Fail2ban

From gr0x0rd
Latest revision as of 10:02, 9 May 2011

Installing fail2ban

Fail2ban is a daemon that watches your log files and, when an IP address keeps failing authentication against a service, bans it by adding an iptables rule. Before you begin, check that /etc/portage/package.use or make.conf has the threads USE flag set for dev-lang/python; if python was built without it, re-emerge python with threads enabled.

When you are ready, emerge fail2ban.

$ sudo emerge -av fail2ban

To configure fail2ban, start with the option the init script passes to fail2ban-client. The -x flag makes fail2ban-client remove a stale socket file before starting the server, so the service still comes up after a crash or power loss. It is a command-line option, not a setting in fail2ban.conf, so a FAIL2BAN_OPTIONS line in fail2ban.local is ignored; on Gentoo the init script reads it from /etc/conf.d/fail2ban.

$ sudo nano -w /etc/conf.d/fail2ban

Add the following line:

FAIL2BAN_OPTIONS="-x"

Save the file. Now create your own jail file:

$ sudo nano -w /etc/fail2ban/jail.local

Use the following example to configure your jail.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@yourserver]
logpath  = /var/log/messages
maxretry = 10
bantime = -1

[pure-ftpd-iptables]

enabled  = true
filter   = pure-ftpd
action   = iptables-allports[name=Pure-FTPD, protocol=all]
           sendmail-whois[name=Pure-FTPD, dest=your@email.com, sender=fail2ban@yourserver]
logpath  = /var/log/messages
maxretry = 5
bantime = -1

Replace your@email.com and yourserver with the appropriate values. bantime = -1 makes every ban permanent; to have bans expire instead, set bantime to a number of seconds (jail.conf's default is 600). Because iptables-allports with protocol=all drops every packet from a banned address, add the addresses you administer from to ignoreip in a [DEFAULT] section of jail.local, so that a few typos at the wrong moment cannot lock you out of your own server. Save and close the file. Next, define the filter for pure-ftpd.

$ sudo nano -w /etc/fail2ban/filter.d/pure-ftpd.local

Use the following example to configure the pure-ftpd filter. The .local file overrides the failregex shipped in filter.d/pure-ftpd.conf; %(__errmsg)s refers to the list of pure-ftpd error messages defined in that file, so it still resolves. Before enabling the jail, check the regex against your real log with fail2ban-regex, giving it /var/log/messages and the filter file as arguments: it reports how many lines matched and which hosts it extracted, and zero matches means the jail will never ban anyone.

[Definition]
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
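Before enabling the jails above it helps to see how failregex, maxretry, findtime and bantime fit together. The Python below is an added, self-contained model written for this page, not fail2ban's own code: it expands <HOST> into a named group the way fail2ban does, applies the pure-ftpd failregex above (with an abbreviated stand-in for %(__errmsg)s) and a simplified sshd failregex to a few constructed /var/log/messages lines, and counts failures per host to decide when a ban starts and, for a positive bantime, when it expires. The sample log lines, the __errmsg stand-in, the sshd pattern and the findtime default of 600 seconds are assumptions made for the example.

```python
"""Offline model of a fail2ban jail (added example, not fail2ban's own code).

Shows how a failregex with <HOST> extracts the offending address and how
maxretry, findtime and bantime decide when that address gets banned.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named group before compiling the regex
# (pattern follows the 0.8 series; an assumption for this example).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Abbreviated stand-in for %(__errmsg)s from filter.d/pure-ftpd.conf (assumption).
ERRMSG = r"(?:Authentication failed for user|Sorry, cleartext sessions and weak ciphers are not accepted on this server)"

FILTERS = {
    # the pure-ftpd failregex from the page, with %(__errmsg)s expanded
    "pure-ftpd": r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] " + ERRMSG + r" \[.+\]$",
    # simplified sshd failregex (constructed; the shipped one carries a longer prefix)
    "sshd": r"sshd(?:\[\d+\])?: Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
}

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed /var/log/messages excerpt: five pure-ftpd failures from one host,
# one failure and a success from another, and one sshd failure.
SAMPLE_LOG = """\
May  9 10:00:01 gw pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
May  9 10:00:03 gw pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
May  9 10:00:04 gw pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [test]
May  9 10:00:05 gw pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [ftp]
May  9 10:00:06 gw pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [guest]
May  9 10:00:07 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [bob]
May  9 10:00:08 gw pure-ftpd: (?@198.51.100.7) [INFO] bob is now logged in
May  9 10:05:00 gw sshd[1234]: Failed password for invalid user oracle from 192.0.2.9 port 4444 ssh2
"""


def syslog_time(stamp):
    """Parse a year-less syslog timestamp such as 'May  9 10:00:01'."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def compile_failregex(regex):
    return re.compile(regex.replace("<HOST>", HOST_RE))


def parse_line(line, pattern):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m_ts = SYSLOG_TS.match(line)
    m = pattern.search(line)
    if not (m_ts and m):
        return None
    return syslog_time(m_ts.group("ts")), m.group("host")


class Jail:
    def __init__(self, failregex, maxretry, findtime=600, bantime=-1):
        self.pattern = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)  # host -> timestamps of recent failures
        self.bans = {}                     # host -> expiry, or None for a permanent ban

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        hit = parse_line(line, self.pattern)
        if hit is None:
            return None
        ts, host = hit
        if self.is_banned(host, ts):
            return None
        window = self.failures[host]
        window.append(ts)
        # only failures within the last findtime seconds count toward maxretry
        window[:] = [t for t in window if ts - t <= timedelta(seconds=self.findtime)]
        if len(window) >= self.maxretry:
            self.bans[host] = None if self.bantime < 0 else ts + timedelta(seconds=self.bantime)
            window.clear()
            return host
        return None

    def is_banned(self, host, now):
        if host not in self.bans:
            return False
        expiry = self.bans[host]
        return expiry is None or now < expiry


def run(log=SAMPLE_LOG, maxretry=5, bantime=-1, name="pure-ftpd"):
    """Feed the log through one jail; return (jail, hosts banned in order)."""
    jail = Jail(FILTERS[name], maxretry=maxretry, bantime=bantime)
    banned = [h for h in (jail.feed(line) for line in log.splitlines()) if h]
    return jail, banned


if __name__ == "__main__":
    jail, banned = run()
    print("pure-ftpd jail, maxretry=5, bantime=-1:", banned)
    print("same log, maxretry=10:", run(maxretry=10)[1])
```

Running the file bans 203.0.113.5 on its fifth failure and leaves 198.51.100.7 alone; with maxretry = 10, as in the ssh jail above, the same five failures produce no ban, and with a positive bantime the host is released once it elapses. This only checks the logic; test the real filter against your real log with fail2ban-regex.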

The stock sendmail-whois action mails you on every start, stop and ban. The override below does two things: it empties actionstart and actionstop so that restarting the service no longer sends mail, and it replaces actionban with an abuse report: it runs whois on the banned address, picks contact addresses out of the record (preferring those found near words such as abuse, spam or security) and mails them the message text plus the matching log lines. Think before enabling this: every ban then emails a third party chosen by an automated whois parse, which misfires on records with stale or unrelated addresses, so keep maxretry high enough that you are confident the traffic is hostile.

$ sudo nano -w /etc/fail2ban/action.d/sendmail-whois.local

[Definition]

actionstart =
actionstop =
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
            IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
                (printf %%b "Subject: [Fail2Ban] <name>: Abuse from <ip>
                From: Fail2Ban <<sender>>
                To: <dest>\n
                <message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> <sender> $ADDRESSES <mailargs>
            fi

[Init]
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
logpath = /var/log/messages
mailcmd = /usr/sbin/sendmail -f
mailargs = -c youremail@host.ext
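The perl one-liner in actionban is dense, and since it decides who receives an abuse complaint it is worth seeing exactly what it selects. The Python below is an added rendering of the same rule for this page, not fail2ban's code; it runs the selection over a constructed whois record (not a real registry entry) so the scoring is visible.

```python
"""Contact selection from the actionban whois parse, rendered in Python.

Added example for this page, not fail2ban's code: the same rule as the perl
one-liner in the action, run over a constructed whois record.
"""
import re

ADDR = re.compile(r"[a-z0-9_\-.+]+@[a-z0-9\-]+(?:\.[a-z0-9\-]+)+", re.I)
HINT = re.compile(r"abuse|trouble:|report|spam|security", re.I)
SKIP = re.compile(r"^changed|@(?:ripe|apnic)\.net", re.I)


def abuse_contacts(whois_text):
    """Return the addresses the action would mail, lower-cased and sorted.

    A line mentioning abuse/trouble:/report/spam/security adds 3 to a score
    that drops by 1 on every line carrying no address (that line included).
    An address found while the score is still positive goes to the preferred
    set; with the score at zero it goes to the fallback set. Any address resets
    the score. The preferred set wins if non-empty, otherwise the fallback.
    """
    score = 0
    preferred, fallback = {}, {}
    for line in whois_text.splitlines():
        if SKIP.search(line):  # 'changed:' lines and registry addresses are ignored
            continue
        if HINT.search(line):
            score += 3
        addrs = ADDR.findall(line)
        if addrs:
            for addr in addrs:
                (preferred if score else fallback)[addr.lower()] = score
            score = 0
        elif score:
            score -= 1
    return sorted(preferred) if preferred else sorted(fallback)


# Constructed whois record (documentation prefix, not a real registry entry).
WHOIS_SAMPLE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Hosting (documentation prefix)
admin-c:        EX123-TEST
changed:        hostmaster@example.net 20110101
person:         Jane Doe
e-mail:         jane.doe@example.net
remarks:        Please send abuse reports to
remarks:        the address below
e-mail:         abuse@example.net
source:         TEST
"""

if __name__ == "__main__":
    # the remark two lines above abuse@example.net makes it outrank jane.doe
    print(abuse_contacts(WHOIS_SAMPLE))
```

Two properties of the rule are worth knowing before trusting its choice: the hint score decays by one per address-less line, so an address more than two lines below the last hint is no longer treated as preferred, and if no line ever hints at abuse the complaint goes to every address in the record, including personal ones such as jane.doe above.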

Start the service and add it to the default runlevel; afterwards, fail2ban-client status lists the jails that came up.

$ sudo /etc/init.d/fail2ban start
$ sudo rc-update add fail2ban default