Difference between revisions of "Fail2ban"
Latest revision as of 17:43, 4 January 2018
This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.
Note: In addition to fail2ban, we also use denyhosts.
ACTIONS
Here are some things you may want to do.
Unbanning
This will remove a ban. Bans are removed automatically after 10 days. You can also find the banned IPs with iptables -L -n, but for 0.9 and later this is easier.
- Check where the ban is.
 fail2ban-client status            # List jails
 fail2ban-client status sshd       # For sshd, list the status, including banned IPs.
- Remove the banned IP from the jail
 fail2ban-client set sshd unbanip <ip-addr>
Reloading
This will reload the config files. Note that it also rescans the logs for the last 10 minutes, so you may end up re-banning.
- systemctl restart fail2ban
- fail2ban-client reload
Installing
- The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
- yum install epel-release
- Alternatively, download the EPEL release RPM from the UNH EPEL mirror and install it:
 RHEL 5: http://mirror.sr.unh.edu/epel/5/x86_64/epel-release-5-4.noarch.rpm
 RHEL 6: http://mirror.sr.unh.edu/epel/6/x86_64/epel-release-6-5.noarch.rpm
 RHEL7Server: http://mirror.sr.unh.edu/epel/7Server/x86_64/e/epel-release-7-10.noarch.rpm
 RHEL7: http://mirror.sr.unh.edu/epel/7/x86_64/e/epel-release-7-10.noarch.rpm
 Install the RPM: rpm -ivh epel-release-<version>.noarch.rpm
- Install fail2ban via yum: yum install fail2ban-all
- systemctl enable fail2ban
- systemctl start fail2ban
Configuring - release 0.9.0 and later
- Tutorial (https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7): useful reading.
To check the configuration:
 fail2ban-client status
 fail2ban-client status sshd
To check the fail2ban logs:
journalctl -b -u fail2ban
Defaults
Go to /etc/fail2ban. Do not edit the jail.conf file itself. Instead, create a file "jail.local" and put your override edits there.
- Enter in jail.local:
 [DEFAULT]
 # We ban for 10*24 hours. You get 5 tries. Per hour.
 bantime  = 864000
 maxretry = 5
 findtime = 3600

 # Override /etc/fail2ban/jail.d/00-firewalld.conf:
 # This makes sure fail2ban uses iptables.
 banaction = iptables-unh

 # Ignore the farm too.
 ignoreip = 10.0.0.1/24

 # Warn me.
 destemail = maurik@physics.unh.edu
 sendername = Fail2Ban@gourd.unh.edu
 mta = sendmail
 action = %(action_mwl)s
 # Do reverse dns lookup
 usedns = yes

 [sshd]
 enabled = true
 chain = INPUT

 [fail2ban]
 enabled = true
 filter = fail2ban
 chain = INPUT
 action = iptables-allports-unh[name=fail2ban]
 logpath = /var/log/fail2ban.log
 maxretry = 3
 # findtime: 5 days
 findtime = 432000
 # bantime: FOREVER
 bantime = -1
- Create a filter.d/fail2ban.conf:
 # Fail2Ban filter for fail2ban
 #
 # If a system is banned too often, ban it permanently.
 #
 # Author: Maurik Holtrop

 [INCLUDES]

 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf

 [Definition]

 deamon = fail2ban

 failregex = ^.*: NOTICE *\[.*\] Ban <HOST>$
 ignoreregex = ^.*: NOTICE *\[fail2ban\] Ban <HOST>$
You may also want to copy action.d/iptables-unh.conf, action.d/iptables-allports-unh.conf and action.d/iptables-multiport-unh.conf from Gourd; these insert the fail2ban rule at position 5 in the chain instead of appending it at the end, where it has no effect.
SSH
- Edit /etc/ssh/sshd_config
- Change: LogLevel VERBOSE
- Set: UseDNS no
 
EMAIL
On systems with email services, add this to jail.local:
 [postfix]
 enabled = true

 [dovecot]
 enabled = true
NAMED
 [named-refused]
 backend = systemd
 enabled = true
FAIL2BAN - permanent blacklist
We can look for systems that were banned multiple times and permanently blacklist them. The trick is to scan the fail2ban.log file for "Ban" lines and, after a certain number of them within a certain time period, add the host to a dedicated fail2ban jail.
Make sure you do a "touch /var/log/fail2ban.log" before starting with this rule for the first time.
To implement, create the file: /etc/fail2ban/filter.d/fail2ban.conf
 # Fail2Ban filter for fail2ban
 #
 # If a system is banned too often, ban it permanently.
 #

 [INCLUDES]

 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf

 [Definition]

 deamon = fail2ban

 failregex = ^.*: NOTICE *\[.*\] Ban <HOST>$
 ignoreregex = ^.*: NOTICE *\[fail2ban\] Ban <HOST>$

 # Author: Maurik Holtrop
and add to the jail.local:
 [fail2ban]
 enabled = true
 filter = fail2ban
 action = iptables-allports[name=fail2ban]
 logpath = /var/log/fail2ban.log
 maxretry = 3
 # findtime: 5 days
 findtime = 432000
 # bantime: FOREVER
 bantime = -1
Configuring Older Versions - 0.8
SSH
- Edit the /etc/fail2ban/jail.conf and change the following settings.
- Change bantime to 24 hours (in seconds): bantime = 86400
- Change the ssh-iptables jail (enabled by default) to 6 login attempts and not to send mail. An example config section is provided below.
 [ssh-iptables]
 enabled  = true
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
 #sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
 logpath  = /var/log/secure
 maxretry = 6
If you also want fail2ban to watch an sshd instance listening on port 80, add these lines below the ones listed above (the ones for the standard ssh port), giving the second jail its own section name and action name:
 # The section name and the action's name= must differ from the ssh-iptables
 # jail above; a repeated [ssh-iptables] section would override the first one
 # and both jails would share a single iptables chain. Names here are our choice.
 [ssh-iptables-http]
 enabled  = true
 filter   = sshd
 action   = iptables[name=SSH-http, port=http, protocol=tcp]
 #sendmail-whois[name=SSH-http, dest=root, sender=fail2ban@example.com]
 logpath  = /var/log/secure
 maxretry = 5
Dovecot
- fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
- Two rules need to be added to /etc/fail2ban/jail.conf: one that monitors /var/log/secure for password failures
 [dovecot-secure]
 enabled  = true
 filter   = dovecot-secure
 action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
 # optionally mail notification
 # mail[name=dovecot-pop3imap, dest=root@domain]
 # see /etc/fail2ban/action.d/ or Fail2Ban doc
 logpath  = /var/log/secure
 maxretry = 6
 findtime = 1200
 bantime  = 1200
- And one that monitors /var/log/maillog for authentication failures.
 [dovecot-maillog]
 enabled  = true
 filter   = dovecot-maillog
 action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
 # optionally mail notification
 # mail[name=dovecot-pop3imap, dest=root@domain]
 # see /etc/fail2ban/action.d/ or Fail2Ban doc
 logpath  = /var/log/maillog
 maxretry = 6
 findtime = 1200
 bantime  = 1200
- You will also need to add custom filters, as the ones listed are not available by default. They are listed below.
/etc/fail2ban/filter.d/dovecot-maillog.conf
 [Definition]

 #failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
 failregex =  (?: Authentication failure).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*

 ignoreregex = (?: Disconnected: Logged out).*

/etc/fail2ban/filter.d/dovecot-secure.conf
 [Definition]
 failregex =  (?: dovecot-auth.*authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
 ignoreregex =
Postfix
- fail2ban does NOT have a default setting that will work for postfix. The following has been tested and works on CentOS 5.
- Edit the sasl-iptables rule in /etc/fail2ban/jail.conf to be the following.
 [sasl-iptables]
 enabled  = true
 filter   = sasl
 backend  = polling
 action   = iptables[name=sasl, port="smtp", protocol=tcp]
 logpath  = /var/log/maillog
 bantime  = 1200
 maxretry = 6
- Next, edit /etc/fail2ban/filter.d/sasl.conf to have the following regex:
 failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|login|PLAIN|plain|(?:CRAM|DIGEST)-MD5) authentication failed.*$
Multi Ban
Most of our ban rules do not ban IPs permanently. However, if an IP continuously attempts to break into the system, it makes sense to ban it forever. This is done by monitoring fail2ban's own logs for multiple bans over a certain time period. Make sure that this is a SEPARATE jail: if you simply do a permanent ban under the same jail, then when the ban that triggered the permanent ban (i.e. SSH) expires it will unban the IP and negate the permanent ban.
In this file make sure to have the ignore regex set to the jail name for this rule.
/etc/fail2ban/filter.d/fail2ban.conf
 [Definition]
 failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>
 ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>
The rule to add to /etc/fail2ban/jail.conf
 #
 # Track fail2ban's own logging and ban an IP permanently after 3 bans.
 #
 [fail2ban]
 enabled = true
 filter = fail2ban
 action = iptables-allports[name=fail2ban]
 logpath = /var/log/messages
 maxretry = 3
 # findtime: 5 days
 findtime = 432000
 # bantime: FOREVER
 bantime = -1
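A worked model of the permanent-blacklist jail described here and in the "FAIL2BAN - permanent blacklist" section above, added as an example (it is neither fail2ban's own code nor from this wiki): it applies the page's failregex/ignoreregex pairs to constructed fail2ban log lines and counts bans per host the way maxretry/findtime do, showing why the ignoreregex must name the jail itself. The <HOST> expansion is simplified to IPv4 and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> in failregex/ignoreregex with its own host pattern;
# this IPv4-only stand-in is an assumption made for this example.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")   # fail2ban log timestamp

def compile_filter(failregex, ignoreregex):
    """Expand <HOST> and compile a filter.d-style (failregex, ignoreregex) pair."""
    return (re.compile(failregex.replace("<HOST>", HOST)),
            re.compile(ignoreregex.replace("<HOST>", HOST)))

# The two filters from the page: the 0.9 (NOTICE) form and the 0.8 (WARNING) form.
FILTER_09 = compile_filter(r"^.*: NOTICE *\[.*\] Ban <HOST>$",
                           r"^.*: NOTICE *\[fail2ban\] Ban <HOST>$")
FILTER_08 = compile_filter(r"fail2ban.actions: WARNING \[(.*)\] Ban <HOST>",
                           r"fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>")

def matched_hosts(lines, filt):
    """Yield (timestamp, host) for every line that hits failregex but not
    ignoreregex. The ignoreregex is what stops the [fail2ban] jail's own
    "Ban" lines from feeding back into the count."""
    failre, ignorere = filt
    for line in lines:
        m, ts = failre.search(line), TS.match(line)
        if not m or not ts or ignorere.search(line):
            continue
        yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")

def hosts_to_ban(lines, filt, maxretry=3, findtime=432000):
    """Return hosts with >= maxretry matches inside a findtime-second window,
    i.e. what the jail's maxretry = 3 / findtime = 432000 (5 days) would ban."""
    recent, banned = defaultdict(list), []
    for ts, host in matched_hosts(lines, filt):
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample of fail2ban 0.9 log lines (not real data). 203.0.113.7 is
# banned three times within 5 days; 198.51.100.9 only once per window.
LOG_09 = """\
2018-01-04 10:00:01,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2018-01-04 10:00:02,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2018-01-05 10:00:01,100 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2018-01-06 11:00:01,100 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.7
2018-01-08 12:00:01,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2018-01-08 12:00:02,100 fail2ban.actions [1234]: NOTICE [fail2ban] Ban 203.0.113.7
2018-01-20 12:00:02,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2018-02-09 12:00:02,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
""".splitlines()

# Constructed sample in the 0.8 format; the [fail2ban] line must not count.
LOG_08 = """\
2018-01-04 10:00:01,100 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2018-01-04 10:00:05,100 fail2ban.actions: WARNING [sasl-iptables] Ban 203.0.113.7
2018-01-04 10:00:09,100 fail2ban.actions: WARNING [fail2ban] Ban 203.0.113.7
2018-01-04 10:00:12,100 fail2ban.actions: WARNING [dovecot-secure] Ban 203.0.113.7
""".splitlines()

if __name__ == "__main__":
    print("0.9 log:", hosts_to_ban(LOG_09, FILTER_09))   # ['203.0.113.7']
    print("0.8 log:", hosts_to_ban(LOG_08, FILTER_08))   # ['203.0.113.7']
```

To check a real filter against a real log, use the page's fail2ban-regex command instead; this model only illustrates the counting and the ignoreregex feedback guard.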
Testing Filters
- Often, different versions of software will write to the logs differently, or you may want to monitor a different piece of software with fail2ban. In these cases you will probably need to write or edit your own regexes. Below is an example of a command you can run to test them.
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
LEGACY
Starting and Reloading
- Starting the fail2ban service.
- /usr/bin/fail2ban-client start
- Note: Always start it with fail2ban-client and not with the service command, because the client will tell you if you have any errors in your config, whereas the service will just fail.
 
- Setting fail2ban to start at boot time.
- chkconfig fail2ban on
 
- Reloading fail2ban.
- Fail2ban needs to be reloaded any time any config files are changed or an IP is unbanned.
- /usr/bin/fail2ban-client reload
 
Unbanning <0.88
- Clear all denyhosts bans
- Run iptables -L and find the IP address you want to unban:
- iptables -n -L | grep ###.###.##
- Note: the chain listed in iptables is not the jail the IP is contained in. Check the fail2ban config if you don't know the jail name.
- The default SSH jail name is ssh-iptables
 
 
- Run the following commands as root. For Red Hat 5:
- fail2ban-client get <jailname> actionunban <ip address>
- fail2ban-client reload
 
- For Red Hat/Centos 6:
- fail2ban-client set ssh-iptables unbanip <ip address>
- fail2ban-client reload
 
