Fail2ban

Description

While each server environment is unique and has its own set of demands based on what’s being hosted on it and who needs access to it, there are some basic things like Fail2ban which are in the standard toolset for anyone concerned with security.

Fail2ban scans log files (e.g. /var/log/httpd/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (Apache httpd, postfix, courier, ssh, etc).

1. Add the EPEL Yum software repository.

C6: rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
C7: rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

yum install fail2ban

2. View global configuration, look at defaults and enable sshd jail (next step). Other jails can also be enabled here that apply to you.

nano /etc/fail2ban/jail.conf

[DEFAULT] ignoreip = 127.0.0.1/8 bantime = 600 maxretry = 5

1 2 3 4

[DEFAULT] ignoreip = 127.0.0.1/8 bantime  = 600 maxretry = 5

3. Setup an sshd jail to catch failed attempts to subvert the system and login.

nano /etc/fail2ban/jail.local

[sshd] enabled = true filter = sshd logpath = /var/log/secure findtime = 3600 bantime = 99999999999999999999999999999999999999999999999 maxretry = 3 port = 12121 logpath = %(sshd_log)s banaction = iptables-allports

1 2 3 4 5 6 7 8 9 10

[sshd] enabled = true filter = sshd logpath = /var/log/secure findtime = 3600 bantime = 99999999999999999999999999999999999999999999999 maxretry = 3 port    = 12121 logpath = %(sshd_log)s banaction = iptables-allports

4. Setup a WodPress jail to catch failed attempts to subvert the system.

nano /etc/fail2ban/jail.local

[wordpress] enabled = true filter = wordpress logpath = /var/log/secure findtime = 3600 bantime = 99999999999999999999999999999999999999999999999 action = iptables-multiport[name=wordpress,port="80,443"]

1 2 3 4 5 6 7

[wordpress] enabled = true filter = wordpress logpath = /var/log/secure findtime = 3600 bantime = 99999999999999999999999999999999999999999999999 action = iptables-multiport[name=wordpress,port="80,443"]

5. Setup a rule/pattern to disable access to /xmlrpc.php and other failed attempts to subvert the system. Take a look at other filters that come pre-configured in /etc/fail2ban/filter.d/

nano /etc/filter.d/wordpress.conf

# Fail2Ban filter for wordpress # [INCLUDES] before = common.conf [Definition] _daemon = wordpress failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$ ^%(__prefix_line)sPingback error .* generated from <HOST>$ ignoreregex = # Author: John Doe

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# Fail2Ban filter for wordpress #   [INCLUDES]   before = common.conf   [Definition]   _daemon = wordpress   failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$             ^%(__prefix_line)sPingback error .* generated from <HOST>$   ignoreregex =   # Author: John Doe

6. Start fail2ban service

systemctl start fail2ban.service

7. Enable the fail2ban service to start on system boot

systemctl enable fail2ban

Troubleshooting & Testing

• Check the status of the fail2ban service

systemctl status fail2ban.service

• Verify where the sshd jail is listening for failed attempts to gain entry to the system.

netstat -tulnp

• View SELinux system messages

journalctl -lfu fail2ban

• Build an SELinux policy module to deal with blocked access or behaviour you want to allow, where “mypol” is the name you want to call your new policy module.

grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Disclaimer

We test this stuff on our own machines, really we do. But you may run into problems, if you do, come to #centoshelp on irc.freenode.net