lost and found ( for me ? )

install fail2ban on Ubuntu 12.04 LTS

http://www.fail2ban.org/wiki/index.php/Main_Page
In short, fail2ban watches log files for repeated authentication failures and bans access from the offending hosts.

# uname -ri
3.2.0-38-generic x86_64

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"


install fail2ban via apt-get
# apt-get install fail2ban -y

# apt-cache policy fail2ban
fail2ban:
 Installed: 0.8.6-3
 Candidate: 0.8.6-3
 Version table:
*** 0.8.6-3 0
       500 http://jp.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
       100 /var/lib/dpkg/status


[ configuration ]
# ls /etc/fail2ban/
action.d  fail2ban.conf  filter.d  jail.conf


I'll use the default configuration (no customization).
# egrep -v ^# /etc/fail2ban/jail.conf | head -10


[DEFAULT]

ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3

backend = auto

root@ubuntu1204-vm1:~# egrep -v ^# /etc/fail2ban/jail.conf | head -50

[DEFAULT]

ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3

backend = auto

destemail = root@localhost


banaction = iptables-multiport

mta = sendmail

protocol = tcp

chain = INPUT


action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action = %(action_)s

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6


start fail2ban
# /etc/init.d/fail2ban restart
* Restarting authentication failure monitor fail2ban                    [ OK ]

# /etc/init.d/fail2ban status
* Status of authentication failure monitor                                      *  fail2ban is running


To test it, I intentionally failed SSH authentication six times (the [ssh] jail sets maxretry = 6).

before
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination


After fail2ban detected six SSH authentication failures,
it added a DROP rule for the offending host to the fail2ban-ssh iptables chain.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  192.168.10.120       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

# less /var/log/fail2ban.log
2013-02-20 20:06:17,835 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-02-20 20:06:17,836 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-02-20 20:06:17,837 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2013-02-20 20:06:17,853 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-02-20 20:06:17,853 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-20 20:06:17,854 fail2ban.filter : INFO   Set findtime = 600
2013-02-20 20:06:17,854 fail2ban.actions: INFO   Set banTime = 600
2013-02-20 20:06:17,879 fail2ban.jail   : INFO   Jail 'ssh' started
2013-02-20 20:10:02,144 fail2ban.actions: WARNING [ssh] Ban 192.168.10.12


After 600 seconds (bantime = 600) had passed, fail2ban removed the iptables rule again.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


You can also use fail2ban with other services, such as apache-auth, pop3 and vsftpd.

Here's an example of how to block vsftpd authentication failures with fail2ban.

install vsftpd
# apt-get install vsftpd


vsftpd.conf
# egrep -v ^# /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem


edit the [vsftpd] section of jail.conf (the file's own comments recommend putting overrides in jail.local instead, so they survive package upgrades)
[vsftpd]

#enabled  = false
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


Reload fail2ban so that the new configuration takes effect.
# fail2ban-client reload


before
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-vsftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


After a host has been banned by fail2ban:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-vsftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
DROP       all  --  192.168.10.120       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


# less /var/log/fail2ban.log
fail2ban.actions: WARNING [vsftpd] Ban 192.168.10.120
