[CentOS] Fail2Ban

Mon Mar 2 02:04:42 UTC 2009
John Hinton <webmaster at ew3d.com>

Agile Aspect wrote:
> John Hinton wrote:
>> Agile Aspect wrote:
>>> Devraj Mukherjee wrote:
>>>> Hi all,
>>>>
>>>> I am trying to get fail2ban going on my server and its log message
>>>> reports the following error
>>>>
>>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q
>>>> fail2ban-SSH' returned 256
>>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh
>>>> -j fail2ban-SSH
>>>>
>>>> Is this because of the way the RedHat tool sets up the firewall?
>>>>
>>>> Thanks for any responses.
>>>>
>>> First, do you have iptables, shorewall, and tcp-wrappers
>>> installed?
>>>
>>> Second, have you tried the failed grep expression, i.e., have
>>> you tried
>>>
>>>           iptables -L INPUT | grep -q fail2ban-SSH
>>>
>>> As to why this would fail, you need to ask on the fail2ban
>>> mailing list since evidently this appears to be part of the
>>> installation.
>>>
>>> The iptables can be set up by anyone - RedHat simply provides
>>> a default set of rules.
>>>
>> Actually, it is a rather OS dependent package and the rules for CentOS
>> are difficult to write. That really doesn't belong on the fail2ban list
>> either.
>>
> Please post the iptables rule which you believe is OS dependent.
>
>> You don't need shorewall, just the standard CentOS firewall works fine.
>>
> It depends upon what the OP installed. The fail2ban web page
> recommends shorewall be installed - so there's a chance the OP
> installed it.
>
First, I installed the RPM from dag. Some of it was set to go out of the 
box. Seems like I didn't need to do anything for SSH rules to work 
besides turning it on. Seems like VSFTP was pretty close. Dovecot was a 
write I think I might have done... or a major rewrite. Also, as there 
are differences between CentOS 3, 4 and 5... I'd also need to know which 
version you're running.

This really is a great tool. It is not easy to create rules. I was 
actually thinking that a CentOS fail2ban wiki or something might be 
nice. If it were divided into separate versions, we could share rules 
there. It took me about 3 or 4 hours to write and test just one. But 
again, I'm really slow at RegEx.

I keep seeing more attacks on just about every service available. 
Dovecot logins being the latest. VSFTP gets hit pretty hard... SSH gets 
pounded. But using this as a spam filter is also another good use. 
On one of my servers with moderate email traffic, it is banning about 
150 IP addresses per hour based just on multiple Spamhaus rejects. That's 
a lot of load reduction right there. Now, if I could start pulling out 
stuff from SpamAssassin rejects... that could drop our loads by a huge 
amount. Over time, it might even reduce the number of attempts... if 
they do any purging of old email addresses.

John Hinton
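As an added example (not code from this thread or from the fail2ban project), here is a small Python harness in the spirit of fail2ban-regex for testing a filter's failregex patterns against sample log lines, and applying maxretry/findtime, before a jail is switched on. The `<HOST>` placeholder is fail2ban's convention; the sshd and Dovecot log lines, the patterns, and the year 2009 assumed for the year-less syslog timestamps are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban filters write "<HOST>" where the offending IP appears; expand it
# to a capturing group the way fail2ban-regex does (IPv4 only here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample of /var/log/secure and /var/log/maillog style lines.
SAMPLE_LOG = """\
Mar  2 02:00:01 mail sshd[1234]: Failed password for root from 10.0.0.5 port 4242 ssh2
Mar  2 02:00:03 mail sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4243 ssh2
Mar  2 02:00:09 mail sshd[1236]: Failed password for root from 10.0.0.5 port 4244 ssh2
Mar  2 02:01:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.7, lip=10.0.0.1
Mar  2 02:05:00 mail sshd[1240]: Accepted password for john from 198.51.100.9 port 5000 ssh2
""".splitlines()

# Constructed failregex patterns (not fail2ban's shipped filters).
FAILREGEX = [
    r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2",
    r"dovecot: (?:pop3|imap)-login: Aborted login \(auth failed, \d+ attempts\): .*rip=<HOST>,",
]

def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def parse_ts(line):
    # syslog timestamps carry no year; 2009 is assumed for the constructed sample
    return datetime.strptime("2009 " + line[:15], "%Y %b %d %H:%M:%S")

def scan(lines, regexes):
    """Return (timestamp, host) for every line some failregex matches (one hit per line)."""
    hits = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.append((parse_ts(line), m.group("host")))
                break
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Ban a host once it has maxretry hits inside a findtime-second window (fail2ban semantics)."""
    window, per_host, banned = timedelta(seconds=findtime), defaultdict(list), set()
    for ts, host in sorted(hits):
        per_host[host] = [t for t in per_host[host] if ts - t <= window] + [ts]
        if len(per_host[host]) >= maxretry:
            banned.add(host)
    return banned

def run(lines=SAMPLE_LOG, patterns=FAILREGEX, maxretry=3, findtime=600):
    return hosts_to_ban(scan(lines, compile_failregex(patterns)), maxretry, findtime)

if __name__ == "__main__":
    print(sorted(run()))  # prints ['10.0.0.5']: three failures in 8 s; the Dovecot host has only one
```

Lowering findtime below the spacing of the three sshd failures (e.g. `run(findtime=5)`) bans nothing, which is the kind of tuning mistake worth catching before the jail goes live.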