Fail2ban
From Nuclear Physics Group Documentation Pages
This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.
Installing
- The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
- Install fail2ban via yum:
yum install fail2ban
Configuring
SSH
- Edit /etc/fail2ban/jail.conf and change the following settings.
- Change bantime to 24 hours (in seconds)
bantime = 86400
- Change the ssh-iptables jail (enabled by default) to allow 6 login attempts and not to send mail. An example config section is provided below.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
#sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 6
Dovecot
- fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
- Two rules need to be added to /etc/fail2ban/jail.conf: one that monitors /var/log/secure for password failures
[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/secure
maxretry = 6
findtime = 1200
bantime = 1200
- And one that monitors /var/log/maillog for authentication failures.
[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/maillog
maxretry = 6
findtime = 1200
bantime = 1200
- You will also need to add custom filters, as the ones listed are not available by default. They are listed below.
/etc/fail2ban/filter.d/dovecot-maillog.conf
[Definition]
#failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
failregex = (?: Authentication failure).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
/etc/fail2ban/filter.d/dovecot-secure.conf
[Definition]
failregex = (?: dovecot-auth.*authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =
Testing Filters
- Different versions of software often write to the logs differently, or you may want to monitor a different piece of software with fail2ban. In these cases you will probably need to write or edit your own regexes. Below is an example of a command you can run to test them.
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
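The following Python script is an added example, not part of the original page or of fail2ban. It applies the two dovecot failregex patterns above to constructed log lines, using a simplified model of filter matching, and reports which host each line would be counted against. The helper banned_host and all sample lines are assumptions made for illustration.

```python
import re

# Regexes copied from the two filter files on this page.
MAILLOG_FAIL = r"(?: Authentication failure).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
MAILLOG_IGNORE = r"(?: Disconnected: Logged out).*"
SECURE_FAIL = r"(?: dovecot-auth.*authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)"

def banned_host(line, failregex, ignoreregex=None):
    """Return the host a line would be counted against, or None.

    Simplified model of a filter (an assumption, not fail2ban's code):
    ignoreregex wins, then failregex is searched anywhere in the line
    and the named group 'host' is the offender.
    """
    if ignoreregex and re.search(ignoreregex, line):
        return None
    m = re.search(failregex, line)
    return m.group("host") if m and m.group("host") else None

# Constructed sample lines (not taken from a real server).
MAILLOG = [
    # IPv4-mapped address: the ::ffff: prefix is stripped from the host.
    "Jan 12 10:15:01 mail dovecot: imap-login: Authentication failure: "
    "user=<bob>, rip=::ffff:203.0.113.7, lip=::ffff:192.0.2.10",
    # rip= is the last field, so the comma the regex requires is missing.
    "Jan 12 10:15:02 mail dovecot: imap-login: Authentication failure: "
    "user=<bob>, rip=203.0.113.8",
    # Normal logout, excluded by ignoreregex.
    "Jan 12 10:15:03 mail dovecot: IMAP(bob): Disconnected: Logged out",
]
SECURE = [
    "Jan 12 10:15:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:203.0.113.7",
    # sshd failure in the same log: not a dovecot-auth line, so not counted.
    "Jan 12 10:15:04 mail sshd[2211]: pam_unix(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.4",
]

def run():
    """Evaluate every sample line against its filter."""
    maillog = [banned_host(l, MAILLOG_FAIL, MAILLOG_IGNORE) for l in MAILLOG]
    secure = [banned_host(l, SECURE_FAIL) for l in SECURE]
    return maillog, secure

if __name__ == "__main__":
    for name, hosts in zip(("maillog", "secure"), run()):
        print(name, hosts)
```

The second maillog line shows a failure this filter would miss: the pattern only matches when a comma follows the rip= value, so check your own log format with fail2ban-regex before relying on it.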
Starting and Reloading
- Starting the fail2ban service.
/usr/bin/fail2ban-client start
- Note: Always start it from the fail2ban-client and not service because it will tell you if you have any errors in your config, whereas the service will just fail.
- Setting fail2ban to start at boot time.
chkconfig fail2ban on
- Reloading fail2ban.
- Fail2ban needs to be reloaded any time any config files are changed or an IP is unbanned.
/usr/bin/fail2ban-client reload
Unbanning
- Run iptables -L and find the IP address you want to unban. Note: the chain listed in iptables is not the name of the jail that contains the IP. Check the fail2ban config if you don't know the jail name.
- Run the following commands as root.
fail2ban-client get <jailname> actionunban <ip address>
fail2ban-client reload