Fail2Ban - Revision history

Kevin at 06:27, 3 April 2009

2009-04-03T06:27:38Z

← Older revision		Revision as of 06:27, 3 April 2009
Line 8:		Line 8:
	Check if it is already installed. If it is not installed yet, install it first.		Check if it is already installed. If it is not installed yet, install it first.
	<pre>		<pre>
-	$ sudo apt-get install iptables	+	$ sudo apt-get install iptables
	</pre>		</pre>

Line 14:		Line 14:
	Fail2ban also uses <code>sendmail</code> mail transfer agent (MTA) to send an email in order to report the failure of login. This can be optional, yet it is better to have the report thus installing <code>sendmail</code> is recommended.		Fail2ban also uses <code>sendmail</code> mail transfer agent (MTA) to send an email in order to report the failure of login. This can be optional, yet it is better to have the report thus installing <code>sendmail</code> is recommended.
	<pre>		<pre>
-	$ sudo apt-get install sendmail	+	$ sudo apt-get install sendmail
	</pre>		</pre>

Line 20:		Line 20:
	== Installation ==		== Installation ==
	<pre>		<pre>
-	$ sudo apt-get install fail2ban	+	$ sudo apt-get install fail2ban
	</pre>		</pre>

Line 27:		Line 27:
	It has a default configuration file which is <code>jail.conf</code> in the <code>/etc/fail2ban</code> directory. However, using <code>/etc/fail2ban/jail.local</code> file is encouraged. If there is no such a file, create one and copy the contents of the <code>jail.conf</code> file. Or just simply copy <code>/etc/fail2ban/jail.conf</code> file to <code>/etc/fail2ban/jail.local</code>.		It has a default configuration file which is <code>jail.conf</code> in the <code>/etc/fail2ban</code> directory. However, using <code>/etc/fail2ban/jail.local</code> file is encouraged. If there is no such a file, create one and copy the contents of the <code>jail.conf</code> file. Or just simply copy <code>/etc/fail2ban/jail.conf</code> file to <code>/etc/fail2ban/jail.local</code>.
	<pre>		<pre>
-	$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local	+	$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
	</pre>		</pre>

Line 74:		Line 74:
	=== Restart Fail2Ban ===		=== Restart Fail2Ban ===
	<pre>		<pre>
-	$ sudo /etc/init.d/fail2ban restart	+	$ sudo /etc/init.d/fail2ban restart
	</pre>		</pre>

Kevin at 09:55, 3 October 2008

2008-10-03T09:55:18Z

← Older revision		Revision as of 09:55, 3 October 2008
Line 48:		Line 48:
	''*<code>port = ssh</code> is comment out yet <code>ssh</code> and <code>sftp</code> are set instead.''		''*<code>port = ssh</code> is comment out yet <code>ssh</code> and <code>sftp</code> are set instead.''

-	It will email you when it detects the failure of the login attempt which happened more than <code>maxretry</code>, 3 in this example, after banning the IP, from which the attempt of the access is.	+	*It will email you when it detects the failure of the login attempt which happened more than <code>maxretry</code>, 3 in this example, after banning the IP, from which the attempt of the access is.
		+	*If you changed the port number used for sshd, then change
		+	action = iptables[name=SSH, port=ssh, protocol=tcp]
		+	to
		+	action = iptables[name=SSH, port='''<port number>''', protocol=tcp]
		+
		+	e.g.)
		+	action = iptables[name=SSH, port='''1234''', protocol=tcp]

Kevin: New page: Category:Network == Fail2Ban == Fail2Ban is an intrusion prevention framework written in Python (programming language). It checks log files and uses firewall such as iptables and TCP W...

2008-09-29T05:48:37Z

New page: Category:Network == Fail2Ban == Fail2Ban is an intrusion prevention framework written in Python (programming language). It checks log files and uses firewall such as iptables and TCP W...

New page

[[Category:Network]]
== Fail2Ban ==
Fail2Ban is an intrusion prevention framework written in Python (programming language). It checks log files and uses firewall such as iptables and TCP Wrapper to ban IP which makes too many login failure.

== Prerequisite ==
=== Iptables ===
As mentioned, it uses <code>iptables</code> so <code>iptables</code> (or other applicable firewall applications) should be installed beforehand.
Check if it is already installed. If it is not installed yet, install it first.
<pre>
$ sudo apt-get install iptables
</pre>

=== Sendmail ===
Fail2ban also uses <code>sendmail</code> mail transfer agent (MTA) to send an email in order to report the failure of login. This can be optional, yet it is better to have the report thus installing <code>sendmail</code> is recommended.
<pre>
$ sudo apt-get install sendmail
</pre>

== Installation ==
<pre>
$ sudo apt-get install fail2ban
</pre>

== Usage ==
=== Create Configuration File (<code>jail.local</code>) ===
It has a default configuration file which is <code>jail.conf</code> in the <code>/etc/fail2ban</code> directory. However, using <code>/etc/fail2ban/jail.local</code> file is encouraged. If there is no such a file, create one and copy the contents of the <code>jail.conf</code> file. Or just simply copy <code>/etc/fail2ban/jail.conf</code> file to <code>/etc/fail2ban/jail.local</code>.
<pre>
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
</pre>

=== Change <code>jail.local</code> File ===
Find <code>[ssh]</code> section and change like:

<pre>
[ssh]

enabled = true
# port = ssh
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=youremail@mail.com]
</pre>
''*<code>port = ssh</code> is comment out yet <code>ssh</code> and <code>sftp</code> are set instead.''

It will email you when it detects the failure of the login attempt which happened more than <code>maxretry</code>, 3 in this example, after banning the IP, from which the attempt of the access is.

How long the IP is banned can be found from the <code>[DEFAULT]</code> section

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
'''bantime = 600'''
maxretry = 3

Change it as you wish (it is seconds).

=== Restart Fail2Ban ===
<pre>
$ sudo /etc/init.d/fail2ban restart
</pre>

== Bug ==
There is a known bug in fail2ban from Ubuntu (8.04) repository. The bug is that fail2ban is not started after rebooting.
The bug was reported [http://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/222804/ here].

This can be solved by adding the line below to <code>/etc/init.d/fail2ban</code> file.
<pre>
[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
</pre>

So it should be like this.
DAEMON_ARGS="$DAEMON_ARGS -x"
fi

# Assure that /var/run/fail2ban exists. This line is added.
'''[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban'''

start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \

==References==
[http://debaday.debian.net/2007/04/29/fail2ban-an-enemy-of-script-kiddies/ Fail2ban: an enemy of script-kiddies]