Sunday, 21 September 2014

Fail2ban

This howto will help you install and configure Fail2ban on Fedora or Centos. Fail2ban is a daemon that uses Python scripts to parse log files for intrusion attempts and adds the iptables rules you define in its configuration file to ban the offending IP addresses.

Applicable to Centos Versions:

  • Centos 5.x
  • Centos 6.x

Requirements


  1. Root access to the system
  2. Working Internet connection

Doing the Work


  1. Install and configure EPEL and Fail2ban:
  2. Click the EPEL link for more verbose instructions or give this command:
    su -c "rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm"
    (this is the EPEL 5 release package; use the matching release package for Centos 6)
    Then:
    yum install fail2ban
  3. Secure SSH:
  4. You should follow the securing SSH howto before configuring Fail2ban, as most attacks on the system will be attempting to gain access via SSH. Pay close attention to things such as not allowing root logins, max retry attempts, and use of SSH keys. You can use sudo or su - to gain root access once logged into the system as a normal user.
  5. Edit jail.conf to configure it for your needs:
  6. The configuration file is located at /etc/fail2ban/jail.conf. You can use a text editor such as vi or nano to edit the file. Comments have been added to better help you understand the options.

    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 747 $
    #
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.

    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    # Add your own IP address to this list if it doesn't change.
    # This will prevent you from banning yourself by accident.
    ignoreip = 127.0.0.1

    # "bantime" is the number of seconds that a host is banned.
    # The default is 10 minutes, or 600 seconds. The second line effectively sets
    # the ban to be infinite (the last value wins). Adjust to your needs.
    bantime = 600
    bantime = 99999999999999999999999999999999999999999999999

    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600

    # "maxretry" is the number of failures before a host gets banned.
    # It's ok to leave this at 3; for more security, or if you use keys only, set
    # it to 1. A setting of 1 will ban anyone who attempts to log in without a key.
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Gamin if available and polling otherwise.
    backend = auto

    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action sends a notification e-mail with a whois request
    # in the body.
    # This is the most popular/necessary chain; set your email destination and
    # sender here. This will notify you when a user is added/banned in this chain.
    # dest= is your email address, sender= is the address the email comes from,
    # for filtering purposes. Note that the maxretry set here overrides the
    # DEFAULT value above for this jail only.

    [ssh-iptables]

    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=user@example.com, sender=fail2ban@example.com]
    logpath  = /var/log/secure
    maxretry = 5

    [proftpd-iptables]

    enabled  = false
    filter   = proftpd
    action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=ProFTPD, dest=you@mail.com]
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 6

    # This jail forces the backend to "polling".

    [sasl-iptables]

    enabled  = false
    filter   = sasl
    backend  = polling
    action   = iptables[name=sasl, port=smtp, protocol=tcp]
               sendmail-whois[name=sasl, dest=you@mail.com]
    logpath  = /var/log/mail.log

    # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
    # used to avoid banning the user "myuser".

    [ssh-tcpwrapper]

    enabled     = false
    filter      = sshd
    action      = hostsdeny
                  sendmail-whois[name=SSH, dest=you@mail.com]
    ignoreregex = for myuser from
    logpath     = /var/log/sshd.log

    # This jail demonstrates the use of wildcards in "logpath".
    # Moreover, it is possible to give other files on a new line.

    [apache-tcpwrapper]

    enabled  = false
    filter   = apache-auth
    action   = hostsdeny
    logpath  = /var/log/apache*/*error.log
               /home/www/myhomepage/error.log
    maxretry = 6

    # The hosts.deny path can be defined with the "file" argument if it is
    # not in /etc.

    [postfix-tcpwrapper]

    enabled  = false
    filter   = postfix
    action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/postfix.log
    bantime  = 300

    # Do not ban anybody. Just report information about the remote host.
    # A notification is sent at most every 600 seconds (bantime).

    [vsftpd-notification]

    enabled  = false
    filter   = vsftpd
    action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800

    # Same as above but with banning the IP address.

    [vsftpd-iptables]

    enabled  = false
    filter   = vsftpd
    action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800

    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.

    [apache-badbots]

    enabled  = false
    filter   = apache-badbots
    action   = iptables-multiport[name=BadBots, port="http,https"]
               sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
    logpath  = /var/www/*/logs/access_log
    bantime  = 172800
    maxretry = 1

    # Use shorewall instead of iptables.

    [apache-shorewall]

    enabled  = false
    filter   = apache-noscript
    action   = shorewall
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/apache2/error_log

    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.

    [php-url-fopen]

    enabled  = false
    port     = http,https
    filter   = php-url-fopen
    logpath  = /var/www/*/logs/access_log
    maxretry = 1

    # A simple PHP-fastcgi jail which works with lighttpd.
    # If you run a lighttpd server, then you probably will
    # find these kinds of messages in your error_log:
    # ALERT - tried to register forbidden variable 'GLOBALS'
    # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
    # This jail would block the IP 1.2.3.4.

    [lighttpd-fastcgi]

    enabled  = false
    port     = http,https
    filter   = lighttpd-fastcgi
    # adapt the following two items as needed
    logpath  = /var/log/lighttpd/error.log
    maxretry = 2

    # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
    # option is overridden in this jail. Moreover, the action "mail-whois" defines
    # the variable "name" which contains a comma using "". The characters '' are
    # valid too.

    [ssh-ipfw]

    enabled  = false
    filter   = sshd
    action   = ipfw[localhost=192.168.0.1]
               sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
    logpath  = /var/log/auth.log
    ignoreip = 168.192.0.1

    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel security_file {
    #         file "/var/log/named/security.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category security {
    #         security_file;
    #     };
    # };
    #
    # in your named.conf to provide proper logging.

    # This jail blocks UDP traffic for DNS requests.

    [named-refused-udp]

    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/security.log
    ignoreip = 168.192.0.1

    # This jail blocks TCP traffic for DNS requests.

    [named-refused-tcp]

    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/security.log
    ignoreip = 168.192.0.1
  7. Set Fail2ban to start on boot and start the service right now:
  8. chkconfig --level 23 fail2ban on && service fail2ban start
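
As an added example (not fail2ban's own code), this Python script models how the ignoreip, findtime and maxretry settings above decide a ban, running over a few constructed /var/log/secure lines of the form the sshd filter matches:

```python
"""Model of the jail.conf ban logic described above (added example, not fail2ban's code).
A host is banned once it logs maxretry failures inside a findtime-second window,
unless it matches an ignoreip entry. The /var/log/secure lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Shape of the sshd failure lines that the "sshd" filter matches in /var/log/secure
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+)")

SAMPLE_LOG = """\
Sep 21 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4001 ssh2
Sep 21 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Sep 21 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 4003 ssh2
Sep 21 10:01:00 host sshd[1004]: Failed password for bob from 192.168.1.20 port 5001 ssh2
Sep 21 10:02:00 host sshd[1005]: Failed password for bob from 192.168.1.20 port 5002 ssh2
Sep 21 10:03:00 host sshd[1006]: Failed password for bob from 192.168.1.20 port 5003 ssh2
Sep 21 11:00:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 6001 ssh2
Sep 21 11:20:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 6002 ssh2
Sep 21 11:40:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 6003 ssh2
""".splitlines()

def ignored(ip, ignoreip):
    """ignoreip entries are plain addresses or CIDR masks (DNS hosts not handled here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip.split())

def find_bans(lines, maxretry=3, findtime=600, ignoreip="127.0.0.1", year=2014):
    """Return {ip: epoch seconds of the failure that triggered the ban}."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned or ignored(m["ip"], ignoreip):
            continue
        # syslog timestamps carry no year, so one is supplied for parsing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        # sliding window: drop failures older than findtime, then count this one
        recent[m["ip"]] = [t for t in recent[m["ip"]] if ts - t <= findtime] + [ts]
        if len(recent[m["ip"]]) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def ban_rule(ip, name="SSH"):
    """Rule the iptables[name=SSH] action inserts; the troubleshooting step removes it with -D."""
    return f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP"
```

The third host in the sample never gets banned because its failures are 20 minutes apart, i.e. outside findtime, which is why maxretry=1 is the setting the howto recommends for key-only logins.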

Troubleshooting / How To Test


  1. Restart IPtables, Fail2ban and check the status of the Fail2ban install:
  2. service iptables restart && service fail2ban restart && service fail2ban status
     Restarting iptables reloads the saved rule set and drops the fail2ban-* chains Fail2ban had created, so Fail2ban must be restarted afterwards to recreate them.
  3. Remove a ban from the Fail2ban SSH chain (change IP address):
  4. su -c "iptables -D fail2ban-SSH -s 192.168.1.0 -j DROP"

Disclaimer

We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #centoshelp on irc.freenode.net.

Added Reading