Difference between revisions of "Fail2ban"
From Nuclear Physics Group Documentation Pages
Revision as of 18:57, 20 January 2012
This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.
Installing
- The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
- Install fail2ban via yum: yum install fail2ban
Configuring
SSH
- Edit /etc/fail2ban/jail.conf and change the following settings.
- Change bantime to 24 hours (in seconds): bantime = 86400
- Change the ssh-iptables jail (enabled by default) to 6 login attempts and not to send mail. An example config section is provided below.

  [ssh-iptables]
  enabled  = true
  filter   = sshd
  action   = iptables[name=SSH, port=ssh, protocol=tcp]
  #sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
  logpath  = /var/log/secure
  maxretry = 6
Dovecot
- fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
- Two rules need to be added to /etc/fail2ban/jail.conf
- One that monitors /var/log/secure for password failures

  [dovecot-secure]
  enabled = true
  filter = dovecot-secure
  action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
  # optionally mail notification
  # mail[name=dovecot-pop3imap, dest=root@domain]
  # see /etc/fail2ban/action.d/ or Fail2Ban doc
  logpath = /var/log/secure
  maxretry = 6
  findtime = 1200
  bantime = 1200

- And one that monitors /var/log/secure for authentication failures.

  [dovecot-maillog]
  enabled = true
  filter = dovecot-maillog
  action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
  # optionally mail notification
  # mail[name=dovecot-pop3imap, dest=root@domain]
  # see /etc/fail2ban/action.d/ or Fail2Ban doc
  logpath = /var/log/maillog
  maxretry = 6
  findtime = 1200
  bantime = 1200
Starting and Reloading
- Starting the fail2ban service.
  - /usr/bin/fail2ban-client start
  - Note: Always start it from fail2ban-client and not from the service script, because fail2ban-client will tell you if you have any errors in your config, whereas the service will just fail.

- Setting fail2ban to start at boot time.
  - chkconfig fail2ban on

- Reloading fail2ban.
  - fail2ban needs to be reloaded any time a config file is changed or an IP is unbanned.
  - /usr/bin/fail2ban-client reload
 
Unbanning
- Run iptables -L and find the IP address you want to unban. Note: the chain listed by iptables is not the name of the jail that contains the IP. Check the fail2ban config if you don't know the jail name.
- Run the following commands as root.
  - fail2ban-client get <jailname> actionunban <ip address>
  - fail2ban-client reload
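As an added example (not part of the wiki page), a small Python pre-flight check for the jails configured above. It assumes that the iptables* actions used on this page create a chain named fail2ban-<name> from their name= parameter (which is why the chain shown by iptables -L differs from the jail name), and that every enabled jail needs a matching filter.d/<filter>.conf before fail2ban-client start will accept it; the sample jail.conf text is constructed from this page's jails.

```python
import configparser
import re

# Constructed from this page's jails (logpath/retry/time settings left out for brevity).
SAMPLE_JAIL_CONF = """
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]

[dovecot-secure]
enabled = true
filter  = dovecot-secure
action  = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]

[dovecot-maillog]
enabled = true
filter  = dovecot-maillog
action  = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
"""

# Assumption: iptables* actions build their chain name as fail2ban-<name> from name=...
ACTION_NAME = re.compile(r"^\s*iptables[\w-]*\[.*?\bname=([^,\]]+)")

def load_jails(text):
    """Return {jail: options} for every jail section with enabled = true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if cp[s].get("enabled", "false").lower() == "true"}

def chain_to_jails(jails):
    """Map each iptables chain (what iptables -L shows) to the jails that ban into it.
    Several jails can share one chain, so the chain alone does not name the jail."""
    mapping = {}
    for jail, opts in jails.items():
        for line in opts.get("action", "").splitlines():
            m = ACTION_NAME.match(line)
            if m:
                mapping.setdefault("fail2ban-" + m.group(1).strip(), []).append(jail)
    return mapping

def missing_filters(jails, available):
    """Enabled jails whose filter name is not in `available` (e.g. names under filter.d/)."""
    return sorted(j for j, o in jails.items() if o.get("filter", j) not in available)

if __name__ == "__main__":
    jails = load_jails(SAMPLE_JAIL_CONF)
    print(chain_to_jails(jails))
    print(missing_filters(jails, {"sshd"}))  # the page notes the stock package has no dovecot filters
```

Both dovecot jails feed the same fail2ban-dovecot-pop3imap chain, so an entry in iptables -L under that chain could have come from either jail; the filter check flags the two dovecot jails until their filter files exist.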
 
