Difference between revisions of "Fail2ban"
Revision as of 15:39, 30 December 2017
fail2ban
There is a newer article on fail2ban at CentOS 7.x fail2ban.
fail2ban is a useful tool for blocking brute-force attacks. Compared to other tools such as denyhosts it is more generic: the regular expressions that recognise failed attempts live in the /etc/fail2ban/filter.d/*.conf files, and /etc/fail2ban/jail.conf then names, for each service, the log file to watch and the iptables (tcp/udp) ports to block once an address exceeds the allowed number of failed attempts. Defaults for squid, apache, mail, etc. are already present and only need to be enabled.
Steps for installing fail2ban are:
- Setup epel repository (yum -y install epel-release)
- yum -y install fail2ban
- service fail2ban start
- chkconfig fail2ban on
For CentOS 7 refer to http://unix.stackexchange.com/questions/171567/installing-fail2ban-on-centos-7, which also covers configuring fail2ban with SELinux enabled. The following links also have useful information:
- http://www.servermom.org/install-fail2ban-centos/1809/
- http://lintut.com/install-fail2ban-on-centos-7/
Automated fail2ban installation
Automated fail2ban installation via Ansible can be achieved with the following playbook fragment. It assumes a proxy_env variable (a dict of http_proxy/https_proxy values) is defined elsewhere in the playbook; drop the environment lines if no proxy is needed.
vars:
  epel_download_url: http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
  epel_download_path: /root/epel-release-6-8.noarch.rpm
tasks:
  # Setup epel for downloading fail2ban
  - name: Download epel RPM
    get_url: url="{{ epel_download_url }}" dest="{{ epel_download_path }}" timeout=5
    environment: proxy_env   # proxy_env must be defined elsewhere (not shown here)
  - name: Install epel RPM
    yum: name="{{ epel_download_path }}" state=present
    environment: proxy_env
  # Install fail2ban and enable it on startup
  - name: Install fail2ban
    yum: name=fail2ban state=present
  - name: Start and enable fail2ban service
    service: name=fail2ban state=started enabled=yes
Configuring fail2ban
To configure fail2ban according to your needs, use the following steps:
- Install fail2ban as described above
- Create a local configuration file to override the defaults with 'cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local' (jail.conf is replaced on package upgrades, jail.local is not)
- Edit jail.local as follows:
- Set ignoreip (addresses that are never banned, e.g. your own management hosts), bantime (seconds an address stays banned), findtime (the window in which failures are counted) and maxretry (the number of failures within findtime that triggers a ban)
- Enable protection of the appropriate services by setting 'enabled = true' in the respective jail section
- Optionally look at the mail-related configuration in '/etc/fail2ban/action.d/sendmail-whois.conf'
- Restart fail2ban for the changes to take effect
- Look at the iptables-save output to see the filter rules currently added by fail2ban
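The following is an added example, not fail2ban's own code, showing how the ignoreip, findtime, maxretry and bantime settings from jail.local interact. It parses a constructed jail.local fragment with configparser, replays constructed sshd log lines through a simplified failregex (modelled on filter.d/sshd.conf, not copied from it), and renders the resulting ban as the kind of rule you would expect to see in iptables-save output (modelled on the iptables-multiport action's f2b-<jail> chain). The host names, IP addresses and timestamps are illustrative.

```python
"""Replay of fail2ban's ban decision: ignoreip, findtime, maxretry, bantime."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment (illustrative values, same syntax as the real file).
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 10.0.0.0/8
bantime  = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port    = ssh
logpath = /var/log/secure
"""

# Simplified failregex; the real one in filter.d/sshd.conf covers many more message forms.
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

# Constructed syslog lines (year assumed to be 2017, as syslog omits it).
LOG_LINES = [
    "Dec 30 15:39:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Dec 30 15:39:10 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Dec 30 15:39:15 web1 sshd[2205]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2",
    "Dec 30 15:39:20 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Dec 30 15:39:30 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Dec 30 15:40:00 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Dec 30 15:41:00 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "Dec 30 15:55:00 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 50003 ssh2",
    "Dec 30 15:56:00 web1 sshd[2217]: Failed password for root from 10.0.0.9 port 60001 ssh2",
    "Dec 30 15:56:05 web1 sshd[2219]: Failed password for root from 10.0.0.9 port 60002 ssh2",
    "Dec 30 15:56:10 web1 sshd[2221]: Failed password for root from 10.0.0.9 port 60003 ssh2",
]


def load_jail(text, name):
    """Read one jail section; [DEFAULT] values are inherited, as in fail2ban."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
    }


def is_ignored(host, networks):
    """True when the address falls inside any ignoreip network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def parse_ts(line, year=2017):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp; the year is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def replay(lines, jail):
    """Return {host: (ban_start, ban_end)} after replaying the log through the jail."""
    failures = defaultdict(deque)   # host -> timestamps still inside the findtime window
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue                 # not a failure line for this filter
        host, ts = m.group("host"), parse_ts(line)
        if is_ignored(host, jail["ignoreip"]) or host in bans:
            continue                 # whitelisted, or already banned (firewall drops it anyway)
        window = failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > jail["findtime"]:
            window.popleft()         # failures older than findtime no longer count
        if len(window) >= jail["maxretry"]:
            bans[host] = (ts, ts + timedelta(seconds=jail["bantime"]))
    return bans


def render_iptables(bans, jail_name):
    """Rules as they would appear in iptables-save for the iptables-multiport action."""
    return [f"-A f2b-{jail_name} -s {host}/32 -j REJECT --reject-with icmp-port-unreachable"
            for host in sorted(bans)]


JAIL = load_jail(JAIL_LOCAL, "sshd")

if __name__ == "__main__":
    result = replay(LOG_LINES, JAIL)
    for host, (start, end) in result.items():
        print(f"{host} banned at {start} until {end}")
    print("\n".join(render_iptables(result, "sshd")))
```

Only 203.0.113.5 ends up banned: it reaches three failures inside 600 seconds. 198.51.100.7 also fails three times, but the third attempt is more than findtime after the first two, so the window has shrunk to one entry and no ban fires. 10.0.0.9 is never counted because it is inside an ignoreip network. The ban is recorded once; later failures from a banned host are skipped, which mirrors the fact that the REJECT rule stops those packets before sshd ever logs them.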