Difference between revisions of "Fail2ban"
From Nuclear Physics Group Documentation Pages
Jump to navigationJump to searchLine 22: | Line 22: | ||
== Dovecot == | == Dovecot == | ||
*fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5. | *fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5. | ||
− | *Two rules need to be added to <em>/etc/fail2ban/jail.conf</em> | + | *Two rules need to be added to <em>/etc/fail2ban/jail.conf</em>, one that monitors <em>/var/log/secure</em> for password failures |
− | |||
[dovecot-secure] | [dovecot-secure] | ||
enabled = true | enabled = true | ||
Line 33: | Line 32: | ||
findtime = 1200 | findtime = 1200 | ||
bantime = 1200 | bantime = 1200 | ||
− | + | *And one that monitors <em>/var/log/secure</em> for authenication failures. | |
[dovecot-maillog] | [dovecot-maillog] | ||
enabled = true | enabled = true |
Revision as of 18:59, 20 January 2012
This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.
Installing
- The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
- Install fail2ban via yum:
yum install fail2ban
Configuring
SSH
- Edit the /etc/fail2ban/jail.conf and change the following settings.
- Change bantime to 24 hours (in seconds)
bantime = 86400
- Change ssh-iptables jail (enabled by default) to 6 login attempts and not to send mail. An example config section is provided below.
- Change bantime to 24 hours (in seconds)
[ssh-iptables]
enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] #sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com] logpath = /var/log/secure maxretry = 6
Dovecot
- fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
- Two rules need to be added to /etc/fail2ban/jail.conf, one that monitors /var/log/secure for password failures
[dovecot-secure] enabled = true filter = dovecot-secure action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] # optionaly mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc logpath = /var/log/secure maxretry = 6 findtime = 1200 bantime = 1200
- And one that monitors /var/log/secure for authenication failures.
[dovecot-maillog] enabled = true filter = dovecot-maillog action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] # optionaly mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc logpath = /var/log/maillog maxretry = 6 findtime = 1200 bantime = 1200
Starting and Reloading
- Starting the fail2ban service.
/usr/bin/fail2ban-client start
- Note: Always start it from the fail2ban-client and not service because it will tell you if you have any errors in your config, whereas the service will just fail.
- Setting fail2ban to start at boot time.
chkconfig fail2ban on
- Reloading fail2ban.
- Fail2ban needs to be reloaded any time any config files are changed or an ip is ubanned
/usr/bin/fail2ban-client reload
Unbanning
- Run iptables -L and find the ip address you want to unban. Note: the chain listed in iptables is not the jail the ip is contained. Check the fail2ban config if you don't know the jail name.
- Run the following commands as root.
fail2ban-client get <jailname> actionunban <ip address>
fail2ban-client reload