The use of Fail2ban

Source: Internet
Author: User
Tags bz2 chmod ssh iptables
I had always used a small script of my own to block malicious connections. The principle was simple: scan the log at a fixed interval, and any IP with more than 3 failures gets added to an iptables ban. It had always been quiet.

I don't know whether it is because of the PB4 release, but today I found a huge number of "Authentication Failure" records, far more than my script could deal with. So I had to move to Fail2ban.

The latest version, 0.8.3, requires at least Python 2.4. My system is very old (as4u4, i.e. RHEL AS 4 Update 4) and does not meet that requirement, and upgrading the system Python directly might break other tools that depend on it. So I built a separate one.

# wget http://www.python.org/ftp/python/2.5.2/Python-2.5.2.tgz
# tar -zxvf Python-2.5.2.tgz
# cd Python-2.5.2
# ./configure --prefix=/usr/local/python-2.5.2
# make && make install
# cd /usr/local/
# ln -s python-2.5.2 python

Python 2.5.2 is now installed under /usr/local/python, without touching the system Python.

# wget http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2
# bzip2 -d fail2ban-0.8.3.tar.bz2
# tar -xvf fail2ban-0.8.3.tar
# mv fail2ban-0.8.3 fail2ban
# cd fail2ban
# /usr/local/python/bin/python setup.py install

Move the generated executables to /usr/bin:

# mv /usr/local/python/bin/fail2ban-* /usr/bin

If nothing went wrong, Fail2ban is now installed. All configuration files live in /etc/fail2ban. Copy files/redhat-initd from the source tree into /etc/init.d so the service can be managed like the others and started at boot:

cp files/redhat-initd /etc/init.d/fail2ban
chmod 0755 /etc/init.d/fail2ban

Finally, write a logrotate configuration and put it in /etc/logrotate.d/fail2ban so the log file is rotated periodically:

/var/log/fail2ban.log {
    missingok
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client reload 1>/dev/null || true
    endscript
}

With a few simple settings in jail.conf, Fail2ban can be started. The configuration looks like this:

The default fail2ban.conf contains three parameters, each with a comment:
# default log level
loglevel = 3
# where the log is written
logtarget = /var/log/fail2ban.log
# location of the control socket
socket = /tmp/fail2ban.sock
jail.conf configures the specific services that Fail2ban protects, SSH for example.
jail.conf has a [DEFAULT] section; its parameters are global and can be overridden in the individual jail sections.
# IPs in this list are never banned
ignoreip = 127.0.0.1 172.13.14.15
# how long (seconds) a ban lasts
bantime = 600
# the window (seconds) within which reaching the retry limit triggers Fail2ban
findtime = 600
# number of attempts allowed
maxretry = 3
# mechanism used to detect changes to the log file
backend = auto

[ssh-iptables]
# enable this jail
enabled  = true
# name of the filter, found under filter.d
filter   = sshd
# actions to take; each name corresponds to a file under action.d
action   = iptables[name=ssh, port=ssh, protocol=tcp]
           mail-whois[name=ssh, dest=root]
# log file to analyse
logpath  = /var/log/secure
# override the global retry count
maxretry = 5
# override the global ban time
bantime  = 3600
Once jail.conf is set up, Fail2ban is ready to use.
Start Fail2ban:
/etc/init.d/fail2ban start
After startup, whenever enough log entries match the regular expressions defined by the filter, the corresponding action is executed. Because 0.8 uses a client/server design, it is easy to query the running server. For example, to check the ssh-iptables jail just defined, run
fail2ban-client status ssh-iptables
Will print out the results
Status for the jail: ssh-iptables
|- filter
|  |- Currently failed: 0
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.210.21
   `- Total banned:     1
fail2ban-client can also change Fail2ban parameters directly at run time.
For example, to raise the ban time to one day:
fail2ban-client set ssh-iptables bantime 86400
To re-read the configuration files:
fail2ban-client reload
There are many other uses; run fail2ban-client without arguments to see the full list of commands.
Because Fail2ban is a framework, you can modify a filter or an action to suit your own needs. For example, I wanted to change the way Fail2ban inserts its iptables rule, so I went to the action.d directory and edited the action in question; iptables.conf serves as the example here.
The default actionstart contains this iptables rule:
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
This puts the Fail2ban jump at the front of the INPUT chain. I wanted to keep a rule such as
iptables -A INPUT -p all -s 1.2.3.4/32 -j ACCEPT
as the very first rule, so that this trusted IP is never affected by the firewall rules behind it. The start rule therefore has to be changed to
iptables -I INPUT 2 -p <protocol> --dport <port> -j fail2ban-<name>
Fail2ban then inserts its rule in position 2 of the INPUT chain, leaving the first rule untouched. Two things to check before relying on this: iptables rejects "-I INPUT 2" with "Index of insertion too big" if the chain is still empty when the jail starts, so the ACCEPT rule must be loaded before Fail2ban; and the matching actionstop removes the rule with "iptables -D" and the full rule specification rather than a position, so it needs no change.
This is only a simple example; you can adapt the actions much further to your own rules.
The filter.d directory holds the regular expressions that are matched against the logs. Filters for common software ship with the system: sshd, apache, postfix, vsftpd, pure-ftpd and so on. Reading the sshd rules shows how a filter is written, so you can use Fail2ban to protect more of your own services.
The content of sshd.conf:
[Definition]
failregex = authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            ROOT LOGIN REFUSED .* FROM <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>
ignoreregex =
As you can see, each line is one regular expression corresponding to one kind of authentication error, with <HOST> marking where the offending address is captured. If your sshd version writes its failed-authentication entries differently, modify the expressions here or add more.
After everything is set up and the system has run for a while, a look at /var/log/fail2ban.log is quite satisfying:
2007-05-30 17:42:49,681 fail2ban.actions: WARNING [ssh-iptables] Ban 219.235.231.76
2007-05-30 17:48:00,823 fail2ban.actions: WARNING [ssh-iptables] Ban 60.191.63.180
2007-05-30 18:42:50,456 fail2ban.actions: WARNING [ssh-iptables] Unban 219.235.231.76
2007-05-30 18:48:01,424 fail2ban.actions: WARNING [ssh-iptables] Unban 60.191.63.180
2007-05-30 23:14:43,921 fail2ban.actions: WARNING [ssh-iptables] Ban 59.42.210.176
2007-05-31 00:14:44,797 fail2ban.actions: WARNING [ssh-iptables] Unban 59.42.210.176
2007-05-31 01:49:14,241 fail2ban.actions: WARNING [ssh-iptables] Ban 58.143.242.123
2007-05-31 02:49:15,236 fail2ban.actions: WARNING [ssh-iptables] Unban 58.143.242.123
2007-05-31 07:20:54,717 fail2ban.actions: WARNING [ssh-iptables] Ban 210.51.22.207
2007-05-31 08:20:55,297 fail2ban.actions: WARNING [ssh-iptables] Unban 210.51.22.207



=============

The source code can be downloaded here:
http://sourceforge.net/project/showfiles.php?group_id=121032&package_id=132537

1. Installing on RHEL5


tar -jxvf fail2ban-0.8.3.tar.bz2

Then change into the directory with cd fail2ban-0.8.3/
and, as root, run

./setup.py install

The configuration files are now installed under /etc/fail2ban.

Next:
cp fail2ban-0.8.3/files/suse-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban

Integrate Fail2ban into logrotate:

Create the file /etc/logrotate.d/fail2ban with this content:
/var/log/fail2ban.log {
    weekly
    rotate 7
    missingok
    compress
    postrotate
        /usr/bin/fail2ban-client reload 1>/dev/null || true
    endscript
}

Note:

The path to fail2ban-client may need adjusting; find it with: # whereis fail2ban-client

# ignoreip: addresses or CIDR ranges that are never banned; separate several entries with whitespace, e.g. 192.168.10.0/24
ignoreip = 127.0.0.1

# bantime: how long (seconds) an IP stays blocked; -1 means blocked permanently
bantime = 600

# findtime: the window (seconds) within which maxretry failures trigger a block
findtime = 600

# maxretry: number of failed attempts allowed
maxretry = 3

# per-service settings
# brute-force protection for sshd

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=ssh, port=ssh, protocol=tcp]
           mail-whois[name=ssh, dest=root]
logpath  = /var/log/secure
# if this service needs its own limit, set it here
maxretry = 5

# brute-force protection for vsftpd

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=vsftpd, port=ftp, protocol=tcp]
           sendmail-whois[name=vsftpd, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 3
bantime  = 1800

The recommended setting is maxretry = 3, meaning the IP is blocked after 3 failures.

2. Now start Fail2ban and test it by repeatedly trying to log in over SSH from a single IP.

Here is a small excerpt of /var/log/secure (trimmed):

Did not receive identification string from 192.168.11.2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41017 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41096 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41162 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41209 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41267 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41323 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41376 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41433 ssh2
Invalid user test from 192.168.11.2
Failed password for invalid user test from 192.168.11.2 port 41484 ssh2

Now look at Fail2ban's own log:
fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.11.2
fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.11.2
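To make concrete both how the sshd filter's failregex lines are applied and what maxretry, findtime and bantime do in the login test above, here is an added Python 3 example. It is not code from this article or from the Fail2ban project; it replays a constructed /var/log/secure excerpt (modelled on the one above, with timestamps and the sshd[pid] prefix added; not real traffic) through a minimal model of a jail. The four failregex lines are the ones quoted from filter.d/sshd.conf; expanding <HOST> to (?P<host>\S+) is an approximation of what Fail2ban 0.8 substitutes, and the window and ban bookkeeping is a simplification written for illustration, not the server's implementation.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from filter.d/sshd.conf as quoted in the article.
FAILREGEX = [
    r"authentication failure for .* from <HOST>",
    r"Failed [-/\w]+ for .* from <HOST>",
    r"ROOT LOGIN REFUSED .* FROM <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]
IGNOREREGEX = []  # sshd.conf leaves ignoreregex empty

# Fail2ban replaces <HOST> with a named group; "\S+" approximates the 0.8
# substitution (assumption made here; the real one is slightly more tolerant).
HOST = r"(?P<host>\S+)"
FAIL_RE = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]
IGNORE_RE = [re.compile(r) for r in IGNOREREGEX]
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2007):
    """Parse the syslog timestamp at the start of a /var/log/secure line.
    syslog omits the year, so one has to be assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")


def match_failure(line):
    """Return the host captured by the first matching failregex, or None if
    nothing matches or an ignoreregex matches (ignoreregex wins, as in Fail2ban)."""
    if any(r.search(line) for r in IGNORE_RE):
        return None
    for r in FAIL_RE:
        m = r.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host, ignoreip):
    """ignoreip holds single addresses and/or CIDR ranges separated by whitespace."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname never matches an ignoreip entry in this model
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip.split())


def run_jail(lines, ignoreip="127.0.0.1", findtime=600, maxretry=3, bantime=600):
    """Replay log lines through a minimal jail model: a host is banned once it
    has maxretry matching lines within findtime seconds and unbanned bantime
    seconds later. Returns [(timestamp, "Ban" | "Unban", host), ...] in order."""
    findtime = timedelta(seconds=findtime)
    bantime = timedelta(seconds=bantime)
    failures = defaultdict(deque)  # host -> timestamps of recent matching lines
    banned = {}                    # host -> time at which its ban expires
    events = []

    def expire_bans(now):
        for host, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until, "Unban", host))
                del banned[host]

    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        expire_bans(ts)
        host = match_failure(line)
        if host is None or is_ignored(host, ignoreip) or host in banned:
            continue
        window = failures[host]
        window.append(ts)
        while window and ts - window[0] > findtime:  # forget lines older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts + bantime
            events.append((ts, "Ban", host))
            window.clear()
    return events


# Constructed /var/log/secure excerpt modelled on the article's test (not real traffic).
SAMPLE_LOG = """\
May 30 17:40:01 srv sshd[2201]: Did not receive identification string from 192.168.11.2
May 30 17:40:05 srv sshd[2202]: Invalid user test from 192.168.11.2
May 30 17:40:05 srv sshd[2202]: Failed password for invalid user test from 192.168.11.2 port 41017 ssh2
May 30 17:40:09 srv sshd[2203]: Invalid user test from 192.168.11.2
May 30 17:40:09 srv sshd[2203]: Failed password for invalid user test from 192.168.11.2 port 41096 ssh2
May 30 17:40:13 srv sshd[2204]: Invalid user test from 192.168.11.2
May 30 17:40:13 srv sshd[2204]: Failed password for invalid user test from 192.168.11.2 port 41162 ssh2
May 30 17:41:00 srv sshd[2205]: Failed password for root from 127.0.0.1 port 50000 ssh2
May 30 17:41:30 srv sshd[2206]: Accepted password for admin from 10.0.0.5 port 50100 ssh2
May 30 17:51:00 srv sshd[2207]: Failed password for root from 10.0.0.9 port 50200 ssh2
May 30 18:45:00 srv sshd[2208]: Failed password for root from 10.0.0.9 port 50300 ssh2
""".splitlines()


def demo():
    """Run the sample with the article's ssh-iptables settings (maxretry 5, bantime 3600)."""
    return run_jail(SAMPLE_LOG, ignoreip="127.0.0.1 192.168.10.0/24",
                    findtime=600, maxretry=5, bantime=3600)


if __name__ == "__main__":
    for ts, what, host in demo():
        print("%s fail2ban.actions: WARNING [ssh-iptables] %s %s" % (ts, what, host))
```

Running it prints a Ban for 192.168.11.2 at 17:40:13 and the Unban one hour later, in the same shape as the fail2ban.log lines above. Two details worth noticing: each login attempt in the excerpt produces two matching lines ("Invalid user ..." and "Failed password ..."), so with maxretry = 5 the ban lands on the third attempt, because Fail2ban counts matching log lines, not sessions; and the failure from 127.0.0.1 is never counted because ignoreip, which here also accepts a CIDR range as the second write-up notes, is checked before the window is updated.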

Installing from rpm
a. Download Fail2ban
elinks http://dag.wieers.com/rpm/packages/fail2ban/fail2ban-0.8.1-1.el5.rf.noarch.rpm
b. Install
rpm -ivh fail2ban-0.8.1-1.el5.rf.noarch.rpm

3. Configure
vim /etc/fail2ban/jail.conf

ignoreip = 192.168.1.0/24   (addresses that are ignored)
bantime = 3600   (how long an IP stays locked out)
findtime =   (the time window searched)
maxretry = 3   (number of failures allowed)

Example:
[ssh-iptables]

enabled = true   (true to enable, false to disable)
filter = sshd
action = iptables[name=ssh, port=22, protocol=tcp]
         sendmail-whois[name=ssh, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/secure   (log location)
maxretry = 3

4. Restart the service after changing the configuration
service fail2ban restart


# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     20
`- action
   |- Currently banned: 1
   |  `- IP list:       218.232.104.223
   `- Total banned:     3

And the corresponding entries in fail2ban.log:
2008-04-20 01:39:55,645 fail2ban.actions: WARNING [ssh-iptables] Ban 212.241.214.176
2008-04-20 02:39:56,301 fail2ban.actions: WARNING [ssh-iptables] Unban 212.241.214.176
2008-04-20 03:59:58,811 fail2ban.actions: WARNING [ssh-iptables] Ban 218.28.41.108
