Fail2ban: difference between revisions

From WikiMar
No edit summary
Line 14: Line 14:
  vi /etc/fail2ban/jail.local
  vi /etc/fail2ban/jail.local


Add: "enable=true" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc.
Add: "enable=true" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc. Specially interesting is to enable the 'pam-generic'


Also add the ,23 besides the ssh port for the ssh. See section below.
Also add the ,23 besides the ssh port for the ssh. See section below.
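Review bot: both the old and the new version of the "Add:" line spell the jail option as "enable=true", but fail2ban reads the key "enabled", so this line should say enabled = true. The sentence added at the end, "Specially interesting is to enable the 'pam-generic'", stops without a noun or a reason; suggest "It is especially useful to enable the 'pam-generic' jail" followed by a few words on why.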

Revision as of 01:32, 1 Apr 2016

Commands

To see the list of active jails:

fail2ban-client status

To see the status of a jail and whether it has banned any IP:

fail2ban-client status sshd


Install common

After installing fail2ban, configure it:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Add "enabled = true" under each of the installed services: SSH, Apache, Nginx, Vsftp, etc. It is especially interesting to enable the 'pam-generic' jail.

Also add ,23 next to the ssh port in the ssh jail. See the section below.


Restart the service:

systemctl restart fail2ban

If it does not restart, see the reason:

fail2ban-client -v -v start

Install Fail2ban on Ubuntu

apt-get install fail2ban
sudo service fail2ban restart
sudo update-rc.d fail2ban enable


Install Fail2ban on CentOS/Fedora

Instead of installing with yum install fail2ban, use:

yum install fail2ban-server fail2ban-systemd
systemctl enable fail2ban
systemctl restart fail2ban

The fail2ban package also installs firewalld, which by default blocks all traffic after the server is restarted.


Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html

Enable mail

 yum install fail2ban-sendmail

Fail2ban when ssh in telnet port

These are not failures in the sense of authentication (because no login takes place).

But if you still want that, just copy /etc/fail2ban/filter.d/sshd.conf to /etc/fail2ban/filter.d/sshd.local and add the following to the failregex:

            ^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
            ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$


Add ,23 next to the ssh port in /etc/fail2ban/jail.local:

[sshd]
port    = ssh,23


https://github.com/fail2ban/fail2ban/issues/1284
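
The two failregex lines above can be checked against sample sshd log lines before the service is restarted. The following Python example is added here and is not part of the original wiki page or of fail2ban: it runs the page's two patterns over constructed log lines, including one with a trailing port field that the second pattern does not match as written. Assumptions: PREFIX, HOST and TIMESTAMP are simplified stand-ins for what fail2ban expands or strips itself, and the log lines are made up.

```python
import re

# Assumed, simplified stand-ins: fail2ban expands these placeholders itself.
PREFIX = r"(?:\S+ )?sshd(?:\[\d+\])?: "       # for %(__prefix_line)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # for <HOST>, IPv4 only
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")  # syslog date prefix

# The two failregex lines from this page, copied verbatim.
FAILREGEX = [
    r"^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$",
    r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
]

# Constructed sample lines (documentation IP ranges), not real logs.
SAMPLE = [
    "Apr  1 01:20:11 host1 sshd[2101]: Bad protocol version identification 'root' from 203.0.113.7 port 51514",
    "Apr  1 01:20:15 host1 sshd[2102]: Did not receive identification string from 203.0.113.7",
    "Apr  1 01:21:02 host1 sshd[2110]: Did not receive identification string from 198.51.100.9 port 40022",
    "Apr  1 01:22:40 host1 sshd[2125]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2",
]

def compile_failregex(patterns):
    """Expand the placeholders and compile each pattern."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in patterns]

def scan(lines, patterns=FAILREGEX):
    """Return ({host: hits}, [unmatched lines]) for the given log lines."""
    compiled = compile_failregex(patterns)
    hits, unmatched = {}, []
    for line in lines:
        message = TIMESTAMP.sub("", line)  # match on the line without its date
        match = next((m for m in (rx.search(message) for rx in compiled) if m), None)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
        else:
            unmatched.append(line)
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = scan(SAMPLE)
    print(hits)
    for line in unmatched:
        print("no match:", line)
```

On a host with fail2ban installed, fail2ban-regex runs the real filter file against the real log and is the authoritative check.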