Install and configure Fail2ban (these notes assume a yum-based host running systemd, e.g. CentOS/RHEL 7, and fail2ban 0.9.x)
http://www.looke.ch/wp/list-based-permanent-bans-with-fail2ban
http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban/
As root (fail2ban is not in the base CentOS/RHEL repositories; enable EPEL first if it is not already enabled):
yum install fail2ban
Commands
fail2ban-client -d ==> dump the parsed configuration; use it to confirm that an option you set was actually picked up
fail2ban-client start
fail2ban-client status
fail2ban-client reload
default logging path
/var/log/fail2ban.log
How to unban an IP
To find which IPs are banned, ask fail2ban rather than reading the firewall:
fail2ban-client status JAIL-NAME
(iptables -L -n also works but lists every chain; fail2ban 0.9 keeps its bans in a per-jail chain named f2b-JAIL-NAME, so iptables -L f2b-sshd -n is the focused view.)
To know the jail names
fail2ban-client status
To unban an IP
fail2ban-client set JAIL-NAME unbanip BANNED-IP
Unbanning is not a whitelist: the next burst of failures bans the address again. For a permanent exception add the address to ignoreip in jail.local instead.
Alternative
Example for the sshd jail in interactive mode. Use the jail name exactly as fail2ban-client status prints it: on this CentOS setup it is sshd (ssh is the older Debian jail name; the two are not interchangeable).
type in bash:
fail2ban-client -i
then in interactive mode type:
status sshd
you'll get something like this (on CentOS the File list line shows /var/log/secure, or nothing when backend = systemd, rather than the Debian /var/log/auth.log):
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 6
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: 203.113.167.162
then type in fail2ban interactive mode:
set sshd unbanip 203.113.167.162
you'll get:
203.113.167.162
fail2ban echoes the address back on success, meaning 203.113.167.162 is no longer in this jail's ban list (confirm with status sshd). An error instead means the address was not banned in that jail; check the other jails.
Configuration
vi /etc/fail2ban/jail.d/00-systemd.conf (the fail2ban-systemd RPM installs this same file; if you install that package there is no need to write it by hand, and doing both is what produces the .rpmnew warning at install time)
[DEFAULT]
# Read every jail's log from the systemd journal instead of a file;
# jails then use their journalmatch and ignore logpath. Needs the
# Python systemd bindings, which the fail2ban-systemd package pulls in.
backend=systemd
cd /etc/fail2ban
cp jail.conf jail.local
vi jail.local
Caveat: fail2ban's own advice (in the header of jail.conf) is not to copy the whole file. jail.conf is replaced on package upgrade, and a full copy in jail.local shadows every new default the upgrade brings. Prefer a jail.local (or a file in jail.d/) that holds only the overrides shown here.
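[DEFAULT]
# Never ban the local host or the management network: with a 20 h
# bantime, a few mistyped passwords from the admin host lock you out.
# 192.0.2.0/24 is a placeholder -- replace it with the real admin range.
ignoreip = 127.0.0.1/8 192.0.2.0/24
# Seconds an address stays banned (72000 = 20 h). Keep this at or below
# dbpurgeage in fail2ban.conf (86400 by default); otherwise a restart
# does not restore bans older than dbpurgeage.
bantime = 72000
# Read the systemd journal instead of log files (needs fail2ban-systemd).
backend = systemd

[sshd]
enabled = true
# Ban on every port the sshd jail lists (default "ssh"), not only 22.
# Overrides the banaction for this jail only.
banaction = iptables-multiport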
vi /etc/fail2ban/fail2ban.conf -- better: put only the changed keys in /etc/fail2ban/fail2ban.local, which overrides this file and survives package upgrades (the file's own header says the same). The full fail2ban.conf is reproduced here for reference:
# Fail2Ban main configuration file (server-wide settings only; the
# jails themselves live in jail.conf, jail.local and jail.d/).
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output. INFO records every ban and unban,
# which is what an incident reviewer needs; DEBUG is very chatty and
# only useful while diagnosing a filter.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# A FILE target needs log rotation. If you change it from the
# packaged path, also adjust or disable the rotation in the
# corresponding logrotate configuration
# (e.g. /etc/logrotate.d/fail2ban on Debian systems), or the
# file grows without bound.
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
syslogsocket = auto
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Whoever can write to this socket can ban and unban at will, so
# keep it under a root-only directory such as /var/run/fail2ban.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# With a file database, active bans are re-applied after a restart
# instead of being forgotten.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database.
# Keep the jail bantime at or below this value, otherwise bans
# older than dbpurgeage are not restored after a restart
# (the 72000 s bantime used in jail.local on this page fits).
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400
Add from here -- caution: the keys that follow use the fail2ban 0.6-era syntax ([MAIL] and [SSH] sections, fwban/fwunban, cmdstart) which fail2ban 0.9 does not read from fail2ban.conf. Their 0.9 equivalents are maxretry, bantime, destemail, sender and action = %(action_mw)s in jail.local, and the regexes in filter.d/sshd.conf.
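# NOTE(review): everything from here to the end of the file is the
# fail2ban 0.6-era layout (flat options, then [MAIL] and [SSH] sections
# with fwban/fwunban). fail2ban 0.9.x, which is what the rest of this
# page installs, takes only the [Definition] keys from fail2ban.conf and
# as far as I can tell does not act on any of these; the 0.9 equivalents
# are maxretry, bantime, destemail, sender and action = %(action_mw)s in
# jail.local, plus the regexes in filter.d/sshd.conf. Kept as a record
# of the old setup -- verify with "fail2ban-client -d" before relying on it.
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirected to the logfile.
# Values: [true | false] Default: false
#
background = true
# Option: maxretry
# Notes.: number of failed attempts before the IP gets banned.
# Values: NUM Default: 3
#
maxretry = 3
# Option: bantime
# Notes.: number of seconds an IP will be banned. This disagrees with
# the 72000 set in jail.local on this page; under 0.9 the jail.local
# value is the one in effect.
# Values: NUM Default: 600
#
bantime = 36000
# Option: cmdstart
# Notes.: command executed once at the start of Fail2Ban. It runs as
# root, so keep it a fixed command. The recipient is a placeholder --
# replace admin@example.com with the real address.
# Values: CMD Default:
#
cmdstart = echo "Se ha iniciado fail2ban" | mail -s "Fail2ban" admin@example.com
# Option: cmdend
# Notes.: command executed once at the end of Fail2Ban (same caveats as
# cmdstart).
# Values: CMD Default:
#
cmdend = echo "Se ha detenido fail2ban" | mail -s "Fail2ban" admin@example.com
[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = true
# Option: host
# Notes.: host running the mail server. smtp.gmail.com on port 587
# expects STARTTLS and an authenticated login, and this section has no
# username/password key to supply one, so the submission is refused and
# ban notifications silently never arrive. Point this at a local MTA
# (localhost, port 25) that is configured to relay, and keep the
# credentials in the MTA, not in this file.
# Values: STR Default: localhost
#
host = smtp.gmail.com
# Option: port
# Notes.: port of the mail server.
# Values: INT Default: 25
#
port = 587
# Option: from
# Notes.: e-mail address of the sender. A bare word is not a valid
# address and relays may reject it; prefer fail2ban@<this host's FQDN>.
# Values: MAIL Default: fail2ban
#
from = fail2ban
# Option: to
# Notes.: e-mail addresses of the receivers, space separated.
# admin@example.com is a placeholder.
# Values: MAIL Default: root
#
to = admin@example.com
# Option: subject
# Notes.: subject of the e-mail.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# Values: TEXT Default: [Fail2Ban] Banned <ip>
#
subject = [Fail2Ban] Se ha baneado a <ip>
# Option: message
# Notes.: message of the e-mail (Spanish: "IP <ip> was banned by
# Fail2Ban after <failures> failed attempts").
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <br> new line
# Values: TEXT Default:
#
message = La ip <ip> ha sido baneada por Fail2Ban despues de <failures> intentos fallidos.
[SSH]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor. Left commented so the default applies;
# on CentOS sshd logs to /var/log/secure, not /var/log/ssh.
# Values: FILE Default: /var/log/secure
#
#logfile = /var/log/ssh
# Option: fwban
# Notes.: command executed when banning an IP. It runs with Fail2Ban's
# own rights, i.e. as root. Without "-i eth0" (the documented default)
# the DROP applies on every interface, not only the public one.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -i eth0 -s <ip> -j DROP
#
fwban = iptables -I INPUT -s <ip> -j DROP
# Option: fwunban
# Notes.: command executed when unbanning an IP. Runs as root. It must
# match the fwban rule exactly (same chain, interface and target) or
# iptables -D finds nothing and the ban is never removed.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -i eth0 -s <ip> -j DROP
#
fwunban = iptables -D INPUT -s <ip> -j DROP
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# This form has no <HOST> capture and no anchoring, so it matches the
# keywords anywhere in a line; fail2ban 0.9 replaces it with the
# anchored regexes in filter.d/sshd.conf.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user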
RPM resource config (fail2ban-systemd)
yum install ftp://rpmfind.net/linux/fedora/linux/updates/21/x86_64/f/fail2ban-systemd-0.9.2-1.fc21.noarch.rpm
Caution: this pulls an RPM built for Fedora 21 (long end-of-life) from a third-party mirror over plain FTP, with no way to know it was not altered in transit. Prefer the package from the distribution's own repository (EPEL provides a fail2ban-systemd sub-package for EL7), which yum verifies against the imported GPG key. If you must use a downloaded RPM, check its signature with rpm -K first, do not pass --nogpgcheck, and make sure its version matches the installed fail2ban (0.9.2 here).
==> ... Installing : fail2ban-systemd-0.9.2-1.fc21.noarch
==> warning: /etc/fail2ban/jail.d/00-systemd.conf created as /etc/fail2ban/jail.d/00-systemd.conf.rpmnew
This file contains
[DEFAULT]
# Shipped by the fail2ban-systemd RPM; identical to a hand-written
# jail.d/00-systemd.conf, so keep only one of the two. Makes every jail
# read the systemd journal (journalmatch) instead of a logpath file.
backend=systemd