>>>
>>> As to why this would fail, you need to ask on the fail2ban
>>> mailing list since evidently this appears to be part of the
>>> installation.
>>>
>>> The iptables can be setup by anyone - RedHat simply provides
>>> a default set of rules.
>>>
>>>
>>>
>>>
>> Actually, it is a rather OS dependent package and the rules for CentOS
>> are difficult to write. That really doesn't belong on the fail2ban list
>> either.
>>
>>
> Please post the iptables rule which you believe is OS dependent.
>
>
>> You don't need shorewall, just the standard CentOS firewall works fine.
>>
>>
> It depends upon what the OP installed. The fail2ban web page
> recommends shorewall be installed - so there's a chance the OP
> installed it.
>
>
First, I installed the RPM from dag. Some of it was set to go out of the
box. Seems like I didn't need to do anything for SSH rules to work
besides turning it on. Seems like VSFTP was pretty close. Dovecot was a
write I think I might have done... or a major rewrite. Also, as there
are differences between CentOS 3, 4 and 5... I'd also need to know which
version you're running.
This really is a great tool. It is not easy to create rules. I was
actually thinking that a CentOS fail2ban wiki or something might be
nice. If it were divided into separate versions, we could share rules
there. It took me about 3 or 4 hours to write and test just one. But
again, I'm really slow at RegEx.
I keep seeing more attacks on just about every service available.
Dovecot logins being the latest. VSFTP gets hit pretty hard... SSH gets
pounded. But using this as a spam filter is also another good use.
On one of my servers with moderate email traffic, it is banning about
150 IP addresses per hour based just on multiple Spamhaus rejects. That's
a lot of load reduction right there. Now, if I could start pulling out
stuff from SpamAssassin rejects... that could drop our loads by a huge
amount. Over time, it might even reduce the number of attempts... if
they do any purging of old email addresses.
John Hinton
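The thread above touches on two things: the OP's actioncheck failure ("iptables -L INPUT | grep -q fail2ban-SSH" returning 256, which is the raw wait status of a command that exited with status 1, i.e. grep -q found no fail2ban-SSH rule in the INPUT chain), and how much work it is to write and test a failregex for each service (SSH, vsftpd, Dovecot, and Postfix rejects from Spamhaus) before trusting it to ban anything. The following is an added example, not code from the post, from fail2ban, or from CentOS: a small Python model of what a fail2ban filter plus the maxretry/findtime counters do, run over constructed syslog lines so a regex can be checked offline before it goes into jail.conf. The failregex strings, the log formats, the host names and addresses are all hypothetical; the <HOST> expansion is narrowed to IPv4 dotted quads, whereas fail2ban's own also matches hostnames and IPv6; and the syslog year is assumed to be 2009 because syslog timestamps carry none.

```python
"""Model of fail2ban filter matching and maxretry/findtime counting.

Added example (not fail2ban's code). Log lines are constructed, the
failregex patterns are hypothetical, and <HOST> is a simplified stand-in.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> in a failregex with a capture group for the
# offending address. Assumption: IPv4 only (fail2ban's own is broader).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Syslog prefix "Mar  2 02:04:42 host prog[pid]: msg"; there is no year,
# so one is assumed when parsing (see parse_ts).
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Hypothetical failregex lists, one per jail, written fail2ban-style.
FAILREGEX = {
    "ssh": [r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"],
    "vsftpd": [r'vsftpd\[\d+\]: .*FAIL LOGIN: Client "<HOST>"'],
    "dovecot": [r"dovecot: (?:pop3|imap)-login: .*auth failed.*rip=<HOST>"],
    # Treat the MTA's RBL rejects as a "spam" jail, as the post describes.
    "spamhaus": [r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 .*blocked using zen\.spamhaus\.org"],
}

def compile_jails(failregex=FAILREGEX):
    """Expand <HOST> and compile every pattern, keyed by jail name."""
    return {jail: [re.compile(p.replace("<HOST>", HOST)) for p in pats]
            for jail, pats in failregex.items()}

def parse_ts(line, year=2009):
    """Timestamp of a syslog line, or None if the line has no prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")

def match_failures(lines, jails):
    """Return {jail: {host: [timestamps]}} for lines a failregex matches."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for jail, regs in jails.items():
            for rx in regs:
                m = rx.search(line)
                if m:
                    hits[jail][m.group("host")].append(ts)
                    break  # first matching regex of this jail is enough
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Ban a host when maxretry failures fall inside one findtime window."""
    window = timedelta(seconds=findtime)
    banned = defaultdict(list)
    for jail, per_host in hits.items():
        for host, stamps in per_host.items():
            stamps = sorted(stamps)
            for i in range(len(stamps) - maxretry + 1):
                if stamps[i + maxretry - 1] - stamps[i] <= window:
                    banned[jail].append(host)
                    break
    return {jail: sorted(hs) for jail, hs in banned.items()}

# Constructed sample log (RFC 5737 documentation addresses). Note the old
# SSH failure on Mar 1, the 3 vsftpd failures spread over 15 minutes, and
# the single Spamhaus reject from 203.0.113.41.
SAMPLE_LOG = """\
Mar  1 20:00:00 mail sshd[1900]: Failed password for root from 203.0.113.5 port 39000 ssh2
Mar  2 01:58:01 mail sshd[2011]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  2 01:58:03 mail sshd[2011]: Failed password for root from 203.0.113.5 port 40113 ssh2
Mar  2 01:58:05 mail sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Mar  2 01:59:10 mail sshd[2014]: Failed password for invalid user test from 198.51.100.7 port 52000 ssh2
Mar  2 01:59:12 mail sshd[2014]: Accepted publickey for john from 198.51.100.7 port 52001 ssh2
Mar  2 02:00:00 mail vsftpd[2020]: Mon Mar  2 02:00:00 2009 [pid 2020] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Mar  2 02:09:00 mail vsftpd[2021]: Mon Mar  2 02:09:00 2009 [pid 2021] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Mar  2 02:15:00 mail vsftpd[2022]: Mon Mar  2 02:15:00 2009 [pid 2022] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Mar  2 02:01:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.22, lip=198.51.100.1
Mar  2 02:01:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.22, lip=198.51.100.1
Mar  2 02:01:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.22, lip=198.51.100.1
Mar  2 02:02:00 mail postfix/smtpd[2030]: NOQUEUE: reject: RCPT from unknown[203.0.113.40]: 554 5.7.1 Service unavailable; Client host [203.0.113.40] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<mx>
Mar  2 02:02:30 mail postfix/smtpd[2030]: NOQUEUE: reject: RCPT from unknown[203.0.113.40]: 554 5.7.1 Service unavailable; Client host [203.0.113.40] blocked using zen.spamhaus.org; from=<c@example.com> to=<b@example.net> proto=ESMTP helo=<mx>
Mar  2 02:03:00 mail postfix/smtpd[2031]: NOQUEUE: reject: RCPT from unknown[203.0.113.40]: 554 5.7.1 Service unavailable; Client host [203.0.113.40] blocked using zen.spamhaus.org; from=<d@example.com> to=<b@example.net> proto=ESMTP helo=<mx>
Mar  2 02:03:30 mail postfix/smtpd[2031]: NOQUEUE: reject: RCPT from unknown[203.0.113.41]: 554 5.7.1 Service unavailable; Client host [203.0.113.41] blocked using zen.spamhaus.org; from=<e@example.com> to=<b@example.net> proto=ESMTP helo=<mx>
""".splitlines()

def run_sample(maxretry=3, findtime=600):
    return hosts_to_ban(match_failures(SAMPLE_LOG, compile_jails()), maxretry, findtime)

if __name__ == "__main__":
    for jail, hosts in run_sample().items():
        print(jail, hosts)
```

With the defaults (maxretry 3, findtime 600 s) the SSH, Dovecot and Spamhaus offenders get banned, while the vsftpd client does not because its three failures span 15 minutes; raising findtime to an hour bans it too. The point for the regex author is the same one the post makes: test every failregex against real lines from the target log before enabling the jail, because a pattern that never matches silently bans nothing, and one that matches too broadly bans the wrong hosts. The real fail2ban ships fail2ban-regex for exactly this purpose.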