[CentOS] Fail2Ban

Tue Mar 3 00:12:11 UTC 2009
Thomas Dukes <tdukes at sc.rr.com>

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of John Hinton
> Sent: Sunday, March 01, 2009 9:05 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Fail2Ban
> 
> Agile Aspect wrote:
> > John Hinton wrote:
> >> Agile Aspect wrote:
> >>> Devraj Mukherjee wrote:
> >>>> Hi all,
> >>>>
> >>>> I am trying to get fail2ban going on my server and its log message
> >>>> reports the following error
> >>>>
> >>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
> >>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
> >>>>
> >>>> Is this because of the way the RedHat tool sets up the firewall?
> >>>>
> >>>> Thanks for any responses.
> >>>>
> >>> First, have you installed iptables, shorewall, and tcp-wrappers?
> >>>
> >>> Second, have you tried the failed grep expression, i.e., have you 
> >>> tried
> >>>
> >>>           iptables -L INPUT | grep -q fail2ban-SSH
> >>>
> >>> As to why this would fail, you need to ask on the fail2ban mailing
> >>> list since evidently this appears to be part of the installation.
> >>>
> >>> The iptables can be setup by anyone - RedHat simply provides a 
> >>> default set of rules.
> >>>
> >> Actually, it is a rather OS dependent package and the rules for 
> >> CentOS are difficult to write. That really doesn't belong on the 
> >> fail2ban list either.
> > Please post the iptable rule which you believe is OS dependent.
> >
> >> You don't need shorewall, just the standard CentOS firewall works fine.
> > It depends upon what the OP installed. The fail2ban web page 
> > recommends shorewall be installed - so there's a chance the OP 
> > installed it.
> >
> First, I installed the RPM from dag. Some of it was set to go 
> out of the box. Seems like I didn't need to do anything for 
> SSH rules to work besides turning it on. Seems like VSFTP was 
> pretty close. Dovecot was a write I think I might have 
> done... or a major rewrite. Also, as there are differences 
> between CentOS 3, 4 and 5... I'd also need to know which 
> version you're running.
> 
> This really is a great tool. It is not easy to create rules. 
> I was actually thinking that a CentOS fail2ban wiki or 
> something might be nice. If it were divided into separate 
> versions, we could share rules there. It took me about 3 or 4 
> hours to write and test just one. But again, I'm really slow at RegEx.
> 
> I keep seeing more attacks on just about every service available. 
> Dovecot logins being the latest. VSFTP gets hit pretty 
> hard... SSH gets pounded. But using this as a spam filter is
> also another good use.
> On one of my servers with moderate email traffic, it is 
> banning about 150 IP address per hour based just on multiple 
> Spamhaus rejects. That's a lot of load reduction right there. 
> Now, if I could start pulling out stuff from SpamAssassin 
> rejects... that could drop our loads by a huge amount. Over 
> time, it might even reduce the number of attempts... if they 
> do any purging of old email addresses.
> 
> John Hinton

I tried to install the rpm from Dag a while back but it complained about
having Shorewall installed.  I have an older version of fail2ban installed
and cannot upgrade due to this.  I use denyhosts also.

I use firestarter to admin my rules.  Could I edit the requirement for
shorewall out of the spec file in the src rpm to get it to work?

Thanks!!
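Added example, not from anyone in this thread: a small POSIX shell script that reproduces the check fail2ban's stock iptables action runs ("iptables -L INPUT | grep -q fail2ban-SSH"), decodes the "returned 256" from the original post, and prints the chain-setup commands that the action's start step issues. The two INPUT listings are constructed for the example; the RH-Firewall-1-INPUT chain name is the one the stock CentOS firewall tool creates. Treating 256 as a raw wait status (os.system() on Unix returns the exit code in the high byte, so 256 is grep exiting 1, i.e. "chain not found in INPUT") is an assumption about how that fail2ban version logged it, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Reproduces fail2ban's
# iptables "actioncheck" against saved `iptables -L INPUT` output so the
# check can be reasoned about without root, and shows the commands the
# action's start step runs when the jail chain is missing.

# Constructed sample: INPUT on a stock CentOS firewall where fail2ban's
# chain has NOT been hooked in (the situation behind the logged error).
SAMPLE_INPUT_MISSING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere'

# Constructed sample: the same INPUT after fail2ban inserted its jump rule.
SAMPLE_INPUT_PRESENT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere'

# Assumption: the logged number is a raw wait status as returned by
# os.system(); the real exit code lives in the high byte, so 256 -> 1.
decode_wait_status() {
    echo $(( $1 / 256 ))
}

# fail2ban's actioncheck: `iptables -L INPUT | grep -q fail2ban-<name>`.
# $1 is the listing text, $2 the jail name; returns grep's exit status
# (0 = jump rule present, 1 = missing, which is what 256 encodes).
chain_hooked_into_input() {
    printf '%s\n' "$1" | grep -q "fail2ban-$2"
}

# Commands the stock iptables action runs at actionstart: create the jail
# chain, make it fall through with RETURN, then hook it into INPUT for the
# jail's port.  This function only prints them; nothing is executed.
actionstart_commands() {
    name=$1; port=$2
    printf 'iptables -N fail2ban-%s\n' "$name"
    printf 'iptables -A fail2ban-%s -j RETURN\n' "$name"
    printf 'iptables -I INPUT -p tcp --dport %s -j fail2ban-%s\n' "$port" "$name"
}

# Live variant of the check for a real host (needs root and iptables).
# Returns 2 when iptables is not available so callers can distinguish
# "cannot check" from "chain missing".
live_check() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -L INPUT 2>/dev/null | grep -q "fail2ban-$1"
}

# Walk through the original poster's situation: `sh this.sh demo`
if [ "${1:-}" = "demo" ]; then
    echo "logged status 256 decodes to grep exit code $(decode_wait_status 256)"
    if chain_hooked_into_input "$SAMPLE_INPUT_MISSING" SSH; then
        echo "fail2ban-SSH is hooked into INPUT"
    else
        echo "fail2ban-SSH not in INPUT; actionstart should have run:"
        actionstart_commands SSH ssh
    fi
fi
```

The check itself is deliberately the same pipeline fail2ban runs, so if it passes on the saved listing but fails live, the difference is in the running firewall (for instance the jump rule being flushed by a firewall restart), not in the jail configuration.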