Fail2Ban

From KevinWiki


Revision as of 09:55, 3 October 2008

Fail2Ban

Fail2Ban is an intrusion prevention framework written in Python. It scans log files and uses a firewall such as iptables or TCP Wrappers to ban IP addresses that produce too many login failures.

Prerequisite

Iptables

As mentioned, Fail2Ban uses iptables, so iptables (or another supported firewall) must be installed beforehand. Check whether it is already installed; if not, install it first.

$ sudo apt-get install iptables

Sendmail

Fail2ban also uses the sendmail mail transfer agent (MTA) to send an email reporting each login failure. This is optional, but the report is worth having, so installing sendmail is recommended.

$ sudo apt-get install sendmail


Installation

$ sudo apt-get install fail2ban

Usage

Create Configuration File (jail.local)

It ships with a default configuration file, jail.conf, in the /etc/fail2ban directory. However, using an /etc/fail2ban/jail.local file is encouraged. If there is no such file, create one and copy the contents of jail.conf into it, or simply copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Change jail.local File

Find the [ssh] section and change it like this:

[ssh]

enabled = true
# port	= ssh
port	= ssh,sftp
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 3
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=youremail@mail.com]

  • port = ssh is commented out and port = ssh,sftp is set instead.
  • It will email you when the number of failed login attempts from one IP exceeds maxretry (3 in this example), after banning the IP from which the attempts came.
  • If you changed the port number used for sshd, then change

action   = iptables[name=SSH, port=ssh, protocol=tcp]

to

action   = iptables[name=SSH, port=<port number>, protocol=tcp]

e.g.)

action   = iptables[name=SSH, port=1234, protocol=tcp]


How long an IP stays banned is set by bantime in the [DEFAULT] section:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3


Change it as you wish (the value is in seconds).
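To make the effect of maxretry, ignoreip and bantime concrete, here is an added Python example (not part of the original page or of fail2ban's own code) that replays constructed /var/log/auth.log lines against a simplified sshd failure pattern and reports which IPs would be banned and until when. The failure regex, the sample log lines and the findtime window (fail2ban's own default, not shown on this page) are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the jail.local shown on this page
MAXRETRY = 3
BANTIME = 600        # seconds an IP stays banned
IGNOREIP = {"127.0.0.1"}
# Assumed window in which MAXRETRY failures must occur (fail2ban default, not on the page)
FINDTIME = 600

# Simplified stand-in for fail2ban's sshd failregex (assumption for this example)
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed auth.log lines (syslog format, year omitted as in real auth.log)
SAMPLE_LOG = """\
Oct  3 09:00:00 host sshd[1001]: Failed password for root from 10.0.0.7 port 4001 ssh2
Oct  3 09:50:01 host sshd[1002]: Failed password for root from 10.0.0.5 port 4002 ssh2
Oct  3 09:50:05 host sshd[1003]: Failed password for invalid user admin from 10.0.0.5 port 4003 ssh2
Oct  3 09:50:09 host sshd[1004]: Accepted publickey for kevin from 10.0.0.9 port 4004 ssh2
Oct  3 09:50:12 host sshd[1005]: Failed password for root from 10.0.0.5 port 4005 ssh2
Oct  3 09:51:00 host sshd[1006]: Failed password for root from 127.0.0.1 port 4006 ssh2
Oct  3 09:51:02 host sshd[1007]: Failed password for root from 127.0.0.1 port 4007 ssh2
Oct  3 09:51:04 host sshd[1008]: Failed password for root from 127.0.0.1 port 4008 ssh2
Oct  3 09:52:00 host sshd[1009]: Failed password for root from 10.0.0.7 port 4009 ssh2
Oct  3 09:52:01 host sshd[1010]: Failed password for root from 10.0.0.7 port 4010 ssh2
"""


def bans_from_log(text, year=2008):
    """Return {ip: unban_time} for every IP that hits MAXRETRY failures within FINDTIME."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    banned = {}
    for line in text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in IGNOREIP:
            continue                # ignoreip addresses are never banned
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # Keep only failures inside the findtime window, then add this one
        recent = [t for t in failures[ip] if ts - t <= timedelta(seconds=FINDTIME)]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= MAXRETRY and ip not in banned:
            banned[ip] = ts + timedelta(seconds=BANTIME)   # ban expires after bantime
    return banned


if __name__ == "__main__":
    for ip, until in bans_from_log(SAMPLE_LOG).items():
        print(f"ban {ip} until {until}")
```

Only 10.0.0.5 is banned: 127.0.0.1 is covered by ignoreip, and 10.0.0.7's first failure falls outside the findtime window so it never reaches three.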


Restart Fail2Ban

$ sudo /etc/init.d/fail2ban restart


Bug

There is a known bug in the fail2ban package from the Ubuntu (8.04) repository: fail2ban is not started after a reboot. The bug was reported here.

This can be solved by adding the line below to the /etc/init.d/fail2ban file.

	[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban


So it should look like this:

		DAEMON_ARGS="$DAEMON_ARGS -x"
	fi

	# Assure that /var/run/fail2ban exists. This line is added.
	[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban

	start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \

