Fail2ban
Installing fail2ban
Fail2ban is a wonderful daemon that monitors your log files and uses iptables to ban IP addresses that are attacking your server. Before you begin, check that your /etc/portage/package.use or make.conf has the threads USE flag set for dev-lang/python. You may need to re-emerge python with the threads USE flag if it was not built with it before.
When you are ready, emerge fail2ban.
$ sudo emerge -av fail2ban
To configure fail2ban, start by creating local config files.
$ sudo nano -w /etc/fail2ban/fail2ban.local
Add the following lines, which will recreate the socket if the system crashes or loses power:
[Definition]
FAIL2BAN_OPTIONS="-x"
Save the file. Now create your own jail file:
$ sudo nano -w /etc/fail2ban/jail.local
Use the following example to configure your jail.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
         sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@yourserver]
logpath = /var/log/messages
maxretry = 10
bantime = -1
[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables-allports[name=Pure-FTPD, protocol=all]
         sendmail-whois[name=Pure-FTPD, dest=your@email.com, sender=fail2ban@yourserver]
logpath = /var/log/messages
maxretry = 5
bantime = -1
Make sure you have set your@email.com and yourserver to the appropriate values. A bantime of -1 makes bans permanent; if you want to impose a time limit on the bans, set the bantime fields to a number of seconds instead. Close and save the file. Now we will set the parameters for pure-ftpd.
$ sudo nano -w /etc/fail2ban/filter.d/pure-ftpd.local
Use the following example to configure your FTP server security.
[Definition]
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
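Before relying on the filter above, it is worth checking that the failregex actually matches what pure-ftpd writes to /var/log/messages and that the jail's maxretry logic bans the host you expect. The following Python script is an added example (not part of this guide or of fail2ban itself): it expands the <HOST> tag the way fail2ban does, runs the regex over constructed log lines and applies maxretry counting inside a findtime window. The expansion of __errmsg and the syslog line layout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes its <HOST> tag with this named group (copied from the
# upstream substitution; the optional prefix handles IPv4-mapped IPv6 addresses).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# __errmsg is defined in the stock filter.d/pure-ftpd.conf; this expansion is an assumption.
ERRMSG = r"(?:Authentication failed for user|Too many failed login attempts for user)"
# failregex exactly as in pure-ftpd.local above; %(...)s is fail2ban config interpolation.
FAILREGEX = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$"

def compile_failregex(failregex, errmsg=ERRMSG):
    """Expand the %(__errmsg)s and <HOST> placeholders, then compile the pattern."""
    return re.compile(failregex.replace("%(__errmsg)s", errmsg).replace("<HOST>", HOST))

def failures(lines, regex):
    """Yield (timestamp, host) for each line the failregex matches (syslog timestamp prefix)."""
    for line in lines:
        m = regex.search(line)
        if m:
            yield datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")

def hosts_to_ban(lines, regex, maxretry=5, findtime=600):
    """Return hosts that reach maxretry failures inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), set()
    for ts, host in failures(lines, regex):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample syslog lines (not real log data): five quick failures from
# one host, a successful login, and two failures 40 minutes apart from another host.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Mar 10 12:00:02 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Mar 10 12:00:03 gw pure-ftpd: (alice@203.0.113.9) [INFO] Logged in
Mar 10 12:00:04 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Mar 10 12:00:05 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [ftp]
Mar 10 12:00:06 gw pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [www]
Mar 10 12:30:00 gw pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [alice]
Mar 10 13:10:00 gw pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [alice]
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, compile_failregex(FAILREGEX), maxretry=5))
```

fail2ban's own fail2ban-regex tool performs the same match check against a real log file and filter, and is the thing to run after editing a .local filter on the server.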
If you want to disable notification when the service stops or starts, create a local copy of the sendmail-whois action:
$ sudo nano -w /etc/fail2ban/action.d/sendmail-whois.local
[Definition]
actionstart =
actionstop =
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
            IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
              (printf %%b "Subject: [Fail2Ban] <name>: Abuse from <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              <message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> <sender> $ADDRESSES <mailargs>
            fi
[Init]
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
logpath = /var/log/messages
mailcmd = /usr/sbin/sendmail -f
mailargs = -c youremail@host.ext
Start the service and add it to the default runlevel so it starts at boot.
$ sudo /etc/init.d/fail2ban start
$ sudo rc-update add fail2ban default