Anti-brute-force protection with Fail2ban (Python)

Source: Internet
Author: User
Tags: imap, inotify, system log, dovecot, phpmyadmin

1. Introduction to Fail2ban

Fail2ban monitors your system logs and matches the error messages in them against regular expressions; when a match is found it performs the corresponding blocking action (usually firewall blocking). For example, when someone is guessing your SSH, SMTP or FTP password and reaches the number of failures you have preset, Fail2ban calls the firewall to block that IP and can also e-mail the system administrator. It is a very practical and very powerful piece of software!


2. A brief introduction to the functions and features of Fail2ban

1. Supports a large number of services, such as sshd, Apache, qmail, ProFTPD, SASL and so on.
2. Supports a variety of actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables tool), mail notification and so on.
3. Wildcards are supported in the logpath option.
4. Needs gamin support (note: gamin is a service tool for monitoring file and directory changes).
5. Requires python, iptables, tcp-wrapper, shorewall and gamin to be installed. If you want to send e-mail, Postfix/sendmail must also be installed.

3. Fail2ban installation and configuration example

1: Install the EPEL update source: http://fedoraproject.org/wiki/EPEL/zh-cn

# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

EPEL 6 (el6) package:

# yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

EPEL 5 (el5) package:

# yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2: Source package installation

# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz

Directory layout after installation:

/etc/fail2ban/action.d        # action directory, with default files included: iptables, mail and other action configuration
/etc/fail2ban/fail2ban.conf   # defines the Fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d        # filter directory, with default files included: settings for matching key log content
/etc/fail2ban/jail.conf       # main configuration file, modular; enables the ban action per service and sets the action thresholds
/etc/rc.d/init.d/fail2ban     # startup script

3. vi /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = 3
logtarget = SYSLOG     # all we need to do is change this line to /var/log/fail2ban.log, which makes the log easier to inspect
socket = /var/run/fail2ban/fail2ban.sock

4. vi /etc/fail2ban/jail.conf

[DEFAULT]              # global settings
ignoreip = 127.0.0.1   # list of ignored IPs, not subject to the limits
bantime = 600          # ban duration, in seconds
findtime = 600         # exceeding the allowed number of attempts within this period gets the host banned
maxretry = 3           # maximum number of attempts
backend = auto         # log change detection mechanism (three kinds: gamin, polling and auto)

[sshd]                 # per-service settings; bantime, findtime and maxretry set here take priority over the global values
enabled = true         # whether this jail is active (true/false)
filter = sshd          # name of the filter rule, corresponding to sshd.conf in the filter.d directory
action = iptables[name=ssh, port=ssh, protocol=tcp]   # action parameters, corresponding to the action.d/iptables.conf file
logpath = /var/log/secure   # path of the log file to monitor
bantime = 3600
findtime = 300
maxretry = 3           # maximum number of attempts

# service fail2ban start      # start the service

4. Unbanning an IP from Fail2ban

Query the ban list:

# iptables -L --line-numbers

Chain fail2ban-ssh (1 references)
num  target  prot opt source                  destination
1    DROP    all  --  118.152.158.61.HA.CNC   anywhere
2    RETURN  all  --  anywhere                anywhere

Lift the ban (delete rule 1 from the chain):

# iptables -D fail2ban-ssh 1


We mainly edit the jail.conf configuration file; the others can be left alone.



# vi /etc/fail2ban/jail.conf

SSH anti-attack rules

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=ssh, port=ssh, protocol=tcp]
           sendmail-whois[name=ssh, dest=root, sender=[email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-ddos]
enabled  = true
filter   = sshd-ddos
action   = iptables[name=ssh-ddos, port="ssh,sftp", protocol="tcp,udp"]
logpath  = /var/log/messages
maxretry = 2

[osx-ssh-ipfw]
enabled  = true
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]
enabled  = true
filter   = sshd
action   = apf[name=ssh]
logpath  = /var/log/secure
maxretry = 5

[osx-ssh-afctl]
enabled  = true
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[selinux-ssh]
enabled  = true
filter   = selinux-ssh
action   = iptables[name=selinux-ssh, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5

ProFTPD anti-attack rules

[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=proftpd, dest=[email protected]]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

Mail anti-attack rules

[sasl-iptables]
enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=[email protected]]
logpath  = /var/log/mail.log

[dovecot]
enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/mail.log

[dovecot-auth]
enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/secure

[perdition]
enabled  = true
filter   = perdition
action   = iptables-multiport[name=perdition, port="110,143,993,995"]
logpath  = /var/log/maillog

[uwimap-auth]
enabled  = true
filter   = uwimap-auth
action   = iptables-multiport[name=uwimap-auth, port="110,143,993,995"]
logpath  = /var/log/maillog

Apache anti-attack rules

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
           sendmail-buffered[name=badbots, lines=5, dest=[email protected]]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

[apache-shorewall]
enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=postfix, dest=[email protected]]
logpath  = /var/log/httpd/error_log

Nginx anti-attack rules

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
action   = iptables-multiport[name=nginx-http-auth, port="80,443"]
logpath  = /var/log/nginx/error.log

Lighttpd anti-attack rules

[suhosin]
enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]
enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

vsftpd anti-attack rules

[vsftpd-notification]
enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=[email protected]]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=vsftpd, dest=[email protected]]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Pure-FTPd anti-attack rules

[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400

MySQL anti-attack rules

[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=mysql, dest=root, sender=[email protected]]
logpath  = /var/log/mysqld.log
maxretry = 5

Apache phpMyAdmin anti-attack rules

[apache-phpmyadmin]
enabled  = true
filter   = apache-phpmyadmin
action   = iptables[name=phpmyadmin, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3

Create the filter file /etc/fail2ban/filter.d/apache-phpmyadmin.conf by pasting the following into it:

# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = pma|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

# service fail2ban restart

In closing: after installing Fail2ban, restart it immediately and check that it starts normally. That way, if it fails to start after we have configured the rules, we know the problem is in the rules and can troubleshoot them. If it starts with the default rules right after installation but fails after the rules are configured, check your /var/log/ directory for the file named after logpath= in each rule, and whether the path of that file matches the rule. If the path is inconsistent, correct it in logpath; if the file does not exist on your machine, set enabled = false for that configuration item. Then restart Fail2ban, and there is usually no error.
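To make the jail.conf thresholds (maxretry, findtime, bantime) and the apache-phpmyadmin failregex above concrete, here is a small Python model of a Fail2ban jail. It is an added example, not Fail2ban's own code; it assumes that the <HOST> token can be reduced to a plain non-space group and runs over constructed Apache error_log lines (the IP addresses are documentation ranges, not real hosts).

```python
import re
from collections import defaultdict, deque

# Simplified model of a Fail2ban jail (added example, not Fail2ban's own code): the
# failregex is applied to each log line, failures are counted per host inside a
# sliding findtime window, and a host reaching maxretry failures is banned for
# bantime seconds. <HOST> is expanded to a plain non-space group (assumption).
HOST_TOKEN = r"(?P<host>\S+)"
# The apache-phpmyadmin filter from the text, with %(docroot)s/%(badadmin)s filled in.
DOCROOT = "/var/www"
BADADMIN = "pma|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp"
FAILREGEX = (r"[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)"
             % {"docroot": DOCROOT, "badadmin": BADADMIN})

class Jail:
    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600):
        self.regex = re.compile(failregex.replace("<HOST>", HOST_TOKEN))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> time at which the ban expires

    def is_banned(self, host, now):
        return now < self.bans.get(host, 0)  # a ban lapses once bantime has elapsed

    def feed(self, line, now):
        # Process one log line seen at time `now`; return the host if it gets banned.
        m = self.regex.search(line)
        if not m or self.is_banned(m.group("host"), now):
            return None
        host = m.group("host")
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.bans[host] = now + self.bantime
        window.clear()
        return host

SAMPLE_LOG = [  # constructed Apache error_log lines as (seconds since start, line)
    (0, "[error] [client 203.0.113.5] File does not exist: /var/www/phpMyAdmin"),
    (5, "[error] [client 203.0.113.5] File does not exist: /var/www/pma"),
    (10, "[error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico"),
    (20, "[error] [client 203.0.113.5] File does not exist: /var/www/myadmin"),
]

def run(log, **jail_opts):  # ban decision (host or None) for each line of the log
    jail = Jail(FAILREGEX, **jail_opts)
    return [jail.feed(line, t) for t, line in log]
```

With the jail's maxretry = 3 the third probe from 203.0.113.5 triggers the ban, while a findtime of 10 seconds lets the earlier failures age out first and no ban happens; the favicon.ico line never matches the filter at all.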


This article is from the "Insist is Victory" blog; please contact the author before reproducing it!
