Sonora Communications, Inc.

Installing fail2ban on Centos 5

These are just installation notes and this should not be considered a complete howto.

The fail2ban script runs as a daemon and bans an IP address after too many failed login attempts. We use it for blocking failed login attempts for SSH, ProFTP and Postfix.

Fail2ban is very effective at stopping the brute-force attacks now common to all Internet-connected hosts. We have found it reliable and functional without causing problems.

Installation on Centos 5

wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
tar -xjvf fail2ban-0.8.1.tar.bz2
cd fail2ban-0.8.1
python setup.py install

vi /etc/fail2ban/jail.conf

Enable only the sections you need, and enable them one at a time. We enable SSH and ProFTP (both log to /var/log/secure) as well as Postfix.

Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!

ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

Installation on SME 7

Requires Python 2.4, which is not currently available on SME 7.
(SME 7 logs to /var/log/messages rather than /var/log/secure.)

Startup

cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
service fail2ban start

Tools

Show failed SSH logins by date:

cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c

Search for correct log file:

grep ssh /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log

This should show the Postfix rejects that the postfix jail matches:

grep rejected /var/log/maillog

Configuration

Adjust the following sample configuration files to your needs. In particular, replace the dest and sender addresses in the sendmail-whois actions with your own.

# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

[DEFAULT]

# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# Don't know how well other backend options work.
backend = polling

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=YOUR_EMAIL_ADDRESS, sender=FAIL2BAN_SENDER_ADDRESS]
logpath  = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=YOUR_EMAIL_ADDRESS, sender=FAIL2BAN_SENDER_ADDRESS]
logpath  = /var/log/secure
maxretry = 3

[postfix]

enabled  = true
filter   = postfix
action   = iptables[name=Postfix, port=smtp, protocol=tcp]
           sendmail-whois[name=Postfix, dest=YOUR_EMAIL_ADDRESS, sender=FAIL2BAN_SENDER_ADDRESS]
logpath  = /var/log/maillog
maxretry = 5



# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450

ignoreregex =
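To see how the three failregex lines above combine with the postfix jail's findtime, maxretry and ignoreip settings, here is an added Python simulation; it is not part of these notes and not fail2ban's own code. It approximates fail2ban's sliding-window counting over a constructed maillog sample and assumes the Postfix jail values from the jail.local above (findtime 600, maxretry 5).

```python
import re
import ipaddress
from datetime import datetime

# Postfix jail parameters taken from the jail.local above.
FINDTIME, MAXRETRY = 600, 5
IGNOREIP = ["127.0.0.1", "192.245.12.0/24", "207.182.32.0/19", "204.27.149.0/24"]

# failregex lines from filter.d/postfix.local above; fail2ban replaces the
# <HOST> tag with a named group that captures the client address.
FAILREGEX = [re.compile(r.replace("<HOST>", r"(?P<host>\S+)")) for r in (
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
)]

def ignored(ip):
    """True if ip falls inside any ignoreip entry (single host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IGNOREIP)

def bans_for(lines):
    """Apply findtime/maxretry to maillog lines; return [(ip, time of ban)]."""
    recent, bans = {}, []       # recent: ip -> failure times still inside findtime
    for line in lines:
        m = next(filter(None, (rx.search(line) for rx in FAILREGEX)), None)
        if m is None or ignored(m.group("host")):
            continue
        ip = m.group("host")
        # syslog stamps carry no year; the constructed sample is dated 2008
        now = datetime.strptime("2008 " + line[:15], "%Y %b %d %H:%M:%S")
        window = [t for t in recent.get(ip, []) if (now - t).total_seconds() <= FINDTIME]
        window.append(now)
        recent[ip] = window
        if len(window) >= MAXRETRY:     # maxretry failures inside findtime: ban
            bans.append((ip, now))
            recent[ip] = []             # counting starts over after the ban
    return bans

def logline(ts, ip, code):
    """Constructed Postfix smtpd reject line in the /var/log/maillog format."""
    return (f"Aug 28 {ts} mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {code} 5.7.1 Relay access denied")

# Constructed sample, in chronological order (not real traffic).
EVENTS = ([(f"10:00:{s:02d}", "10.0.0.5", 554) for s in range(0, 50, 10)]      # 5 hits in 40 s: ban
          + [(f"10:01:{s:02d}", "10.0.0.6", 550) for s in range(0, 40, 10)]    # 4 hits: no ban yet
          + [(f"10:02:{s:02d}", "192.245.12.9", 554) for s in range(0, 50, 10)] # 5 hits, but ignoreip
          + [("10:15:00", "10.0.0.6", 450)])     # 5th hit > findtime later: earlier four aged out
SAMPLE_LOG = [logline(*e) for e in EVENTS] + ["Aug 28 10:20:00 mail postfix/smtpd[2101]: disconnect from unknown[10.0.0.5]"]
```

Running bans_for(SAMPLE_LOG) yields only 10.0.0.5, banned at 10:00:40; fail2ban's own fail2ban-regex tool is the way to test a filter against a real log file.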



# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]

actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actioncheck =

actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionunban =

[Init]
name = default
dest = root
sender = fail2ban

Last Updated on Thursday, 28 August 2008 12:02  
