Difference between revisions of "Fail2ban"
| Line 75: | Line 75: | ||
* SSH | * SSH | ||
* SSH-DDOS | * SSH-DDOS | ||
| + | * SSh-Route | ||
* SSH-iptables-* | * SSH-iptables-* | ||
| Line 143: | Line 144: | ||
* For IpTables rules you have to adjust the logpath | * For IpTables rules you have to adjust the logpath | ||
| + | |||
| + | |||
| + | ==Apache2 Virtual Host== | ||
| + | |||
| + | To secure your virtual hosts, you can duplicate some rules using the same filter: | ||
| + | * New rule name in '''"[" myRuleName "]"''' | ||
| + | * You just need to adjust the '''logpath''' | ||
| + | |||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | |||
| + | [apache-default] | ||
| + | enabled = true | ||
| + | port = http,https | ||
| + | filter = apache-auth | ||
| + | logpath = /var/log/apache*/*error.log | ||
| + | maxretry = 6 | ||
| + | |||
| + | [apache-daxiongmao] | ||
| + | enabled = true | ||
| + | port = http,https | ||
| + | filter = apache-auth | ||
| + | logpath = /var/log/apache/daxiongmao*/*error.log | ||
| + | maxretry = 6 | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | =Custom filters and rules= | ||
| + | |||
| + | You can create your own custom filters and rules that use them. | ||
| + | |||
| + | |||
| + | ==Create filter== | ||
| + | |||
| + | Create new .conf file like that | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | vim /etc/fail2ban/filter.d/myFilter.conf | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | # My filter | ||
| + | # Blocks IPs that … | ||
| + | [Definition] | ||
| + | |||
| + | failregex = regex expression | ||
| + | ignoreregex = | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | The key point is the '''filter regex'''. | ||
| + | |||
| + | |||
| + | |||
| + | ==Test your filter== | ||
| + | |||
| + | You have to test your new filter against a log file with "fail2ban-regex": | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | # fail2ban-regex <log file> <filter configuration> | ||
| + | fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/auth-login.conf | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | ==Create rule(s) for the new filter== | ||
| + | |||
| + | Now you have to update your rules to use that new filter: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | vim /etc/fail2ban/jail.conf | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | [myFilter-apache] | ||
| + | enabled = true | ||
| + | port = http,https | ||
| + | filter = myFilter | ||
| + | logpath = /var/log/apache*/*access*.log | ||
| + | maxretry = 6 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | The '''filter''' attribute matches the file name without '.conf'. | ||
Revision as of 18:29, 7 June 2014
Contents
Installation
apt-get install fail2ban
Fail2ban Configuration
vim /etc/fail2ban/fail2ban.conf
You can:
- Adjust the log file - default is: /var/log/fail2ban.log
- Adjust the log level
Restart | check fail2ban
Fail2ban is registered as a service by default.
service fail2ban restart
You can check the log in the dedicated log file:
cat /var/log/fail2ban.conf
Ban rules
Edit the ban configuration rule:
vim /etc/fail2ban/jail.confDefault (generic) properties
[DEFAULT]
ignoreip = 127.0.0.1/8 172.16.50.0/24
...
# "bantime" is the number of seconds that a host is banned.
# default 600s ; 86400 = 24h
bantime = 86400
# Increase max attempt time 'cause lots of scanner are using the default time + 1s.
# default 600
findtime=3600
- In "ignoreip" add your LAN + VPN networks
- Adjust "bantime" and "findtime"
SSH configuration
Enable and adjust:
- SSH
- SSH-DDOS
- SSh-Route
- SSH-iptables-*
[ssh]
enabled = true
port = ssh,2200
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
...
[ssh-ddos]
enabled = true
port = ssh,2200
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 4
# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
[ssh-route]
enabled = true
filter = sshd
action = route
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]
enabled = true
port = ssh,2200
filter = sshd
banaction = iptables-ipset-proto4
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
[ssh-iptables-ipset6]
enabled = true
port = ssh,2200
filter = sshd
banaction = iptables-ipset-proto6
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 4
- Note -
- You can use multi-port filtering with port=X,Y
- For IpTables rules you have to adjust the logpath
Apache2 Virtual Host
To secure your virtual hosts, you can duplicate some rules using the same filter:
- New rule name in "[" myRuleName "]"
- You just need to adjust the logpath
[apache-default]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-daxiongmao]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache/daxiongmao*/*error.log
maxretry = 6
Custom filters and rules
You can create your own custom filters and rules that use them.
Create filter
Create new .conf file like that
vim /etc/fail2ban/filter.d/myFilter.conf
# My filter
# Blocks IPs that …
[Definition]
failregex = regex expression
ignoreregex =
The key point is the filter regex.
Test your filter
You have to test your new filter against a log file with "fail2ban-regex":
# fail2ban-regex <log file> <filter configuration>
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/auth-login.conf
Create rule(s) for the new filter
Now you have to update your rules to use that new filter:
vim /etc/fail2ban/jail.conf
[myFilter-apache]
enabled = true
port = http,https
filter = myFilter
logpath = /var/log/apache*/*access*.log
maxretry = 6
The filter attribute matches the file name without '.conf'.
