Fail2ban protects linux security

1. Download and install
# Wget http://cdnetworks-kr-2.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2
 
# Tar xvfj fail2ban-0.8.4.tar.bz2
# Cd fail2ban-0.8.4
# Python setup. py install
# Cd files
# Cp./redhat-initd/etc/init. d/fail2ban
# Chkconfig -- add fail2ban
# Service fail2ban start Note: If you restart iptables, you must restart fail2ban. Otherwise, it will not take effect. The fail2ban filter table is added after iptables is started.
Ii. Configuration
By default, fail2ban. conf contains three parameters, which are annotated.
# Default Log Level
Loglevel = 3
# Log Purpose
Logtarget =/var/log/fail2ban. log
# Socket location
Socket =/tmp/fail2ban. sock
In the jail. conf configuration, the specific service configurations protected by fail2ban are described in SSH.
There is a [DEFAULT] segment in jail. conf. The parameter in this segment is a global parameter and can be overwritten by other segments.
 
# Ignore the IP address. The IP address in this list will not be blocked.
Ignoreip = 127.0.0.1 172.13.14.15
# Shielding time
Banktime = 600
# Time detected. If the number of retries exceeds the specified number, fail2ban is activated.
Findtime= 600
# Number of attempts
Maxretry = 3
# Log modification Detection Mechanism
Backend = auto
 
[Ssh-iptables]
# Activation
Enabled = true
# Filter Name, under the filter. d directory
Filter = sshd
# The job used can be found in the action. d directory by name.
Action = iptables [name = SSH, port = ssh, protocol = tcp]
Mail-whois [name = SSH, dest = root]
# Objective Log Analysis
Logpath =/var/log/secure
# Overwrite the number of global retries
Maxretry = 5
# Overwrite the global shielding time
Banktime = 3600
 
After setting jail. conf, you can use fail2ban.
 
Start fail2ban
/Etc/init. d/fail2ban start
After the filter is started, the corresponding action is executed as long as the log items that comply with the regular expression rules defined by the filter appear. Because the 0.8 source code tree adopts the Client/Server mode, you can easily query the execution of fail2ban. For example, to query the "ssh-iptables" segment just defined, you only need to execute
 
Iii. test:
The fail2ban-client status ssh-iptables
 
The result is printed.
Status for the jail: ssh-iptables
|-Filter
|-Currently failed: 0
| '-Total failed: 5
'-Action
|-Currently banned: 1
| '-IP list: 192.168.210.21
'-Total banned: 1
The fail2ban-client can also directly define the fail2ban parameter in the running
For example, the added shielding time is one day.
Fail2ban-client set ssh-iptables bantime 86400
Re-read the configuration file
Fail2ban-client reload
There are many other ways to run the fail2ban-client without arguments to view more options.
Because of the fail2ban framework, you can modify the filter or action to meet your special needs. For example, if I want to change the default iptables rule Insertion Method of fail2ban, I can go to action. d directory, find the action you want to modify. The example here is iptables. conf
One of the iptables rules of the default actionstart is
Iptables-I INPUT-p <protocol> -- dport <port>-j fail2ban-<name>
In this way, the fail2ban rule is inserted at the beginning of the INPUT chain, I want to write an iptables-A INPUT-p ALL-s 1.2.3.4/32-j ACCEPT as the first rule, so that my IP address as A trusted IP address is not restricted by the rules behind the firewall.. Modify the startup rule of fail2ban and change the above rule
Iptables-I INPUT 2-p <protocol> -- dport <port>-j fail2ban-<name>
In this way, fail2ban inserts its rules as the second rule of the INPUT chain without affecting the first rule.
Here is just a simple example. You can make more changes to the action according to your own rules.
The filter. d directory contains regular log matching rules. The system comes with some common software matching rules, such as sshd, apache, postfix, vsftpd, and pure-ftpd. Let's take a look at the sshd rules to understand how these filters should be written, and you can use fail2ban to protect more of your own services.
Content of sshd. conf
[Definition] www.2cto.com
Failregex = Authentication failure for. * from <HOST>
Failed [-/\ w] + for. * from <HOST>
Root login refused. * FROM <HOST>
[II] (? : Llegal | nvalid) user. * from <HOST>
Ignoreregex =
As you can see, there is a regular expression in each line, corresponding to various types of error authentication. If your sshd version does not have the same log items, you can modify them here or add more.
After the configuration is complete, check the log/var/log/fail2ban. log for a while ~ : Cool:
2012-05-30 17:42:49, 681 fail2ban. actions: WARNING [ssh-iptables] Ban 219.235.231.76
2007-05-30 17:48:00, 823 fail2ban. actions: WARNING [ssh-iptables] Ban 60.191.63.180
2007-05-30 18:42:50, 456 fail2ban. actions: WARNING [ssh-iptables] Unban 219.235.231.76
2007-05-30 18:48:01, 424 fail2ban. actions: WARNING [ssh-iptables] Unban 60.191.63.180
2007-05-30 23:14:43, 921 fail2ban. actions: WARNING [ssh-iptables] Ban 59.42.210.176
2007-05-31 00:14:44, 797 fail2ban. actions: WARNING [ssh-iptables] Unban 59.42.210.176
2007-05-31 01:49:14, 241 fail2ban. actions: WARNING [ssh-iptables] Ban 58.143.242.123
2007-05-31 02:49:15, 236 fail2ban. actions: WARNING [ssh-iptables] Unban 58.143.242.123
2007-05-31 07:20:54, 717 fail2ban. actions: WARNING [ssh-iptables] Ban 210.51.22.207
2007-05-31 08:20:55, 297 fail2ban. actions: WARNING [ssh-iptables] Unban 210.51.22.207