CentOS Fail2ban installation and configuration in detail (Linux)

Source: Internet
Author: User


1. Introduction to Fail2ban

Fail2ban monitors your system logs and matches the error messages in them against regular expressions. When a match is found it performs the configured action (usually a firewall rule that blocks the offending address) and can notify the system administrator by e-mail. It is simple, practical and powerful.

2. Functions and features of Fail2ban

1. Supports a large number of services, such as sshd, Apache, qmail, ProFTPD, SASL and so on.
2. Supports a variety of actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications, and so on.
3. Supports wildcard characters in the logpath option.
4. Needs gamin support (note: gamin is a service that monitors files and directories for changes).
5. Requires python, iptables, tcp-wrapper, shorewall and gamin to be installed. If you want to send e-mail, you must also install Postfix or sendmail.

3. Fail2ban installation and configuration example

1: Install the EPEL repository: http://fedoraproject.org/wiki/EPEL/zh-cn

# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban

Or
# CentOS 6 (el6 package):
# yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm

Or
# CentOS 5 (el5 package):
# yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2: Install from the source package

# the codeload URL serves the archive without a file name, so name it explicitly
# wget -O fail2ban-0.9.0.tar.gz https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
# cd fail2ban-0.9.0
# python setup.py install
# the next two lines install the Solaris SMF method script shipped with the source;
# on CentOS the equivalent is the SysV init script files/redhat-initd, copied to /etc/init.d/fail2ban
# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
# chmod +x /lib/svc/method/svc-fail2ban

Installation path:

/etc/fail2ban
action.d  filter.d  fail2ban.conf  jail.conf

We mainly edit the jail.conf configuration file; the others can be left alone.

# vi /etc/fail2ban/jail.conf

SSH anti-attack rules

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=ssh, port=ssh, protocol=tcp]
           sendmail-whois[name=ssh, dest=root, sender=fail2ban@example.com, sendername="Fail2ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-ddos]

enabled  = true
filter   = sshd-ddos
# the single-port iptables action takes one port and one protocol;
# use iptables-multiport if you need a port list
action   = iptables[name=ssh-ddos, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2

# the osx-* jails below are for Mac OS X and are not used on CentOS
[osx-ssh-ipfw]

enabled  = true
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled  = true
filter   = sshd
action   = apf[name=ssh]
logpath  = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled  = true
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[selinux-ssh]

enabled  = true
filter   = selinux-ssh
action   = iptables[name=selinux-ssh, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5


ProFTP anti-attack rules
[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=proftpd, port=ftp, protocol=tcp]
           sendmail-whois[name=proftpd, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


Mail anti-attack rules

# on CentOS, Postfix and Dovecot normally log to /var/log/maillog, not
# /var/log/mail.log (the Debian path); adjust logpath to match your system
[sasl-iptables]

enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

[dovecot]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/mail.log

[dovecot-auth]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/secure

[perdition]

enabled  = true
filter   = perdition
action   = iptables-multiport[name=perdition, port="110,143,993,995"]
logpath  = /var/log/maillog

[uwimap-auth]

enabled  = true
filter   = uwimap-auth
action   = iptables-multiport[name=uwimap-auth, port="110,143,993,995"]
logpath  = /var/log/maillog


Apache anti-attack rules
[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
           sendmail-buffered[name=badbots, lines=5, dest=you@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

[apache-shorewall]

enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=postfix, dest=you@example.com]
logpath  = /var/log/httpd/error_log


Nginx anti-attack rules
[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
action   = iptables-multiport[name=nginx-http-auth, port="80,443"]
logpath  = /var/log/nginx/error.log


Lighttpd anti-attack rules

[suhosin]

enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2


vsftpd anti-attack rules

[vsftpd-notification]

enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=vsftpd, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=vsftpd, port=ftp, protocol=tcp]
           sendmail-whois[name=vsftpd, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800


Pure-FTPd anti-attack rules

[pure-ftpd]

enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400

MySQL anti-attack rules
[mysqld-iptables]

enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=mysql, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5


Apache phpMyAdmin anti-attack rules
[apache-phpmyadmin]

enabled  = true
filter   = apache-phpmyadmin
# two ports need the multiport action; the single-port iptables action takes only one
action   = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3

Create the filter file /etc/fail2ban/filter.d/apache-phpmyadmin.conf and paste the following into it:

# Fail2ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot  = /var/www
badadmin = pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
#          <HOST> is replaced by fail2ban with the capture group for the client address;
#          %(docroot)s and %(badadmin)s are expanded from the two variables above.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  Regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Then restart the service:

# service fail2ban restart
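The match-then-ban loop described in section 1, worked through with the apache-phpmyadmin filter above, as an added Python example (not fail2ban's own code and not from the page): it expands the %(name)s references and the <HOST> tag the way fail2ban does, runs the failregex over constructed Apache error_log lines, and bans a client once maxretry matches fall inside the findtime window (600 seconds is fail2ban's default findtime). The log lines and addresses are constructed; `HOST_REGEX` is an assumed, simplified stand-in for fail2ban's real host capture group.

```python
import re
import warnings
from collections import defaultdict, deque
from datetime import datetime

# Variables and failregex taken from the page's apache-phpmyadmin filter.
FILTER_VARS = {
    "docroot": "/var/www",
    "badadmin": "pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|"
                "mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2",
}
FAILREGEX = r"[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)"

# Assumption: a simplified stand-in for the capture group fail2ban substitutes for <HOST>.
HOST_REGEX = r"(?P<host>[\w\-.^_]*\w)"

# Leading Apache error_log timestamp, e.g. "[Sat Jun 14 10:00:01 2014]".
TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed Apache error_log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_ERROR_LOG = [
    "[Sat Jun 14 10:00:01 2014] [error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin",
    "[Sat Jun 14 10:00:02 2014] [error] [client 192.0.2.10] File does not exist: /var/www/pma",
    "[Sat Jun 14 10:00:03 2014] [error] [client 192.0.2.10] File does not exist: /var/www/mysqladmin",
    "[Sat Jun 14 10:00:05 2014] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Sat Jun 14 10:00:09 2014] [error] [client 198.51.100.7] File does not exist: /var/www/admin",
    "[Sat Jun 14 10:30:00 2014] [error] [client 203.0.113.5] File does not exist: /var/www/db",
    "[Sat Jun 14 10:30:01 2014] [error] [client 203.0.113.5] File does not exist: /var/www/pmadb",
    "[Sat Jun 14 10:45:00 2014] [error] [client 203.0.113.5] File does not exist: /var/www/xampp",
]


def compile_failregex(pattern=FAILREGEX, variables=FILTER_VARS):
    """Expand %(name)s references and the <HOST> tag, then compile the regex."""
    expanded = pattern % variables
    with warnings.catch_warnings():
        # the "[[]" idiom for a literal "[" triggers a harmless
        # "possible nested set" FutureWarning on Python 3.7+
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(expanded.replace("<HOST>", HOST_REGEX))


def find_failures(lines, regex=None):
    """Return the host from every line that matches failregex, in log order."""
    regex = regex or compile_failregex()
    return [m.group("host") for m in map(regex.search, lines) if m]


def scan_log(lines, maxretry=3, findtime=600, regex=None):
    """Replay the log the way a jail does: per host, keep the failure times that
    fall inside the last `findtime` seconds and ban once maxretry of them are in
    the window. Returns the banned hosts in the order they would be banned."""
    regex = regex or compile_failregex()
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    banned = []
    for line in lines:
        m = regex.search(line)
        tm = TIMESTAMP_RE.match(line)
        if not m or not tm:
            continue
        ts = datetime.strptime(tm.group("ts"), TIMESTAMP_FMT)
        host = m.group("host")
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()   # this failure fell out of the findtime window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("matches:", find_failures(SAMPLE_ERROR_LOG))
    print("banned (maxretry=3, findtime=600):", scan_log(SAMPLE_ERROR_LOG))
    print("banned (maxretry=3, findtime=3600):", scan_log(SAMPLE_ERROR_LOG, findtime=3600))
```

With the page's maxretry of 3 only 192.0.2.10 is banned: 203.0.113.5 also probes three bad paths, but its third probe comes 15 minutes after the first two, so with findtime=600 never more than one failure is in the window; widening findtime to 3600 bans it too. The favicon.ico line shows why the filter's regex is anchored on %(docroot)s plus the badadmin list rather than on "File does not exist" alone.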

A final note: after installing Fail2ban, restart it immediately and check that it starts normally, because once you have configured your own rules this is what lets you tell a broken rule from a broken installation. If it starts with the default rules but not after you configure your own, check whether every file named in a logpath= line actually exists under /var/log/ and whether the path in the rule matches the real file. If it does not match, correct the logpath; if the log file does not exist on your system at all, set enabled = false for that jail. Then restart Fail2ban and it should come up without error.
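The check that note describes (does every enabled jail's logpath point at a file that exists?), as an added Python example that is neither the page's nor fail2ban's code: it parses a jail configuration with configparser, expands wildcard logpaths as section 2 says fail2ban allows, skips disabled jails, and reports the enabled jails whose logs are missing, which are the ones that would stop the service from starting. `SAMPLE_JAIL_CONF`, `missing_logpaths` and `demo` are names of this example; the jail fragment and the scratch log tree are constructed.

```python
import configparser
import glob
import os
import tempfile

# Constructed jail.conf fragment in the page's style (not a real host's config).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=ssh, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
action   = iptables-multiport[name=nginx-http-auth, port="80,443"]
logpath  = /var/log/nginx/error.log

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
logpath  = /var/log/httpd/access_log
           /var/log/httpd/*-access_log

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = iptables[name=vsftpd, port=ftp, protocol=tcp]
logpath  = /var/log/vsftpd.log
"""


def load_jails(config_text):
    """Parse jail.conf text. configparser lower-cases option names, so the
    page's 'Enabled' and 'enabled' are the same key; %(name)s interpolation
    is switched off because only logpath and enabled are read here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return cp


def logpath_entries(cp, jail):
    """One entry per line of the jail's logpath value (wildcards allowed)."""
    raw = cp.get(jail, "logpath", fallback="")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def resolve_logpath(entry, root="/"):
    """Files an entry refers to, looked up under `root` so the check can run
    against a scratch tree; a plain path resolves to itself only if it exists."""
    pattern = os.path.join(root, entry.lstrip("/"))
    return sorted(glob.glob(pattern))


def missing_logpaths(config_text, root="/"):
    """Map each enabled jail to the logpath entries that match no file."""
    cp = load_jails(config_text)
    problems = {}
    for jail in cp.sections():          # DEFAULT is not returned by sections()
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue                    # disabled jails are never opened, so skip them
        missing = [e for e in logpath_entries(cp, jail) if not resolve_logpath(e, root)]
        if missing:
            problems[jail] = missing
    return problems


def demo():
    """Build a scratch root with some of the logs present and run the check."""
    with tempfile.TemporaryDirectory() as root:
        for present in ("var/log/secure",
                        "var/log/httpd/access_log",
                        "var/log/httpd/vhost1-access_log"):
            path = os.path.join(root, present)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return missing_logpaths(SAMPLE_JAIL_CONF, root)


if __name__ == "__main__":
    for jail, paths in missing_logpaths(SAMPLE_JAIL_CONF, root="/").items():
        print(f"{jail}: missing {', '.join(paths)} -> fix logpath or set enabled = false")
    print("scratch-tree demo:", demo())
```

In the scratch tree only the nginx error log is absent, so `demo()` reports just the nginx-http-auth jail: the ssh log exists, the apache-badbots wildcard entry matches the vhost log, and the vsftpd jail is skipped because it is disabled, which is exactly the remedy the note above recommends for a log that is not present on the system. Run it against the real root to check a live /etc/fail2ban/jail.conf before restarting the service.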
