Fail2ban: diferència entre les revisions
Cap resum de modificació |
|||
| (Hi ha 7 revisions intermèdies del mateix usuari que no es mostren) | |||
| Línia 1: | Línia 1: | ||
==Commands== | ==Commands== | ||
To see the list of jails active: | To see the list of jails active: | ||
fail2ban-client status | sudo fail2ban-client status | ||
To see the status of a jail and if it banned any IP: | To see the status of a jail and if it banned any IP: | ||
fail2ban-client status sshd | sudo fail2ban-client status sshd | ||
See the last failed logins: | |||
sudo lastb -a | |||
==Install common== | ==Install common== | ||
| Línia 14: | Línia 16: | ||
vi /etc/fail2ban/jail.local | vi /etc/fail2ban/jail.local | ||
Add: "enable=true" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc. | Add: "'enable=true'" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc. Specially interesting is to enable the 'pam-generic', and in fedora/centos you need to change: | ||
logpath = /var/log/secure | |||
instead of | |||
logpath = /var/log/auth.log | |||
Also add the ,23 besides the ssh port for the ssh. See section below. | Also add the ,23 besides the ssh port for the ssh. See section below. | ||
If you have reverse tunnels to other server also add: | |||
ignoreip = | |||
So that 127.0.0.1 is also blocked (reverse connections arrive from 127.0.0.1) | |||
Increase ban time: | |||
bantime = 86400 | |||
findtime = 86400 | |||
maxretry = 4 | |||
| Línia 22: | Línia 38: | ||
systemctl start fail2ban | systemctl start fail2ban | ||
if it does not restart see the reason: | if it does not restart see the reason: | ||
fail2ban-client -v -v start | fail2ban-client -v -v start | ||
==Install Fail2ban on Ubuntu== | ==Install Fail2ban on Ubuntu== | ||
| Línia 40: | Línia 56: | ||
Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html | Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html | ||
===Almalinux=== | |||
yum install epel-release | |||
yum install fail2ban | |||
systemctl enable fail2ban | |||
systemctl restart fail2ban | |||
==Enable mail== | ==Enable mail== | ||
| Línia 61: | Línia 85: | ||
port = ssh,23 | port = ssh,23 | ||
https://github.com/fail2ban/fail2ban/issues/1284 | |||
===Alternative=== | |||
edit the file | |||
/etc/services | |||
so that ssh is in the right port | |||
==Default config== | |||
The default 10 min ban is not enough. | |||
Edit /etc/fail2ban/jail.conf | |||
bantime = 86400 | |||
findtime = 86400 | |||
86400 is one day | |||
Revisió de 12:46, 6 març 2022
Commands
To see the list of jails active:
sudo fail2ban-client status
To see the status of a jail and if it banned any IP:
sudo fail2ban-client status sshd
See the last failed logins:
sudo lastb -a
Install common
After installing fail2ban configure:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local vi /etc/fail2ban/jail.local
Add: "'enable=true'" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc. Specially interesting is to enable the 'pam-generic', and in fedora/centos you need to change:
logpath = /var/log/secure
instead of
logpath = /var/log/auth.log
Also add the ,23 besides the ssh port for the ssh. See section below.
If you have reverse tunnels to other server also add:
ignoreip =
So that 127.0.0.1 is also blocked (reverse connections arrive from 127.0.0.1)
Increase ban time:
bantime = 86400 findtime = 86400 maxretry = 4
Restart the service,
systemctl start fail2ban
if it does not restart see the reason:
fail2ban-client -v -v start
Install Fail2ban on Ubuntu
apt-get install fail2ban sudo service fail2ban restart sudo update-rc.d fail2ban enable
Install Fail2ban on CentOS/Fedora
Instead of installing with yum install fail2ban, use:
yum install fail2ban-server fail2ban-systemd systemctl enable fail2ban systemctl restart fail2ban
The packet fail2ban also installs the Firewalld, which blocks by default all traffic after restarting the server.
Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html
Almalinux
yum install epel-release yum install fail2ban systemctl enable fail2ban systemctl restart fail2ban
Enable mail
yum install fail2ban-sendmail
Fail2ban when ssh in telnet port
This are no failures in sense of authentication (because login does not take place).
But if you will that yet, just copy /etc/fail2ban/filter.d/sshd.conf into /etc/fail2ban/filter.d/sshd.local and add following to the failregex:
^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
Add the ,23 besides the ssh port in the /etc/fail2ban/jail.local
[sshd] port = ssh,23
https://github.com/fail2ban/fail2ban/issues/1284
Alternative
edit the file
/etc/services
so that ssh is in the right port
Default config
The default 10 min ban is not enough.
Edit /etc/fail2ban/jail.conf
bantime = 86400 findtime = 86400
86400 is one day