Tonight I added fail2ban to one of my webservers to test it out. Here is my step by step, as best as I could figure it out... documentation is a bit sketchy. Feel free to add anything to it or suggest changes. I tried to set it up to deal with ssh, http authentication, dovecot, ftp, and postfix. I could find no working example for CentOS 6 and there is no fail2ban book available to peruse. So, just winging it....

I used the EPEL repo and it needed the following packages to work correctly. I do not use priorities, but I add things by using includepkgs= in the repo file.

    fail2ban
    shorewall
    python-inotify
    gamin-python

(logging) Although fail2ban adds a logrotate file for fail2ban.log, it logs everything to the /var/log/messages file, so I changed /etc/fail2ban/fail2ban.conf line 25:

    logtarget = /var/log/fail2ban.log

Perhaps overlooked by the rpm developer?

/etc/fail2ban/jail.conf

In all sections I commented out the mailto section since it just sends a ton of mails when started/stopped... yikes. Not sure if there is a setting only for errors or actions... but the start/stop mails are too annoying. Will use logwatch daily to check on it.

Line 16, added a space then my server ip address 123.123.123.123 (example ip address, not real):

    ignoreip = 127.0.0.1 123.456.789.123

SSH section
    line 48: enabled = true
    line 50: changed to my port number
    commented out the mailto section

sasl section (for postfix)
    line 68: enabled = true
    backend = polling (I left this but have no idea if I should or not)
    line 71, rewrote it to:
        action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]

This blocks all mail ports when someone tries and fails... at least I think it does....? :)

Apache (this was tough since many online sources say it will not work, but will test and see)

    [apache-tcpwrapper]
    enabled = true
    filter = apache-auth
    action = iptables-multiport[name=ApacheAuth, port="80,443", protocol=tcp]
    logpath = /var/log/httpd/*error_log
    maxretry = 4

Several docs suggest tcpwrapper and CentOS are a no go, and that this will not work... trying it anyway. All the http stuff is not set up for CentOS; its default is to look for /var/log/apache, so this was not set up at all by the rpm dev... at least not the working examples in the jail.conf file.

Added this to the bottom (and a new file must be created to work with it):

    [Dovecot]
    enabled = true
    filter = dovecot
    maxretry = 5
    action = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
    logpath = /var/log/maillog

(again, I added all mail ports in case of a hacker)

New file added: /etc/fail2ban/filter.d/dovecot.conf

    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching.
    # Values: TEXT
    #
    failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

Then:

    service fail2ban start
    chkconfig fail2ban on
    service iptables restart (not sure if you have to or not with each fail2ban restart)

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
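A quick way to check that the dovecot failregex from the post actually catches failed logins before enabling the jail is to run it over some maillog lines and count hits per source address, which is what fail2ban-regex does for a filter. The script below is an added example, not part of the original post: the regex is copied from the dovecot.conf above, the maillog lines are constructed (RFC 5737 documentation addresses), and the function names are my own. It ignores findtime and only compares the per-host count against the jail's maxretry.

```python
import re
from collections import Counter

# The failregex exactly as written in the dovecot.conf filter in the post.
# fail2ban uses Python's re module, and the (?P<host>...) named group is what
# fail2ban reads the offending address from.
FAILREGEX = (
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)
FAIL_RE = re.compile(FAILREGEX)

# Constructed sample of /var/log/maillog lines (not real traffic): five
# dovecot failures from 198.51.100.7, one from 192.0.2.44, one successful
# login, and one postfix SASL line that the dovecot filter must not match.
SAMPLE_MAILLOG = """\
Mar  1 10:15:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Mar  1 10:15:09 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Mar  1 10:15:20 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS
Mar  1 10:16:01 mail dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=198.51.100.7, lip=203.0.113.5
Mar  1 10:16:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5
Mar  1 10:16:45 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Mar  1 10:16:58 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Mar  1 10:17:00 mail postfix/smtpd[1234]: warning: unknown[198.51.100.99]: SASL LOGIN authentication failed
"""


def match_failures(lines, pattern=FAIL_RE):
    """Return (host, line) for every line the failregex matches.

    This is the per-line test fail2ban applies to a jail's logpath; a line
    with no match is simply ignored, so a regex that misses the real log
    format means the jail never bans anyone.
    """
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), line))
    return hits


def failure_counts(lines, pattern=FAIL_RE):
    """Number of matched failures per source host."""
    return dict(Counter(host for host, _ in match_failures(lines, pattern)))


def hosts_over_threshold(lines, maxretry=5, pattern=FAIL_RE):
    """Hosts whose failure count reaches the jail's maxretry.

    fail2ban also requires the failures to fall inside findtime; the sample
    lines are all within a couple of minutes, so that window is not modelled.
    """
    return {host: n for host, n in failure_counts(lines, pattern).items()
            if n >= maxretry}


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    for host, line in match_failures(lines):
        print("match  %-15s %s" % (host, line[:60]))
    print("counts:", failure_counts(lines))
    print("would ban (maxretry=5):", hosts_over_threshold(lines, maxretry=5))
```

On the server itself the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf`, which reports how many lines matched; if it reports zero on a log you know contains failed logins, the regex and the log format disagree and the jail is not protecting anything.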