Fail2ban

From Nuclear Physics Group Documentation Pages
Revision as of 12:25, 4 August 2017 by Maurik (talk | contribs)

This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.

Note: In addition to fail2ban, we also use denyhosts.

Installing

Fail2Ban Home page
  1. The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
    • Download the EPEL repository from UNH epel mirror install RPM:
      RHEL 5
      RHEL 6
      RHEL7Server
      RHEL7
    • Install the rpm:
      rpm -ivh epel-release-<version>.noarch.rpm
  2. Install fail2ban via yum:
    yum install fail2ban

Configuring

SSH

  • Edit the /etc/fail2ban/jail.conf and change the following settings.
    • Change bantime to 24 hours (in seconds)
      bantime = 86400
    • Change the ssh-iptables jail (enabled by default) to 6 login attempts and disable the mail notification. An example config section is provided below.

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 6

If you also want fail2ban to watch the sshd service on port 80, add the following section below the one above (the one for the standard ssh port). Note that the config parser merges two sections with the same name, so give this second jail its own section name (and its own name= in the action) rather than a second [ssh-iptables] section.

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=http, protocol=tcp]
#sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Dovecot

  • fail2ban does NOT have a default setting that will work for dovecot. The following has been tested and works on CentOS 5.
  • Two rules need to be added to /etc/fail2ban/jail.conf: one that monitors /var/log/secure for password failures,
[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/secure
maxretry = 6
findtime = 1200
bantime = 1200
  • and one that monitors /var/log/maillog for authentication failures.
[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/maillog
maxretry = 6
findtime = 1200
bantime = 1200
  • You will also need to add custom filters, as the ones referenced above are not available by default. They are listed below.

/etc/fail2ban/filter.d/dovecot-maillog.conf

[Definition]
 
#failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
failregex =  (?: Authentication failure).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
 
ignoreregex = (?: Disconnected: Logged out).*

/etc/fail2ban/filter.d/dovecot-secure.conf

[Definition]

failregex =  (?: dovecot-auth.*authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

ignoreregex =

Postfix

  • fail2ban does NOT have a default setting that will work for postfix. The following has been tested and works on CentOS 5.
  • Edit the sasl-iptables rule in /etc/fail2ban/jail.conf to be the following.
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port="smtp", protocol=tcp]
logpath = /var/log/maillog
bantime = 1200
maxretry = 6
  • Next edit /etc/fail2ban/filter.d/sasl.conf to have the following regex
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|login|PLAIN|plain|(?:CRAM|DIGEST)-MD5) authentication failed.*$

Multi Ban

Most of our ban rules do not ban IPs permanently. However, if an IP continuously attempts to break into the system, it makes sense to ban it forever. This is done by monitoring fail2ban's own logs for multiple bans over a certain time period. Make sure that this is a SEPARATE jail. If you simply do a permanent ban under the same jail, then when the ban that triggered the permanent ban (e.g. the SSH ban) expires, fail2ban will unban the IP and negate the permanent ban.

Create the filter file /etc/fail2ban/filter.d/fail2ban.conf with the contents below. Make sure its ignoreregex matches the name of this jail itself, so that the permanent ban it issues is not counted as yet another ban.

[Definition]
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>

The rule to add to /etc/fail2ban/jail.conf:

#
# Track fail2ban's own logging and ban an IP permanently after 3 bans.
#
[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
logpath = /var/log/messages
maxretry = 3
# findtime: 5 days
findtime = 432000
# bantime: FOREVER
bantime = -1
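The counting rule behind maxretry, findtime and bantime is easier to see in a replay than in prose. The following is an added example written for this page (not fail2ban's own code): it feeds constructed (timestamp, host) failure matches through the sliding-window rule fail2ban applies per jail, a host is banned once maxretry matches fall within findtime seconds and released bantime seconds later (never when bantime is -1), and reports the resulting ban and unban actions. Each call models one jail in isolation, which is exactly why the page insists the permanent ban lives in its own jail. The hosts and timestamps are constructed, and the 600 s findtime used for the ssh-iptables run is an assumed default since the page does not set one.

```python
from collections import defaultdict, deque

DAY = 86400  # seconds; the page's findtime of 432000 is 5 * DAY


def simulate_jail(events, maxretry, findtime, bantime):
    """Replay (timestamp, host) failure matches through one jail.

    A host is banned when maxretry matches fall within findtime seconds
    and unbanned bantime seconds later; bantime < 0 means never unban.
    Matches for an already banned host are ignored, as fail2ban does.
    Returns [(timestamp, "ban" | "unban", host), ...] in time order.
    """
    window = defaultdict(deque)   # host -> timestamps inside findtime
    banned_until = {}             # host -> unban time, or None for forever
    actions = []
    for t, host in sorted(events):
        # release bans that expired before this event
        for h, until in list(banned_until.items()):
            if until is not None and until <= t:
                actions.append((until, "unban", h))
                del banned_until[h]
        if host in banned_until:
            continue
        q = window[host]
        q.append(t)
        while q[0] < t - findtime:     # drop matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            actions.append((t, "ban", host))
            banned_until[host] = None if bantime < 0 else t + bantime
            q.clear()
    # bans still pending at the end of the replay
    for h, until in banned_until.items():
        if until is not None:
            actions.append((until, "unban", h))
    actions.sort()
    return actions


# Constructed sample: "Ban" lines from other jails, as the [fail2ban] jail sees them.
A, B = "203.0.113.5", "198.51.100.7"
FAIL2BAN_EVENTS = [
    (0, A), (2 * DAY, A), (4 * DAY, A),      # three bans inside 5 days
    (0, B), (6 * DAY, B), (12 * DAY, B),     # three bans, but spread out
]
# Constructed sample: six sshd failures ten seconds apart, then one more.
SSH_EVENTS = [(10 * i, "192.0.2.55") for i in range(7)]


def run_fail2ban_jail():
    """The page's [fail2ban] jail: maxretry 3, findtime 5 days, bantime -1."""
    return simulate_jail(FAIL2BAN_EVENTS, maxretry=3, findtime=5 * DAY, bantime=-1)


def run_ssh_jail():
    """The page's ssh-iptables jail: maxretry 6, bantime 86400 (findtime assumed 600)."""
    return simulate_jail(SSH_EVENTS, maxretry=6, findtime=600, bantime=DAY)


if __name__ == "__main__":
    print("fail2ban jail:", run_fail2ban_jail())
    print("ssh jail:     ", run_ssh_jail())
```

Host A collects its third ban on day 4, inside the five-day window, and is banned with no unban ever scheduled; host B's bans are six days apart, so its window never holds more than one entry. In the ssh run the sixth failure at t=50 triggers a one-day ban and the seventh failure, arriving while banned, changes nothing.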

Testing Filters

  • Different versions of software often write log lines differently, or you may want to monitor another piece of software with fail2ban. In these cases you will probably need to write or edit your own regexes. Below is an example of a command you can run to test them.

/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
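When fail2ban-regex is not at hand (or you want the check in a script), the same test can be done offline with plain Python, since fail2ban's failregex syntax is Python's. The block below is an added example written for this page, not fail2ban's own code: it applies the page's dovecot, sasl and fail2ban filter definitions to constructed log lines and returns the hosts each filter would count. The <HOST> expansion is a simplified assumption that mirrors the optional ::ffff: prefix the page's own dovecot filters spell out; the log lines and addresses are constructed.

```python
import re

# Assumed, simplified expansion of fail2ban's <HOST> placeholder: an
# optional IPv4-mapped IPv6 prefix followed by the host token.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_filter(failregex, ignoreregex=""):
    """Compile a filter the way a filter.d file lays it out: one regex per
    line, <HOST> expanded, surrounding whitespace and blank lines dropped."""
    def compile_lines(block):
        return [re.compile(line.strip().replace("<HOST>", HOST_PATTERN))
                for line in block.splitlines() if line.strip()]
    return compile_lines(failregex), compile_lines(ignoreregex)


def match_hosts(failregex, ignoreregex, lines):
    """Return the hosts from lines that match a failregex and are not
    excluded by an ignoreregex (ignoreregex is checked first)."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hosts = []
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue
        for rx in fail:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# Filter definitions copied from the page: (failregex, ignoreregex).
DOVECOT_MAILLOG = (
    r"(?: Authentication failure).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*",
    r"(?: Disconnected: Logged out).*",
)
DOVECOT_SECURE = (
    r"(?: dovecot-auth.*authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)",
    "",
)
SASL = (
    r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|login|PLAIN|plain|(?:CRAM|DIGEST)-MD5) authentication failed.*$",
    "",
)
FAIL2BAN = (
    r"fail2ban.actions: WARNING \[(.*)\] Ban <HOST>",
    r"fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>",
)

# Constructed sample log lines (documentation addresses), one set per log
# file the page's jails watch.
MAILLOG = [
    "Aug  4 12:00:01 mail dovecot: imap-login: Authentication failure: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10",
    "Aug  4 12:00:02 mail dovecot: imap-login: Disconnected: Logged out bytes=12/345 rip=198.51.100.9, lip=192.0.2.10",
    "Aug  4 12:00:03 mail postfix/smtpd[2345]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: authentication failure",
]
SECURE = [
    "Aug  4 12:00:04 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7  user=bob",
    "Aug  4 12:00:05 mail sshd[2222]: Accepted publickey for alice from 192.0.2.20 port 5555 ssh2",
]
MESSAGES = [
    "Aug  4 12:00:06 mail fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.5",
    "Aug  4 12:00:07 mail fail2ban.actions: WARNING [fail2ban] Ban 203.0.113.5",
]


def run_all():
    """Apply each page filter to the constructed lines of the log it watches."""
    return {
        "dovecot-maillog": match_hosts(*DOVECOT_MAILLOG, lines=MAILLOG),
        "dovecot-secure": match_hosts(*DOVECOT_SECURE, lines=SECURE),
        "sasl": match_hosts(*SASL, lines=MAILLOG),
        "fail2ban": match_hosts(*FAIL2BAN, lines=MESSAGES),
    }


if __name__ == "__main__":
    for name, hosts in run_all().items():
        print("%-16s -> %s" % (name, hosts))
```

The [fail2ban] ignoreregex does its job on the second messages line: the jail's own "Ban" entry is skipped, so a permanent ban cannot count toward another one. To test a regex of your own, put it in a new (failregex, ignoreregex) pair and feed it a few lines pasted from the real log.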

Starting and Reloading

  • Starting the fail2ban service.
    • /usr/bin/fail2ban-client start
    • Note: Always start it with fail2ban-client rather than the service script, because fail2ban-client reports any errors in your config, whereas the service will just fail.
  • Setting fail2ban to start at boot time.
    • chkconfig fail2ban on
  • Reloading fail2ban.
    • Fail2ban needs to be reloaded any time a config file is changed or an IP is unbanned.
    • /usr/bin/fail2ban-client reload

Unbanning

  1. Clear all denyhosts bans
  2. Run iptables -L and find the IP address you want to unban:
    • iptables -n -L | grep ###.###.##
    • Note: the chain listed in iptables is not the jail the IP is contained in. Check the fail2ban config if you don't know the jail name.
      • The default SSH jailname is ssh-iptables
  3. Run the following commands as root. For Red Hat 5:
    • fail2ban-client get <jailname> actionunban <ip address>
    • fail2ban-client reload
  4. For Red Hat/CentOS 6:
    • fail2ban-client set ssh-iptables unbanip <ip address>
    • fail2ban-client reload