Mainos / Advertisement:

Fail2ban

From Taisto
Jump to navigation Jump to search
This page is a translated version of the page Fail2ban and the translation is 100% complete.

Other languages:
English • ‎suomi

Fail2ban helps you to protect yourself from brute force attacks coming from a single IP-address by monitoring the log files on your server. Fail2ban can be used - for example - to prevent logging in after a set amount of failed login attempts.

You can get different kinds of filters for Fail2ban which work for instance with Apache, Dovecot, Postfix and SSH.

The problem with Fail2ban is that it does not support IPv6 addresses and does not protect well against distributed brute force attacks.


Installation

Debian / Ubuntu

 aptitude install fail2ban

OR

 apt-get install fail2ban

Red Hat / CentOS / Fedora

Download installation package

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install with the command

 yum install fail2ban

Configuration

Open /etc/fail2ban/jail.conf

 nano /etc/fail2ban/jail.conf

Default settings:

ignoreip = IP-addresses which bypass the filters

bantime = Determines how long an address is kept on the ban list, default is 600 seconds

findtime = Blocks an IP-address if it has failed to login three times consecutively within the set time, findtime

maxretry = How many attempts an address is allowed until it is blocked


Example configuration:

[DEFAULT]

 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = 127.0.0.1 192.168.1.1
 bantime  = 600
 maxretry = 3
 
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto


This configuration excludes the IP-addresses 192.168.1.1 and 172.0.0.1 (=localhost) from the ban list. Maximum 3 login attempts allowed until address is placed on a 600 second ban list.

And the SSH configuration:

[ssh]                                      # fail2ban-ssh = filter name
 
enabled  = true                            # is filter in use? options are true and false
port     = ssh                             # port which can be used for ssh for example port 22
filter   = sshd                            # type of filter. filters can be found from the /etc/fail2ban/filter.d/ directory
logpath  = /var/log/auth.log               # location of logs
maxretry = 6                               # how many attempts are allowed

Example configurations:

Apache

 [apache]
 
 enabled  = true
 port     = http,https
 filter   = apache-auth
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 # default action is now multiport, so apache-multiport jail was left
 # for compatibility with previous (<0.7.6-2) releases
 [apache-multiport]
 
 enabled   = true
 port      = http,https
 filter    = apache-auth
 logpath   = /var/log/apache*/*error.log
 maxretry  = 6
 [apache-noscript]
 
 enabled  = true
 port     = http,https
 filter   = apache-noscript
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 [apache-overflows]
 
 enabled  = true
 port     = http,https
 filter   = apache-overflows
 logpath  = /var/log/apache*/*error.log
 maxretry = 2


SSH

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

By default SSH allows 6 attempts when trying to form a connection, we recommend limiting it to 3 attempts.

port = ssh must be changed if you have changed the SSH default port in the /etc/ssh/sshd.config file.

Proftpd

 [proftpd]
 enabled  = true
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = proftpd
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 3

Postfix

 [postfix]
 
 enabled  = true
 port     = smtp,ssmtp
 filter   = postfix
 logpath  = /var/log/mail.log
 [sasl]
 
 enabled  = true
 port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter   = sasl
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = /var/log/mail.log
 [dovecot]
 
 enabled = true
 port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter  = dovecot
 logpath = /var/log/mail.log

Log File

Fail2ban checks the ban list from the fail2ban log, which can be found under the path /var/log/fail2ban.log

 nano /var/log/fail2ban.log


In this file you can see all the logs and attempts made trying to connect to your server.


Example log:


 2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116
 2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100
 2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116
 2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100
 2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164
 2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164

Related info

Iptables

Additional information

https://www.omaserveri.info/suojaa-ssh-yhteytesi-brute-force-hyokkayksilta/ (Finnish)

Sources

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6

Mainos / Advertisement: