Difference between revisions of "Fail2ban"
| Line 88: | Line 88: | ||
[ssh-ddos] | [ssh-ddos] | ||
| + | |||
enabled = true | enabled = true | ||
port = ssh,2200 | port = ssh,2200 | ||
| Line 94: | Line 95: | ||
maxretry = 4 | maxretry = 4 | ||
| − | ... | + | |
| + | # Here we use blackhole routes for not requiring any additional kernel support | ||
| + | # to store large volumes of banned IPs | ||
| + | |||
| + | [ssh-route] | ||
| + | |||
| + | enabled = true | ||
| + | filter = sshd | ||
| + | action = route | ||
| + | #logpath = /var/log/sshd.log | ||
| + | logpath = /var/log/auth.log | ||
| + | maxretry = 4 | ||
| + | |||
| + | |||
| + | # Here we use a combination of Netfilter/Iptables and IPsets | ||
| + | # for storing large volumes of banned IPs | ||
| + | # | ||
| + | # IPset comes in two versions. See ipset -V for which one to use | ||
| + | # requires the ipset package and kernel support. | ||
[ssh-iptables-ipset4] | [ssh-iptables-ipset4] | ||
| + | |||
enabled = true | enabled = true | ||
port = ssh,2200 | port = ssh,2200 | ||
| Line 105: | Line 125: | ||
maxretry = 4 | maxretry = 4 | ||
| − | + | [ssh-iptables-ipset6] | |
| − | |||
enabled = true | enabled = true | ||
port = ssh,2200 | port = ssh,2200 | ||
Revision as of 18:17, 7 June 2014
Contents
Installation
apt-get install fail2ban
Fail2ban Configuration
vim /etc/fail2ban/fail2ban.conf
You can:
- Adjust the log file - default is: /var/log/fail2ban.log
- Adjust the log level
Restart | check fail2ban
Fail2ban is registered as a service by default.
service fail2ban restart
You can check the log in the dedicated log file:
cat /var/log/fail2ban.conf
Ban rules
Edit the ban configuration rule:
vim /etc/fail2ban/jail.confDefault (generic) properties
[DEFAULT]
ignoreip = 127.0.0.1/8 172.16.50.0/24
...
# "bantime" is the number of seconds that a host is banned.
# default 600s ; 86400 = 24h
bantime = 86400
# Increase max attempt time 'cause lots of scanner are using the default time + 1s.
# default 600
findtime=3600
- In "ignoreip" add your LAN + VPN networks
- Adjust "bantime" and "findtime"
SSH configuration
Enable and adjust:
- SSH
- SSH-DDOS
- SSH-iptables-*
[ssh]
enabled = true
port = ssh,2200
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
...
[ssh-ddos]
enabled = true
port = ssh,2200
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 4
# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
[ssh-route]
enabled = true
filter = sshd
action = route
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]
enabled = true
port = ssh,2200
filter = sshd
banaction = iptables-ipset-proto4
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
[ssh-iptables-ipset6]
enabled = true
port = ssh,2200
filter = sshd
banaction = iptables-ipset-proto6
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
- Note -
- You can use multi-port filtering with port=X,Y
- For IpTables rules you have to adjust the logpath
