Difference between revisions of "Fail2ban"
Revision as of 15:53, 15 April 2015
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs selected with a regex, i.e. IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) can also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).
For more info refer to the official web site: http://www.fail2ban.org/
How to install Fail2ban.
Enable the EPEL repository first:
 wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
 wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
 rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Enable the remi repository.
Open the file /etc/yum.repos.d/remi.repo and set enabled=1 in the remi section of the file:
 name=Les RPM de remi pour Enterprise Linux $releasever - $basearch
 #baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/
 mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
 failovermethod=priority
Now install Fail2ban:
 yum install fail2ban
Set Fail2ban to start at boot:
 chkconfig fail2ban on
Copy the config file so the original is kept as a backup:
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we have a working config file, /etc/fail2ban/jail.local; configure it according to your needs.
Start the service:
 service fail2ban start
Now you have a working Fail2ban server. To display banned hosts, enter:
 iptables -L
To unblock an IP (here, the first rule in the fail2ban-ssh chain), enter:
 iptables -D fail2ban-ssh 1
Configure
- By default fail2ban is configured to block an IP after several failed SSH authentications.
You only need to provide the correct path to the SSH log (on CentOS it is /var/log/secure by default). You can find this rule in the /etc/fail2ban/jail.local config file:
 [ssh-iptables]
 enabled  = true
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 logpath  = /var/log/secure
 maxretry = 5
- Let's configure fail2ban to block DDoS on the httpd ports 80 and 443.
Add these lines to /etc/fail2ban/jail.local (the comments are kept on their own lines, because fail2ban only treats a "#" at the start of a line as a comment; a continuation line of a multi-value option must be indented):
 # name of rule
 [http-get-dos]
 # enable or disable
 enabled  = true
 # 80,443
 port     = http,https
 # name of filter
 filter   = http-get-dos
 # apache log path
 logpath  = /var/log/www/vhost.d/example.com/yoursite-access_log
 # max amount of retries
 maxretry = 60
 # in max amount of seconds. 60 retries in 120 seconds from 1 unique IP = ban hammer.
 findtime = 120
 # for 6,000 seconds (100 minutes).
 bantime  = 6000
 # sets iptables variables.
 action   = iptables[name=HTTP, port=http, protocol=tcp]
            iptables[name=HTTPS, port=https, protocol=tcp]
            sendmail-whois-withline[name=httpd-get-dos, dest=yourname@yourdomain, logpath=/var/log/httpd/yoursite-access_log]
Create the new file /etc/fail2ban/filter.d/http-get-dos.conf and put the following config lines inside:
 # Fail2Ban configuration file
 #
 # Author: http://www.go2linux.org
 #
 [Definition]
 # Option: failregex
 # Note: This regex will match any GET or POST entry in your logs, so basically all valid and invalid entries are a match.
 # You should set maxretry and findtime in the jail config carefully in order to avoid false positives.
 #failregex = ^ -.*GET
 failregex = ^<HOST> -.*"(GET|POST).*
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
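To see what the http-get-dos jail and its filter actually do together, here is an added example (not from the original page or the fail2ban project) that replays constructed Apache access-log lines through the page's failregex and the maxretry/findtime window. The `<HOST>` expansion is the classic fail2ban pattern and the sample IPs and timestamps are constructed; a real access log could be fed to `banned_hosts()` line by line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Jail settings taken from the page's [http-get-dos] section.
MAXRETRY = 60
FINDTIME = 120  # seconds

# failregex taken from the page's http-get-dos.conf filter.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*'

# fail2ban replaces the <HOST> tag with a named group that captures the IP
# or hostname; this is the classic expansion (assumed, version dependent).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))
TIME_RE = re.compile(r"\[([^\]]+)\]")  # Apache's [dd/Mon/yyyy:HH:MM:SS zone]

def match_host(line):
    """Return the host the failregex captures, or None if the line is no 'failure'."""
    m = FAIL_RE.search(line)
    return m.group("host") if m else None

def log_time(line):
    """Parse the Apache timestamp out of an access-log line."""
    return datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines; return hosts reaching maxretry matches within findtime."""
    windows = defaultdict(deque)  # host -> timestamps of matches still inside findtime
    banned = set()
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        ts = log_time(line)
        w = windows[host]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:  # forget matches older than findtime
            w.popleft()
        if len(w) >= maxretry:
            banned.add(host)
    return banned

def sample_line(ip, offset, method="GET"):
    """Construct an Apache combined-format access-log line (sample data, not real traffic)."""
    t = datetime(2015, 4, 15, 15, 53, 0, tzinfo=timezone.utc) + timedelta(seconds=offset)
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "{method} /index.html HTTP/1.1" 200 512'

# Constructed traffic: 198.51.100.7 sends 60 GETs within one minute (gets banned),
# 203.0.113.5 sends 60 POSTs spread over ten minutes (never 60 inside 120 s, no ban).
SAMPLE_LOG = ([sample_line("198.51.100.7", s) for s in range(60)]
              + [sample_line("203.0.113.5", s * 10, "POST") for s in range(60)])
```

Because the filter matches every GET and POST, only the maxretry/findtime pair separates a flood from a busy legitimate client, which is why the filter's own comment warns about false positives.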
Restart fail2ban:
 service fail2ban restart
Check the status:
 service fail2ban status
 fail2ban-server (pid 2104) is running...
 Status
 |- Number of jail: 2
 `- Jail list: http-get-dos, ssh-iptables