Gr0x0rd: /* Installing fail2ban */

2011-05-09T17:02:07Z

Installing fail2ban

Gr0x0rd: Created page with "== Installing fail2ban == Fail2ban is a wonderful daemon that monitors your log files and bans IP addresses attacking your server using iptables. Before you begin, check that yo..."

2011-05-09T17:01:15Z

Created page with "== Installing fail2ban == Fail2ban is a wonderful daemon that monitors your log files and bans IP addresses attacking your server using iptables. Before you begin, check that yo..."

New page

== Installing fail2ban ==

Fail2ban is a wonderful daemon that monitors your log files and bans IP addresses attacking your server using iptables. Before you begin, check that your ''/etc/portage/package.use'' or ''make.conf'' has the '''threads''' use flag set for ''dev-lang/python''. You'll may need to re-emerge python with the threads use flag if it wasn't built with it before.

When you are ready, emerge fail2ban.
'''$''' sudo emerge -av fail2ban
To configure fail2ban, start by creating local config files.
'''$''' sudo nano -w /etc/fail2ban/fail2ban.local
Add the follwoing line which will recreate the socket if the system crashes or loses power:
[Definition]
FAIL2BAN_OPTIONS="-x"
Save the file. Now create your own jail file:
'''$''' sudo nano -w /etc/fail2ban/jail.local
Use the following example to configure your jail.
<pre>
[ssh-iptables]

enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@yourserver]
logpath = /var/log/messages
maxretry = 10
bantime = -1

[pure-ftpd-iptables]

enabled = true
filter = pure-ftpd
action = iptables-allports[name=Pure-FTPD, protocol=all]
sendmail-whois[name=Pure-FTPD, dest=your@email.com, sender=fail2ban@yourserver]
logpath = /var/log/messages
maxretry = 5
bantime = -1
</pre>
Make sure you have set your@email.com and yourserver to the appropriate values. If you want to impose a time limit on the bans, uncomment the bantime fields.
close and save the file. Now we will set the parameters for pure-ftpd.
'''$''' sudo nano -w /etc/fail2ban/filter.d/pure-ftpd.local
Use the following example to configure your ftp server sercurity.
<pre>
[Definition]
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
</pre>
If you want to disable notification when the service stops or starts
'''$''' sudo nano -w /etc/fail2ban/action.d/sendmail-whois.local
<pre>
[Definition]

actionstart =
actionstop =
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
IP=<ip>
if [ ! -z "$ADDRESSES" ]; then
(printf %%b "Subject: [Fail2Ban] <name>: Abuse from <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> <sender> $ADDRESSES <mailargs>
fi

[Init]
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
logpath = /var/log/messages
mailcmd = /usr/sbin/sendmail -f
mailargs = -c gr0x0rd@shaw.ca
</pre>
Start the service and add it to startup.
'''$''' sudo /etc/init.d/fail2ban start
'''$''' sudo rc-update add fail2ban default

@@ Line 62: / Line 62: @@
 logpath = /var/log/messages
 mailcmd = /usr/sbin/sendmail -f
-mailargs = -c gr0x0rd@shaw.ca
+mailargs = -c youremail@host.ext
 </pre>
 Start the service and add it to startup.
   '''$''' sudo /etc/init.d/fail2ban start
   '''$''' sudo rc-update add fail2ban default

Fail2ban - Revision history

Gr0x0rd: /* Installing fail2ban */

Gr0x0rd: Created page with "== Installing fail2ban == Fail2ban is a wonderful daemon that monitors your log files and bans IP addresses attacking your server using iptables. Before you begin, check that yo..."