Fail2ban
Commands
To see the list of active jails:
sudo fail2ban-client status
To see the status of a jail and whether it has banned any IPs:
sudo fail2ban-client status sshd
See the last failed logins:
sudo lastb -a
Common installation steps
After installing fail2ban, configure it:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
Add 'enabled = true' under each of the installed services (SSH, Apache, Nginx, Vsftp, etc.). It is particularly useful to also enable the 'pam-generic' jail. On Fedora/CentOS you need to change:
logpath = /var/log/secure
instead of
logpath = /var/log/auth.log
Also add ',23' next to the ssh port in the sshd jail; see the section below.
If you have reverse tunnels to other servers, also add:
ignoreip =
so that 127.0.0.1 can also be banned (connections through reverse tunnels arrive from 127.0.0.1).
Increase the ban time:
bantime = 86400
findtime = 86400
maxretry = 4
Restart the service:
systemctl restart fail2ban
If it does not start, check the reason:
fail2ban-client -v -v start
Install Fail2ban on Ubuntu
apt-get install fail2ban
sudo service fail2ban restart
sudo update-rc.d fail2ban enable
Install Fail2ban on CentOS/Fedora
Instead of installing with yum install fail2ban, use:
yum install fail2ban-server fail2ban-systemd
systemctl enable fail2ban
systemctl restart fail2ban
The fail2ban package also installs firewalld, which by default blocks all traffic after the server is restarted.
Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html
AlmaLinux
yum install epel-release
yum install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban
Enable mail
yum install fail2ban-sendmail
Fail2ban when ssh is on the telnet port
These are not failures in the authentication sense (no login actually takes place).
But if you want to ban them anyway, copy /etc/fail2ban/filter.d/sshd.conf to /etc/fail2ban/filter.d/sshd.local and add the following two lines to the failregex (as continuation lines under the existing ones):
^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
Add ',23' next to the ssh port in /etc/fail2ban/jail.local:
[sshd]
port = ssh,23
https://github.com/fail2ban/fail2ban/issues/1284
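To check what the two extra failregex lines would count as failures before reloading the jail, here is an added Python example (not from this page or from the fail2ban project) that expands the placeholders and runs the patterns over constructed sshd log lines. The __prefix_line and <HOST> expansions are simplified approximations of fail2ban's own definitions, and the log lines are made up.

```python
import re

# Assumption: simplified stand-in for fail2ban's __prefix_line (the real one in
# filter.d/common.conf is more elaborate); covers "MMM DD hh:mm:ss host sshd[pid]: ".
PREFIX_LINE = r"\s*(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s"
# Assumption: approximation of what fail2ban substitutes for <HOST>.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines added to sshd.local, before placeholder expansion.
EXTRA_FAILREGEX = [
    r"^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$",
    r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
]


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand the fail2ban placeholders and compile the pattern."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


COMPILED = [compile_failregex(p) for p in EXTRA_FAILREGEX]


def match_hosts(log_lines):
    """Return the <HOST> values matched by the extra failregex lines, in log order
    (a minimal imitation of what fail2ban-regex reports)."""
    hosts = []
    for line in log_lines:
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# Constructed sample sshd log lines (not real traffic).
SAMPLE_LOG = [
    "Mar  3 10:15:01 myhost sshd[1234]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.7 port 51234",
    "Mar  3 10:15:02 myhost sshd[1235]: Did not receive identification string from 198.51.100.9",
    "Mar  3 10:15:03 myhost sshd[1236]: Failed password for root from 192.0.2.5 port 40000 ssh2",
    "Mar  3 10:15:04 myhost sshd[1237]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2",
]

if __name__ == "__main__":
    # Only the first two lines are caught by the new patterns; the "Failed password"
    # line is left to the standard sshd failregex, and the accepted login is ignored.
    for h in match_hosts(SAMPLE_LOG):
        print("would count a failure for", h)
```

On a real host, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.local performs the same check with fail2ban's real definitions.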
Alternative
Edit the file
/etc/services
so that the ssh entry points at the port actually in use.
Default config
The default 10-minute ban is not enough.
Edit /etc/fail2ban/jail.conf
bantime = 86400
findtime = 86400
86400 seconds is one day.