Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs selected with regex ( e.g. show the malicious signs/ packets -- too many password failures, seeking for exploits, etc.) Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).
For more info refer to the official web site
How to install Fail2ban.
Enable Epel repository first:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Enable the remi repository.
Open the file /etc/yum.repos.d/remi.repo and set enable=1 in remi section of the file.
name=Les RPM de remi pour Enterprise Linux $releasever - $basearch #baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/ mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi failovermethod=priority
Now install Fail2ban:
yum install fail2ban
Set Fail2ban to start at boot
chkconfig fail2ban on
Copy config file to keep the original backup.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we have a working config file /etc/fail2ban/jail.local, configure it according to your needs.
In /etc/fail2ban/fail2ban.conf you able to select fail2ban log level , log path etc. Here is the default config:
[Definition] loglevel = 3 logtarget = SYSLOG # the fail2ban will write log into /var/log/messages if on Centos socket = /var/run/fail2ban/fail2ban.sock pidfile = /var/run/fail2ban/fail2ban.pid
Start service
service fail2ban start
Now you have working Fail2ban server. To display banned hosts, enter:
iptables -L -n -v
To unlock IP, enter
iptables -D fail2ban-ssh 1
Configure
- SSH
By default fail2ban configured to block ip after several ssh failed authentication.
You need only to provide the correct path to the ssh log (in centos by default it /var/log/secure) You can find this rule in /etc/fail2ban/jail.local config file:
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5
- APACHE HTTP
Lets configure fail2ban to block DDoS on httpd 80 and 443 ports. It;s also possible to configure the ip ban in case of "N" failed httpd logons (we do not showing it coz it quite simple -just enable it in config)
Add these lines to /etc/fail2ban/jail.local:
[http-get-dos] enabled = true port = http,https filter = http-get-dos logpath = /var/log/www/vhost.d/example.com/yoursite-access_log #provide correct apache access log path! maxretry = 60 # max amount of retries findtime = 120 # in max amount of seconds. 60 retries in 120 seconds from 1 unique IP = ban hammer. bantime = 6000 # for 6,000 seconds or 10 minutes. action = iptables[name=HTTP, port=http, protocol=tcp] iptables[name=HTTPS, port=https, protocol=tcp] sendmail-whois-withline[name=httpd-get-dos, dest=yourname@yourdomain, logpath=/var/log/httpd/yoursite-access_log] # sets iptables variables.
Create the new file /etc/fail2ban/filter.d/http-get-dos.conf and put the next config lines inside:
# Fail2Ban configuration file # # Author: http://www.go2linux.org # [Definition] # Option: failregex # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match. # You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives. #failregex = ^ -.*GET failregex = ^<HOST> -.*"(GET|POST).* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Restart fail2ban
service fail2ban restart
Check status
service fail2ban status fail2ban-server (pid 2104) is running... Status |- Number of jail: 2
` - Jail list: http-get-dos, ssh-iptables
- NGINX
Nginx can block DDoS like attempt by itself. Refer to the nginx guide. Anyway here ios the example for nginx: Add to /etc/fail2ban/jail.local
[nginx-req-limit] enabled = true filter = nginx-req-limit action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] logpath = /var/log/nginx/*error.log #check the correct path to logfile! findtime = 600 bantime = 7200 maxretry = 10
The filter should be the next /etc/fail2ban/filter.d/nginx-req-limit.conf
# Fail2Ban configuration file # # supports: ngx_http_limit_req_module module [Definition] failregex = limiting requests, excess:.* by zone.*client: <HOST> # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Remember to restart fail2ban if some config file was modified to apply settings.
Also it;s possible to enable nginx-http-auth rule. Just modify the /etc/fail2ban/jail.local config
- DOVECOT AUTH ATTEMPTS ban
Just set "enabled" to "true" in /etc/fail2ban/jail.local config file and remember to specify correct path to the maillog
# dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] enabled = true filter = dovecot action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp] logpath = /var/log/maillog
- EXIM
The mostly similar. You can specify few ports and sure - correct path to the logfile. Find and esdit this lines in /etc/fail2ban/jail.local:
[exim] enabled = true filter = exim action = iptables-multiport[name=exim,port="25,465,587"] logpath = /var/log/exim_rejectlog #/var/log/exim/mainlog
________________ Miscelanous
You can see the detailed status for specified rule, like this:
fail2ban-client status nginx-req-limit
fail2ban-client -d