In short, fail2ban watches a log file for repeated authentication failures and bans the source hosts, by default with an iptables rule.
# uname -ri
3.2.0-38-generic x86_64
# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
install fail2ban via apt-get
# apt-get install fail2ban -y
# apt-cache policy fail2ban
fail2ban:
  Installed: 0.8.6-3
  Candidate: 0.8.6-3
  Version table:
 *** 0.8.6-3 0
        500 http://jp.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
        100 /var/lib/dpkg/status
[ configuration ]
# ls /etc/fail2ban/
action.d  fail2ban.conf  filter.d  jail.conf
I'll use the default configuration (no customization).
# egrep -v ^# /etc/fail2ban/jail.conf | head -10
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
backend = auto
root@ubuntu1204-vm1:~# egrep -v ^# /etc/fail2ban/jail.conf | head -50
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
backend = auto
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
start fail2ban
# /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban                [ OK ]
# /etc/init.d/fail2ban status
 * Status of authentication failure monitor
 * fail2ban is running
To test it, I deliberately failed SSH authentication six times (maxretry = 6 in the [ssh] jail).
before
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
after fail2ban has detected six SSH auth failures
fail2ban added a DROP rule for the offending host to the fail2ban-ssh chain, which INPUT jumps to for port 22.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  192.168.10.120       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
# less /var/log/fail2ban.log
2013-02-20 20:06:17,835 fail2ban.server : INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-02-20 20:06:17,836 fail2ban.jail   : INFO    Creating new jail 'ssh'
2013-02-20 20:06:17,837 fail2ban.jail   : INFO    Jail 'ssh' uses Gamin
2013-02-20 20:06:17,853 fail2ban.filter : INFO    Added logfile = /var/log/auth.log
2013-02-20 20:06:17,853 fail2ban.filter : INFO    Set maxRetry = 6
2013-02-20 20:06:17,854 fail2ban.filter : INFO    Set findtime = 600
2013-02-20 20:06:17,854 fail2ban.actions: INFO    Set banTime = 600
2013-02-20 20:06:17,879 fail2ban.jail   : INFO    Jail 'ssh' started
2013-02-20 20:10:02,144 fail2ban.actions: WARNING [ssh] Ban 192.168.10.12
After 600 seconds (bantime = 600) have passed, fail2ban removes the DROP rule again.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
You can also use fail2ban with other services such as apache-auth, pop3, vsftpd, etc.
Here's an example of how to block vsftpd auth failures with fail2ban.
install vsftpd
# apt-get install vsftpd
vsftpd.conf
# egrep -v ^# /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
edit the [vsftpd] section of jail.conf (set enabled = true)
[vsftpd]
#enabled = false
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
Reload fail2ban so the new jail takes effect.
# fail2ban-client reload
before
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-vsftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
after a host has been banned by the vsftpd jail
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-vsftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
DROP       all  --  192.168.10.120       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
# less /var/log/fail2ban.log
fail2ban.actions: WARNING [vsftpd] Ban 192.168.10.120
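A ban only bites if the per-jail chain is actually reached from INPUT, and that jump is the first thing lost when another firewall script flushes INPUT. The following added example (mine, not fail2ban's code) parses an `iptables -L -n` listing, reports which hosts each fail2ban chain currently drops, and flags chains that INPUT no longer references or whose DROP rules sit behind the final RETURN. The first sample is the post-ban listing from this page; the second is constructed from it by deleting the fail2ban-vsftpd jump to show the failure mode.

```python
"""Sanity checks over `iptables -L -n` output for fail2ban chains.
Added example, not part of fail2ban."""

# Sample copied from the listing on this page, taken after the vsftpd ban.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-vsftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
DROP       all  --  192.168.10.120       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed: the same listing after something removed the vsftpd jump
# from INPUT (what a firewall script doing `iptables -F INPUT` leaves behind).
SAMPLE_FLUSHED_INPUT = "\n".join(
    line for line in SAMPLE_IPTABLES.splitlines()
    if not line.startswith("fail2ban-vsftpd  tcp"))


def parse_iptables(text):
    """Return {chain name: [rule dicts]} from `iptables -L -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith("target") or current is None:
            continue                       # column header, or text before any chain
        else:
            f = line.split(None, 5)        # target prot opt source destination [extra]
            chains[current].append({"target": f[0], "prot": f[1], "source": f[3],
                                    "destination": f[4],
                                    "extra": f[5] if len(f) > 5 else ""})
    return chains


def banned_hosts(chains):
    """Hosts currently dropped by each fail2ban-* chain."""
    return {name: [r["source"] for r in rules if r["target"] == "DROP"]
            for name, rules in chains.items() if name.startswith("fail2ban-")}


def jail_chain_problems(chains):
    """Findings that mean a jail's bans are not being enforced."""
    problems = []
    input_targets = {r["target"] for r in chains.get("INPUT", [])}
    for name, rules in chains.items():
        if not name.startswith("fail2ban-"):
            continue
        if name not in input_targets:
            problems.append(f"{name}: not referenced from INPUT, bans in it have no effect")
        if not rules or rules[-1]["target"] != "RETURN":
            problems.append(f"{name}: does not end with RETURN")
        # fail2ban inserts DROP rules at the top; one after RETURN is unreachable
        seen_return = False
        for r in rules:
            if r["target"] == "RETURN":
                seen_return = True
            elif r["target"] == "DROP" and seen_return:
                problems.append(f"{name}: DROP for {r['source']} sits after RETURN")
    return problems


if __name__ == "__main__":
    for label, text in (("page listing", SAMPLE_IPTABLES),
                        ("flushed INPUT", SAMPLE_FLUSHED_INPUT)):
        chains = parse_iptables(text)
        print(label, banned_hosts(chains), jail_chain_problems(chains) or "OK")
```

On the page's listing the checker reports 192.168.10.120 under fail2ban-vsftpd and no problems; on the constructed listing it reports that fail2ban-vsftpd is no longer referenced from INPUT, even though the DROP rule is still there and `fail2ban-client status vsftpd` would still list the host as banned. In practice the same check can be fed `iptables -L -n` output captured on a cron schedule, with any finding raised as an alert.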