Fail2ban

From Gentoo Linux Wiki
Fail2Ban scans log files such as /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that produce too many password failures. It enforces the ban by adding firewall rules or entries in /etc/hosts.deny that reject the address, and lifts the ban again after a configurable time.


[edit] Requirements

The packages listed under Installation may be needed, depending on the setup (iptables or tcp-wrappers as the blocking mechanism, mailx for e-mail notifications).

Note: The version of fail2ban used in this article is 0.8.4-r3. The steps listed below might not apply to other versions.

[edit] Installation

Emerge iptables

emerge iptables

Emerge python with the threads USE flag enabled (fail2ban-server is a threaded Python program):

USE=threads emerge python

emerge fail2ban

emerge fail2ban
Note: fail2ban can optionally use sys-apps/tcp-wrappers instead of net-firewall/iptables.

When tcp-wrappers is used, banned IP addresses are managed in the /etc/hosts.deny file instead of in the firewall.

[edit] Configuration

By default all jails in fail2ban are disabled. The main fail2ban configuration is held in /etc/fail2ban/jail.conf. Edit the initial DEFAULT section of /etc/fail2ban/jail.conf so that failed logins from localhost and your LAN are ignored; in this example the 192.168.1.0/24 network is used. Only list networks you actually trust in ignoreip, because failures from those sources are never counted. bantime and findtime are given in seconds: a host that produces maxretry failures within findtime is banned for bantime. Note that jail.conf is replaced when the package is upgraded; local overrides can also be placed in /etc/fail2ban/jail.local, which is read after jail.conf.

File: jail.conf
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24
bantime  = 600
findtime = 600
maxretry = 5
backend  = auto
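The following Python program is an added example and is not code from this wiki page or from fail2ban itself. It re-implements the decision that the DEFAULT settings above control (ignoreip, findtime, maxretry, bantime) over a constructed excerpt of /var/log/messages, so the effect of each knob can be seen without a live system. All addresses, host names, process IDs and time stamps in it are made up, the failure pattern is a simplified version of the sshd filter that accepts only IPv4 literals, and the Jail class is the example's own, not fail2ban's.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not code from this wiki page or from fail2ban itself.  It
# re-implements the decision the DEFAULT settings control (ignoreip, findtime,
# maxretry, bantime) over a constructed /var/log/messages excerpt.  Every
# address, host name and time stamp below is made up for the example.

# sshd failure lines as syslog-ng writes them to /var/log/messages.  Only an
# IPv4 literal is accepted as the source, so a line in which sshd logged a
# resolved host name (UseDNS yes) is not counted at all.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2010):
    """Return (timestamp, ip) for a matching failure line, None otherwise."""
    m_ts, m_fail = SYSLOG_TS.match(line), FAILREGEX.search(line)
    if not m_ts or not m_fail:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m_fail.group("host")


class Jail:
    """One jail: maxretry failures within findtime seconds => ban for bantime seconds."""

    def __init__(self, ignoreip, bantime=600, findtime=600, maxretry=5):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.failures = defaultdict(deque)  # ip -> failure times still inside findtime
        self.banned = {}                    # ip -> time the ban expires
        self.events = []                    # ("Ban" | "Unban", ip, time)

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def expire(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("Unban", ip, now))

    def feed(self, now, ip):
        self.expire(now)
        # Trusted sources are never counted; a banned host is already being
        # dropped by the firewall, so nothing is counted for it either.
        if self.ignored(ip) or ip in self.banned:
            return
        window = self.failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + timedelta(seconds=self.bantime)
            self.events.append(("Ban", ip, now))
            window.clear()


# Constructed excerpt: a fast brute force (203.0.113.9), five failures from a
# LAN host covered by ignoreip (192.168.1.15), a slow attacker that never has
# maxretry failures inside one findtime window (198.51.100.4), and one line
# where sshd logged a host name instead of an address.
SAMPLE_LOG = """\
Oct 21 18:00:01 gw sshd[4410]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 21 18:00:03 gw sshd[4412]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Oct 21 18:00:05 gw sshd[4414]: Failed password for root from 203.0.113.9 port 51244 ssh2
Oct 21 18:00:08 gw sshd[4416]: Failed publickey for root from 203.0.113.9 port 51250 ssh2
Oct 21 18:00:09 gw sshd[4418]: Failed password for root from 203.0.113.9 port 51255 ssh2
Oct 21 18:00:20 gw sshd[4420]: Failed password for root from 192.168.1.15 port 40001 ssh2
Oct 21 18:00:21 gw sshd[4421]: Failed password for root from 192.168.1.15 port 40002 ssh2
Oct 21 18:00:22 gw sshd[4422]: Failed password for root from 192.168.1.15 port 40003 ssh2
Oct 21 18:00:23 gw sshd[4423]: Failed password for root from 192.168.1.15 port 40004 ssh2
Oct 21 18:00:24 gw sshd[4424]: Failed password for root from 192.168.1.15 port 40005 ssh2
Oct 21 18:00:30 gw sshd[4425]: Failed password for root from 203.0.113.9 port 51260 ssh2
Oct 21 18:01:00 gw sshd[4430]: Failed password for root from 198.51.100.4 port 33000 ssh2
Oct 21 18:02:00 gw sshd[4440]: Failed password for root from slow.attacker.example port 33100 ssh2
Oct 21 18:05:00 gw sshd[4431]: Failed password for root from 198.51.100.4 port 33001 ssh2
Oct 21 18:09:00 gw sshd[4432]: Failed password for root from 198.51.100.4 port 33002 ssh2
Oct 21 18:12:00 gw sshd[4426]: Failed password for root from 203.0.113.9 port 51270 ssh2
Oct 21 18:15:00 gw sshd[4433]: Failed password for root from 198.51.100.4 port 33003 ssh2
Oct 21 18:16:00 gw sshd[4434]: Failed password for root from 198.51.100.4 port 33004 ssh2
"""


def demo(ignoreip="127.0.0.1 192.168.1.0/24", bantime=600, findtime=600, maxretry=5):
    """Run one jail over SAMPLE_LOG; return its events as (kind, ip, HH:MM:SS)."""
    jail = Jail(ignoreip, bantime, findtime, maxretry)
    for line in SAMPLE_LOG.splitlines():
        hit = parse_line(line)
        if hit:
            jail.feed(*hit)
    return [(kind, ip, t.strftime("%H:%M:%S")) for kind, ip, t in jail.events]


if __name__ == "__main__":
    for event in demo():
        print(*event)
```

With the values from the DEFAULT section, only 203.0.113.9 is banned (at 18:00:09, after its fifth failure) and released 600 seconds later when the next event arrives; the LAN host is never counted, the slow attacker stays below maxretry within any 600 second window, and the host-name line is invisible to the pattern. Calling demo(maxretry=3) bans the slow attacker as well, and demo(ignoreip="127.0.0.1") bans the LAN host, which is the kind of what-if a practitioner should run before lowering maxretry or widening findtime on a production box.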

[edit] Enabling SSH jail

Gentoo uses app-admin/syslog-ng as its default syslog daemon, and that is what this article assumes. If another syslog server is used, refer to its man pages for the location of the authentication log.

To enable, for example, the SSH jail, edit the [ssh-iptables] section of /etc/fail2ban/jail.conf and set enabled = true:

Code: jail.conf
...
[ssh-iptables]
enabled  = true
...

[edit] Fixing SSH logging with syslog-ng

By default fail2ban looks in /var/log/sshd.log for authentication messages, but syslog-ng writes them to /var/log/messages. Modify /etc/fail2ban/jail.conf and set the logpath variable to the correct path; a jail pointed at a file that is never written will silently ban nothing.

Finally, the [ssh-iptables] section should look like this:

File: jail.conf
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[edit] Adding courierimap and courierpop3

To add IMAP and POP3 support, add the following sections to /etc/fail2ban/jail.conf. The logpath variable has to point at the mail log for fail2ban to work properly; /var/log/maillog is the usual location.

File: jail.conf
[courierpop3-iptables]

enabled  = true
filter   = courierlogin
backend  = polling
action   = iptables[name=courierpop3, port=pop3, protocol=tcp]
           mail-whois[name=courierpop3, dest=root@localhost]
logpath  = /var/log/maillog
maxretry = 5

[courierimap-iptables]

enabled  = true
filter   = courierlogin
backend  = polling
action   = iptables[name=courierimap, port=imap, protocol=tcp]
           mail-whois[name=courierimap, dest=root@localhost]
logpath  = /var/log/maillog
maxretry = 5

Emerge mail-client/mailx so that the mail-whois action has a working /bin/mail client (the action also runs whois against the banned address, so net-misc/whois is needed too):

emerge mailx

[edit] Using TCP wrappers

Below is an example [ssh-tcpwrapper] section for /etc/fail2ban/jail.conf, used when fail2ban works with tcp-wrappers instead of iptables.

File: /etc/fail2ban/jail.conf
[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
              mail-whois[name=SSH, dest=root@localhost]
logpath     = /var/log/messages

Create the file /etc/hosts.deny yourself before fail2ban is started:

Warning: If /etc/hosts.deny did not exist before, fail2ban creates it with root ownership and mode 600. Do a chmod 644 to avoid problems: the pop3 and imap daemons from cyrus-imapd (running as uid "cyrus") drop ALL connections if /etc/hosts.deny exists but is not readable by them.
touch /etc/hosts.deny

Change permissions to make /etc/hosts.deny readable for daemons:

chmod 644 /etc/hosts.deny
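The following Python program is an added example, not code from this wiki page or from fail2ban. It performs the two checks the tcp-wrappers setup depends on: that a hosts.deny file carries the "other" read bit (mode 644 passes, the 600 fail2ban creates does not), and which addresses have been written into it, assuming the ALL: <address> line format that the hostsdeny action appends. The path is a parameter so the checks can be exercised on a constructed copy in a temporary directory; against a real system you would pass /etc/hosts.deny.

```python
import os
import stat
import tempfile

# Added example, not from this wiki page or from fail2ban.  Checks that a
# hosts.deny file is readable by unprivileged daemons and lists the addresses
# recorded in it.  The file contents below are constructed for the example.


def world_readable(path):
    """True if path exists and carries the 'other' read bit; that is the test
    that matters for daemons such as cyrus-imapd which do not run as root."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IROTH)
    except FileNotFoundError:
        return False


def banned_hosts(path):
    """Addresses on 'ALL: <client list>' lines, the form assumed for fail2ban's
    hostsdeny action.  Comments, blank lines and other daemon lists are skipped."""
    hosts = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split(":")          # daemon_list : client_list [: option]
            if len(fields) >= 2 and fields[0].strip() == "ALL":
                hosts.extend(fields[1].replace(",", " ").split())
    return hosts


def demo():
    """Write a constructed hosts.deny to a temp dir and compare mode 600 with 644."""
    sample = (
        "# constructed sample, not a real ban list\n"
        "sshd: 192.0.2.0/24\n"                 # a manual entry for one daemon only
        "ALL: 203.0.113.7\n"
        "ALL: 198.51.100.23, 198.51.100.24\n"
    )
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts.deny")
    with open(path, "w") as fh:
        fh.write(sample)
    os.chmod(path, 0o600)                      # what fail2ban leaves behind
    readable_before = world_readable(path)     # False
    os.chmod(path, 0o644)                      # the chmod recommended above
    readable_after = world_readable(path)      # True
    return readable_before, readable_after, banned_hosts(path)


if __name__ == "__main__":
    print(demo())
```

The mode check deliberately inspects the permission bits rather than calling open(), because a check run as root would succeed on a 600 file that a daemon running as cyrus cannot read.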

[edit] Finishing Up

Start fail2ban:

/etc/init.d/fail2ban start

Add fail2ban to the default runlevel:

rc-update add fail2ban default

Verify fail2ban has been started:

ps -ef |grep fail2ban
root     10567     1  0 23:06 ?        00:00:00 /usr/bin/python2.6 /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

Check iptables to see whether the fail2ban rule for SSH has been set (adding -n skips the reverse DNS lookups that otherwise turn addresses into host names in the listing):

iptables --list | grep fail2ban
fail2ban-SSH  tcp  --  anywhere      anywhere         tcp dpt:ssh
Chain fail2ban-SSH (1 references)

Examine fail2ban.log:

tail /var/log/fail2ban.log
2010-10-20 23:06:54,770 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-10-20 23:06:54,771 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2010-10-20 23:06:54,772 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2010-10-20 23:06:54,808 fail2ban.filter : INFO   Added logfile = /var/log/messages
2010-10-20 23:06:54,809 fail2ban.filter : INFO   Set maxRetry = 5
2010-10-20 23:06:54,810 fail2ban.filter : INFO   Set findtime = 600
2010-10-20 23:06:54,811 fail2ban.actions: INFO   Set banTime = 600

Now fail2ban should be ready to use. The example below shows the log of several hosts being banned:

tail -f /var/log/fail2ban.log
2010-10-20 23:06:54,770 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-10-20 23:06:54,771 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2010-10-20 23:06:54,772 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2010-10-20 23:06:54,808 fail2ban.filter : INFO   Added logfile = /var/log/messages
2010-10-20 23:06:54,809 fail2ban.filter : INFO   Set maxRetry = 5
2010-10-20 23:06:54,810 fail2ban.filter : INFO   Set findtime = 600
2010-10-20 23:06:54,811 fail2ban.actions: INFO   Set banTime = 600
2010-10-21 18:01:08,099 fail2ban.actions: WARNING [ssh-iptables] Ban 24.8.222.211
2010-10-21 18:01:21,138 fail2ban.actions: WARNING [ssh-iptables] Ban 71.17.240.82
2010-10-21 18:01:47,190 fail2ban.actions: WARNING [ssh-iptables] Ban 71.94.162.198
2010-10-21 18:02:45,277 fail2ban.actions: WARNING [ssh-iptables] Ban 112.116.154.174

Examine iptables again:

iptables --list |grep -B5 -A5 fail
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  174.154.116.112.broad.km.yn.dynamic.163data.com.cn  anywhere
DROP       all  --  71-94-162-198.dhcp.knwc.wa.charter.com  anywhere
DROP       all  --  71-17-240-82.yktn.hsdb.sasknet.sk.ca  anywhere
DROP       all  --  c-24-8-222-211.hsd1.co.comcast.net  anywhere

Notice that the DROP rules in the fail2ban-SSH chain now block the four hosts banned above; iptables shows their reverse DNS names because it was run without -n.

[edit] Troubleshooting

[edit] Fail2Ban doesn't start correctly after system crash or power loss

If fail2ban does not start correctly after a system crash or power loss, check to see whether the socket file still exists:

ls /var/run/fail2ban/fail2ban.sock
/var/run/fail2ban/fail2ban.sock

If it does, remove it manually:

rm /var/run/fail2ban/fail2ban.sock

Finally, start fail2ban again:

/etc/init.d/fail2ban start

Add the following option to /etc/conf.d/fail2ban to prevent this from happening again:

File: /etc/conf.d/fail2ban
FAIL2BAN_OPTIONS="-x"

The -x option forces fail2ban-server to start even if a stale socket file exists, overwriting it.

If fail2ban does not ban SSH attackers, check whether sshd logs IP addresses or DNS names in /var/log/messages. If DNS names are logged, set the following so that sshd logs the peer address instead of a resolved name:

File: /etc/ssh/sshd_config
...
UseDNS no
...

Restart the sshd daemon:

/etc/init.d/sshd restart