Difference between revisions of "Fail2ban"

From Nuclear Physics Group Documentation Pages
Revision as of 18:57, 20 January 2012

This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.

Installing

  1. The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
    • Download the EPEL repository install RPM:
      RHEL 5
      RHEL 6
    • Install the rpm:
      rpm -ivh epel-release-<version>.noarch.rpm
  2. Install fail2ban via yum:
    yum install fail2ban

Configuring

SSH

  • Edit the /etc/fail2ban/jail.conf and change the following settings.
    • Change bantime to 24 hours (in seconds)
      bantime = 86400
    • Change ssh-iptables jail (enabled by default) to 6 login attempts and not to send mail. An example config section is provided below.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 6

Dovecot

  • fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
  • Two rules need to be added to /etc/fail2ban/jail.conf
    • One that monitors /var/log/secure for password failures
[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
#           optional mail notification
#           mail[name=dovecot-pop3imap, dest=root@domain]
#           see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/secure
maxretry = 6
findtime = 1200
bantime = 1200
    • And one that monitors /var/log/maillog for authentication failures.
[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
#           optional mail notification
#           mail[name=dovecot-pop3imap, dest=root@domain]
#           see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/maillog
maxretry = 6
findtime = 1200
bantime = 1200
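To make the maxretry, findtime and bantime values in the ssh-iptables and dovecot-secure sections concrete, here is an added example (not from this page and not fail2ban's own code) that replays constructed /var/log/secure lines through the same counting rule fail2ban applies: an IP is banned once it produces maxretry matching failures inside a sliding findtime window, for bantime seconds. The sshd regex approximates fail2ban's stock sshd filter; the dovecot-auth regex is a hypothetical stand-in for the dovecot-secure filter, which the page names but does not show; and the 600 s findtime used for ssh-iptables is an assumption (the stock jail.conf default), since the page does not set one for that jail.

```python
"""Replay /var/log/secure lines through a fail2ban-style jail (illustration only)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as set on this page.  [ssh-iptables] sets no findtime there,
# so fail2ban's stock default of 600 s is assumed for it.
SSH_JAIL = {"maxretry": 6, "findtime": 600, "bantime": 86400}
DOVECOT_SECURE_JAIL = {"maxretry": 6, "findtime": 1200, "bantime": 1200}

# SSHD_FAILED approximates fail2ban's stock sshd filter.  DOVECOT_PAM_FAILED is a
# hypothetical stand-in for the page's dovecot-secure filter: it matches the PAM
# failure line dovecot-auth writes to /var/log/secure.  The `host` group plays
# the role of <HOST> in a real failregex.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+)")
DOVECOT_PAM_FAILED = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure;.*rhost=(?P<host>\S+)")


def simulate(lines, failregex, maxretry, findtime, bantime, year=2012):
    """Return {ip: ban_expiry} for every IP this jail would ban.

    Syslog timestamps carry no year, so one is supplied.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    banned = {}                   # ip -> datetime the ban would expire
    for line in lines:
        m = failregex.search(line)
        if not m:
            continue              # not a failure this jail cares about
        ip = m.group("host")
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if ip in banned and ts < banned[ip]:
            continue              # already banned; iptables is dropping it
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return banned


# Constructed sample of /var/log/secure (RFC 5737 documentation addresses).
SAMPLE_SECURE_LOG = [
    # 192.0.2.44: six failures 11 minutes apart, never six inside one 600 s window
    "Jan 20 17:00:00 host sshd[1901]: Failed password for root from 192.0.2.44 port 3001 ssh2",
    "Jan 20 17:11:00 host sshd[1902]: Failed password for root from 192.0.2.44 port 3002 ssh2",
    "Jan 20 17:22:00 host sshd[1903]: Failed password for root from 192.0.2.44 port 3003 ssh2",
    "Jan 20 17:33:00 host sshd[1904]: Failed password for root from 192.0.2.44 port 3004 ssh2",
    "Jan 20 17:44:00 host sshd[1905]: Failed password for root from 192.0.2.44 port 3005 ssh2",
    "Jan 20 17:55:00 host sshd[1906]: Failed password for root from 192.0.2.44 port 3006 ssh2",
    # 198.51.100.7: six failures in 20 s, banned by ssh-iptables on the sixth line
    "Jan 20 18:50:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "Jan 20 18:50:05 host sshd[2002]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "Jan 20 18:50:09 host sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 4003 ssh2",
    "Jan 20 18:50:13 host sshd[2004]: Failed password for invalid user admin from 198.51.100.7 port 4004 ssh2",
    "Jan 20 18:50:17 host sshd[2005]: Failed password for root from 198.51.100.7 port 4005 ssh2",
    "Jan 20 18:50:21 host sshd[2006]: Failed password for root from 198.51.100.7 port 4006 ssh2",
    # 203.0.113.9: two ssh failures (under maxretry) but six dovecot PAM failures
    # within 15 minutes, so banned by dovecot-secure only
    "Jan 20 18:51:00 host sshd[2007]: Accepted publickey for alice from 203.0.113.9 port 5000 ssh2",
    "Jan 20 18:51:30 host sshd[2008]: Failed password for alice from 203.0.113.9 port 5001 ssh2",
    "Jan 20 18:51:35 host sshd[2009]: Failed password for alice from 203.0.113.9 port 5002 ssh2",
    "Jan 20 18:52:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
    "Jan 20 18:55:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
    "Jan 20 18:58:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
    "Jan 20 19:01:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
    "Jan 20 19:04:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
    "Jan 20 19:07:00 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.9",
]

if __name__ == "__main__":
    for name, regex, jail in (("ssh-iptables", SSHD_FAILED, SSH_JAIL),
                              ("dovecot-secure", DOVECOT_PAM_FAILED, DOVECOT_SECURE_JAIL)):
        for ip, until in simulate(SAMPLE_SECURE_LOG, regex, **jail).items():
            print(f"[{name}] ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Running it shows why findtime matters as much as maxretry: the slow attacker at 192.0.2.44 is never banned because its six failures never fall inside one 600 s window, while the burst from 198.51.100.7 is banned for the full 24 hours, and 203.0.113.9 is caught only by the dovecot-secure jail even though both jails read the same log file.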

Starting and Reloading

  • Starting the fail2ban service.
    • /usr/bin/fail2ban-client start
    • Note: Always start it from the fail2ban-client and not service because it will tell you if you have any errors in your config, whereas the service will just fail.
  • Setting fail2ban to start at boot time.
    • chkconfig fail2ban on
  • Reloading fail2ban.
    • Fail2ban needs to be reloaded any time any config files are changed or an IP is unbanned.
    • /usr/bin/fail2ban-client reload
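The note above that fail2ban-client reports config errors where the service just fails can be anticipated with a pre-flight check before reloading. The following is an added example (not from this page and not fail2ban's own code) that parses the page's jail sections with Python's configparser and reports the mistakes fail2ban-client would reject: an enabled jail whose filter file is missing from filter.d (the situation the Dovecot section warns about, since dovecot-secure and dovecot-maillog are not stock filters), a missing required key, or a non-numeric timing value. The filter directory is a temporary stand-in for /etc/fail2ban/filter.d so the check runs without fail2ban installed; the bantime = 86400 entry is placed in [DEFAULT], which is where jail.conf keeps it.

```python
"""Pre-flight check of jail.conf sections before fail2ban-client reload (illustration only)."""
import configparser
import os
import tempfile

# The jail sections from this page, with the 24-hour bantime in [DEFAULT].
PAGE_JAIL_CONF = """\
[DEFAULT]
bantime  = 86400

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 6

[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/secure
maxretry = 6
findtime = 1200
bantime = 1200

[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/maillog
maxretry = 6
findtime = 1200
bantime = 1200
"""

REQUIRED = ("filter", "action", "logpath", "maxretry", "bantime")
TIMING = ("maxretry", "findtime", "bantime")


def check_jails(conf_text, filter_dir):
    """Return a list of problems an enabled jail would cause at reload time.

    Values inherited from [DEFAULT] count as present, as they do in fail2ban.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue                      # disabled jails are never loaded
        for key in REQUIRED:
            if not cp.has_option(jail, key):
                problems.append(f"[{jail}] missing {key}")
        for key in TIMING:
            val = cp.get(jail, key, fallback=None)
            if val is not None and not val.isdigit():
                problems.append(f"[{jail}] {key} must be an integer, got {val!r}")
        filt = cp.get(jail, "filter", fallback=None)
        if filt and not os.path.isfile(os.path.join(filter_dir, filt + ".conf")):
            problems.append(f"[{jail}] filter.d/{filt}.conf not found")
    return problems


def make_filter_dir(*filter_names):
    """Create a throw-away stand-in for /etc/fail2ban/filter.d containing empty
    <name>.conf files, so the check can run on a machine without fail2ban."""
    d = tempfile.mkdtemp(prefix="filter.d-")
    for name in filter_names:
        open(os.path.join(d, name + ".conf"), "w").close()
    return d


if __name__ == "__main__":
    # A stock install ships sshd.conf but neither dovecot filter.
    for problem in check_jails(PAGE_JAIL_CONF, make_filter_dir("sshd")) or ["no problems found"]:
        print(problem)
```

Against a filter directory holding only the stock sshd filter the check reports both dovecot filters as missing, which is exactly the error a reload would produce once the two jail sections above are added without their filter.d files.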

Unbanning

  1. Run iptables -L and find the IP address you want to unban. Note: the chain listed in iptables is not the jail the IP is contained in. Check the fail2ban config if you don't know the jail name.
  2. Run the following commands as root.
    • fail2ban-client get <jailname> actionunban <ip address>
    • fail2ban-client reload