Friday, 20 September 2013

Fail2Ban Security

Fail2ban is a very useful application if you manage the security of a server, or run your own VPS or physical server. Fail2ban scans the log files created on the system and can ban IPs that are found to be malicious according to the configured rules. We can use it to monitor the logs of various system services, such as Apache and SSH, and block the IPs that are trying to breach the system's security.

Simply put, Fail2ban scans the log files, picks out the failed and fraudulent login attempts, and blocks the offending IPs.
Generally Fail2ban is used to update iptables rules so that traffic is rejected: it finds the offending IP addresses in the server log files and rejects them for a set period of time using iptables. It is very helpful for protecting the server from brute-force attacks. Using Fail2ban, we can protect different services on the server such as SSH, FTP, Apache, Lighttpd, etc. The installation and configuration of Fail2ban is simple.

Write your own IP address into the ignoreip line. You can separate each address with a space.

ignoreip lets you whitelist certain IP addresses and makes sure that they are never locked out of your server. Including your own address guarantees that you do not accidentally ban yourself from your own server.

The next step is to decide on a bantime, the number of seconds that a host will be blocked from the server if it is found to be in violation of any of the rules. This is especially useful in the case of bots, which, once banned, simply move on to the next target. The default is 10 minutes; you may raise this to an hour (or higher) if you like.

maxretry is the number of incorrect login attempts a host may make before it is banned for the length of bantime.

findtime is the window of time in which those failed attempts are counted.
The default is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times within the designated 10 minutes, it will be banned.

Fail2ban Installation Steps

#yum install gamin
#yum install fail2ban

#vi /etc/fail2ban/jail.conf

# Global defaults; every jail below inherits these unless it overrides them.
[DEFAULT]
ignoreip =
bantime  = 86400
findtime  = 600
maxretry = 5
backend = auto
usedns = warn

# The jail section names below are assumed (the listing did not show them);
# fail2ban needs one [section] header per jail.
[sasl-iptables]
enabled  = true
filter   = sasl
backend  = auto
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/maillog

[postfix-iptables]
enabled  = true
filter   = postfix
action   = iptables[name=postfix, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
bantime  = 86400
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@,]
logpath  = /var/log/secure

[proftpd-iptables]
enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/proftpd/proftpd.log

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
logpath  = /var/log/vsftpd.log
bantime  = 1800

#vi /etc/fail2ban/filter.d/sasl.conf

# Every filter file needs a [Definition] section; <HOST> is expanded by fail2ban
# into the pattern that captures the offending IP.
[Definition]
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =

#vi /etc/fail2ban/filter.d/postfix.conf

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
ignoreregex =

#fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
#fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf
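To see how the two failregex lines above and the bantime/findtime/maxretry settings described earlier fit together, here is an added Python example (it is not part of the original post and not fail2ban's own code). It expands `<HOST>` into a named capture group in a simplified version of what fail2ban-regex does, runs the page's sasl and postfix filters over a constructed maillog excerpt, and then applies a simplified jail model: a host is banned once it accumulates maxretry failures inside a findtime window, stays banned for bantime seconds, and is never counted if it appears in ignoreip. The log lines, IP addresses, timestamps and the ignore list are constructed sample data; the `HOST_RE` expansion is an assumption that only approximates fail2ban's real one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified stand-in for fail2ban's <HOST> expansion: it captures the
# bracketed client address into a group named "host" (the real expansion also
# tolerates IPv4-mapped IPv6 prefixes).
HOST_RE = r"(?P<host>[\w\-.:]+)"

# The two failregex lines from this page, exactly as written in filter.d/*.conf.
FILTERS = {
    "sasl": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    "postfix": r"reject: RCPT from (.*)\[<HOST>\]: 554",
}

# Constructed maillog excerpt (documentation/private IP ranges, made-up timestamps):
# 203.0.113.5 fails SASL auth six times in 30 seconds, 192.168.1.20 fails five
# times but is whitelisted, and 198.51.100.9 is rejected three times spread over
# 25 minutes, so its rejects never fall inside one 10-minute findtime window.
SAMPLE_MAILLOG = """\
Sep 20 10:00:01 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:00:04 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep 20 10:00:09 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 20 10:00:15 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:00:22 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:00:30 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:01:00 mail postfix/smtpd[1202]: connect from mail.example.net[192.0.2.10]
Sep 20 10:02:00 mail postfix/smtpd[1203]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:02:05 mail postfix/smtpd[1203]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:02:10 mail postfix/smtpd[1203]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:02:15 mail postfix/smtpd[1203]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:02:20 mail postfix/smtpd[1203]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Sep 20 10:05:00 mail postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <spam@example.org>: Relay access denied; from=<a@b.example>
Sep 20 10:05:30 mail postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <spam@example.org>: Relay access denied; from=<a@b.example>
Sep 20 10:30:00 mail postfix/smtpd[1205]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <spam@example.org>: Relay access denied; from=<a@b.example>
"""


def compile_failregex(failregex):
    """Turn a filter.d failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_time(line, year=2013):
    """Parse the leading syslog timestamp ('Sep 20 10:00:01'); syslog omits the year."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def match_failures(lines, failregex):
    """Like fail2ban-regex: return (timestamp, host) for every line the failregex hits."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((parse_time(line), m.group("host")))
    return hits


def apply_jail(hits, findtime=600, maxretry=5, bantime=86400, ignoreip=()):
    """Simplified jail model: ban a host once it has maxretry failures inside a
    findtime-second window, for bantime seconds. Returns {host: ban_start}."""
    window = defaultdict(list)  # host -> timestamps of failures still inside findtime
    bans = {}                   # host -> time the current ban started
    for ts, host in sorted(hits):
        if host in ignoreip:
            continue  # whitelisted: never counted, never banned
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue  # already banned: iptables would be dropping these packets
        recent = [t for t in window[host] if ts - t < timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            bans[host] = ts
            window[host] = []  # counting starts over after the ban expires
    return bans


def run_demo(log=SAMPLE_MAILLOG):
    """Run both page filters over the sample log with the page's jail settings."""
    lines = log.splitlines()
    sasl_hits = match_failures(lines, FILTERS["sasl"])
    postfix_hits = match_failures(lines, FILTERS["postfix"])
    return {
        "sasl_hits": len(sasl_hits),
        "postfix_hits": len(postfix_hits),
        # the sasl jail inherits the DEFAULT findtime/maxretry/bantime
        "sasl_bans": apply_jail(sasl_hits, 600, 5, 86400, ignoreip={"192.168.1.20"}),
        # the postfix jail on this page overrides maxretry = 3
        "postfix_bans": apply_jail(postfix_hits, 600, 3, 86400),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows 203.0.113.5 banned at its fifth failure (10:00:22) with the sixth failure ignored, 192.168.1.20 never banned because it is in ignoreip, and 198.51.100.9 not banned even with maxretry = 3, because its three rejects never fall inside a single 600-second findtime window. Lowering findtime therefore makes the jail more forgiving of slow, spread-out attempts, while raising maxretry makes it more tolerant of bursts.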

#/etc/init.d/fail2ban restart
# chkconfig fail2ban on

#tail -f /var/log/fail2ban.log

Note:
1: In the ignoreip line, put your local IP pool.
2: In the sendmail-whois action, complete the sender address with your email ID.
