fail2ban attempt, anyone want to add anything?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Tonight I added fail2ban to one of my webservers to test it out.
Here is my step by step, as best as I could figure it 
out...documentation a bit sketchy.

feel free to add anything to it or suggest changes.

I tried to set it up to deal with ssh, http authentication, dovecot, 
ftp, and postfix


I could find no working example for centos 6 and there is no fail2ban 
book available to peruse.
So, just winging it....



I used the EPEL repo and it needed the following packages to work correctly
I do not use priorities, but I add things by using includepkgs= in the 
repo file.
fail2ban shorewall python-inotify gamin-python

(logging)
although fail2ban adds a logrotate file for fail2ban.log, it logs 
everything to the /var/log/messages file
so I changed
/etc/fail2ban/fal2ban.conf
line 25 logtarget = /var/log/fail2ban.log
Perhaps overlooked by the rpm developer?


/etc.fail2ban/jail.conf

In all sections I commented out the mailto section since it just sends a 
ton of mails when start/stopped...yikes.
Not sure if there is a setting only for errors or actions...but the 
start/stop mails are too annoying. Will use logwatch
daily to check on it.

line 16, added a space then my server ip address 123.123.123.123 
(example ip address, not real)
ignoreip = 127.0.0.1 123.456.789.123


SSH section
line 48 enabled=true
line 50, changed to my port number
commented out the mailto section


sasl section
(for postfix)
line 68 enabled=true
backend = polling (I left this but have no idea if I should or not)
line 71, 'rewrote it to'  action   = iptables-multiport[name=POSTFIX, 
port="25,465,993,995", protocol=tcp]
this blocks all mail ports when someone tries and fails
at least I think it does....?  :)

Apache
(this was tough since many online sources says it will not work, but 
will test and see)
[apache-tcpwrapper]
enabled  = true
filter     = apache-auth
action   = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
logpath  = /var/log/httpd/*error_log
maxretry = 4
Several docs suggest tcpwrapper and centos are a no go, and that this 
will not work...trying it anyway
All the http stuff is not set up for centos, its default is to look for 
/var/log/apache so this was not set
up at all by the rpm dev...at least not the working examples in the 
jail.conf file.


added this to the bottom (and a new file must be created to work with it)
[Dovecot]
enabled  = true
filter   = dovecot
maxretry = 5
action   = iptables-multiport[name=DOVECOT, port="25,465,993,995", 
protocol=tcp]
logpath  = /var/log/maillog
(again, I added all mail ports in case of a hacker)


New file added
/etc/fail2ban/filter.d/
  new file dovecot.conf

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag 
"<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#

failregex = (?: pop3-login|imap-login): (?:Authentication 
failure|Aborted login \(auth failed|Aborted login \(tried to use 
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


service fail2ban start
chkconfig fail2ban on
service iptables restart (not sure if you have to or not with each 
fail2ban restart)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux