[CentOS] fail2ban attempt, anyone want to add anything?

Fri Apr 20 13:25:55 UTC 2012
Tilman Schmidt <t.schmidt at phoenixsoftware.de>

Am 20.04.2012 08:02, schrieb Bob Hoffman:

> /etc/fail2ban/jail.conf

> In all sections I commented out the mailto section [...]

I don't use mailto either. It's just not manageable if you have
more than a very small number of machines.

> line 16, added a space then my server ip address 123.123.123.123 
> (example ip address, not real)
> ignoreip = 127.0.0.1 123.456.789.123

I never felt a need for that.
OTOH, in the typical configuration for machines in my DMZ, I always
add my entire internal network here, e.g.

ignoreip = 127.0.0.1 10.0.0.0/16

> SSH section
[...]
> sasl section
[...]
> line 71, 'rewrote it to'  action   = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
> this blocks all mail ports when someone tries and fails
[...]
> Apache
[...]
> action   = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]

I prefer action = iptables-allports on all of these, so that a
source address attempting a bruteforce attack on one service is
immediately banned from all services. I can't imagine a scenario
where a machine that got blocked, for example, for attempting to
bruteforce passwords via SMTP AUTH, should be allowed to try via
FTP next. Even password attempts against ssh, which accepts only
public key authentication on all my machines, trigger a block on
all ports. So far I haven't had a single complaint about that.

> service fail2ban start
> chkconfig fail2ban on
> service iptables restart (not sure if you have to or not with each 
> fail2ban restart)

I don't think you have to. I never do, and it works fine anyway.

HTH
Tilman

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
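As an added example (not part of this thread and not fail2ban's own shipped configuration), here is a `jail.local` override that applies the two preferences from the reply above: the whole internal network listed in `ignoreip`, and `iptables-allports` on every jail so that a source banned for one service is cut off from all of them. Jail names and filter names follow the fail2ban 0.8 `jail.conf` layout; the `10.0.0.0/16` network, the host address and the CentOS log paths are assumptions for illustration.

```ini
# Added example: /etc/fail2ban/jail.local
# Settings here override the same keys in /etc/fail2ban/jail.conf (fail2ban 0.8.x).
# Assumptions: 10.0.0.0/16 is the internal network, 123.123.123.123 the host's
# own address, and log paths are the CentOS defaults.

[DEFAULT]
# Never ban localhost, the host itself, or anything on the internal network.
ignoreip = 127.0.0.1 123.123.123.123 10.0.0.0/16
# One hour ban after 5 failures inside 10 minutes.
bantime  = 3600
findtime = 600
maxretry = 5

[ssh-iptables]
enabled  = true
filter   = sshd
# allports: no port list needed; the offending source is dropped entirely.
action   = iptables-allports[name=SSH, protocol=tcp]
logpath  = /var/log/secure

[sasl-iptables]
enabled  = true
filter   = sasl
# A failed SMTP AUTH attempt blocks the source from every service, not just mail.
action   = iptables-allports[name=POSTFIX, protocol=tcp]
logpath  = /var/log/maillog

[apache-auth]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=ApacheAuth, protocol=tcp]
logpath  = /var/log/httpd/error_log
```

After `service fail2ban restart`, `fail2ban-client status ssh-iptables` lists the currently banned addresses for that jail, and `iptables -L fail2ban-SSH -n` shows the chain the allports action inserts the DROP rules into; an address from the internal network should never appear in either, even after repeated failures, which is the quickest way to confirm the `ignoreip` entry is being honoured.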