CentOS Fail2ban Installation and configuration detailed _linux

Introduction of Fail2ban

Fail2ban can monitor your system log, and then match the log error message (regular match) to perform the appropriate shielding action (usually firewall), and can send e-mail notification system administrator, is not very good, very practical, very powerful!

Two, simple to introduce the function and characteristics of Fail2ban

1, support a large number of services. such as SSHD,APACHE,QMAIL,PROFTPD,SASL and so on
2, support a variety of actions. such as Iptables,tcp-wrapper,shorewall (iptables third-party tools), mail notifications (mail notification), and so on.
3. Support wildcard characters in the LogPath option
4. Need gamin Support (note: Gamin is a service tool for monitoring files and directories for changes)
5, need to install python,iptables,tcp-wrapper,shorewall,gamin. If you want to send an email, you must install Postfix/sendmail

Three, Fail2ban installation and configuration Operation example

1: Install epel update Source: HTTP://FEDORAPROJECT.ORG/WIKI/EPEL/ZH-CN

Copy Code code as follows:

# yum Install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes Fail2ban

Or

Copy Code code as follows:

# yum Install Gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# RPM-IVH fail2ban-0.8.11-2.el6.noarch.rpm

Or

Copy Code code as follows:

# yum Install Gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# RPM-IVH fail2ban-0.8.4-29.el5.noarch.rpm

2: Source Package Installation

Copy Code code as follows:

# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# TAR-XZVF Fail2ban-0.9.0.tar.gz
# CD
#./setup.py
# CP Files/solaris-svc-fail2ban/lib/svc/method/svc-fail2ban
# chmod +x/lib/svc/method/svc-fail2ban

Installation path

Copy Code code as follows:

/etc/fail2ban
ACTION.D FILTER.D fail2ban.conf jail.conf

We mainly edit jail.conf this configuration file, others do not care about it.

Copy Code code as follows:

# vi/etc/fail2ban.conf

SSH anti-attack rules

Copy Code code as follows:

[Ssh-iptables]

Enabled = True
Filter = sshd
Action = Iptables[name=ssh, Port=ssh, Protocol=tcp]
Sendmail-whois[name=ssh, Dest=root, sender=fail2ban@example.com, sendername= "Fail2ban"]
LogPath =/var/log/secure
Maxretry = 5

[Ssh-ddos]
Enabled = True
Filter = Sshd-ddos
Action = Iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp]
LogPath =/var/log/messages
Maxretry = 2

[OSX-SSH-IPFW]

Enabled = True
Filter = sshd
Action = OSX-IPFW
LogPath =/var/log/secure.log
Maxretry = 5

[SSH-APF]

Enabled = True
Filter = sshd
Action = Apf[name=ssh]
LogPath =/var/log/secure
Maxretry = 5

[Osx-ssh-afctl]

Enabled = True
Filter = sshd
Action = osx-afctl[bantime=600]
LogPath =/var/log/secure.log
Maxretry = 5

[Selinux-ssh]
Enabled = True
Filter = Selinux-ssh
Action = Iptables[name=selinux-ssh, Port=ssh, Protocol=tcp]
LogPath =/var/log/audit/audit.log
Maxretry = 5

ProFTP anti-attack rules

Copy Code code as follows:

[Proftpd-iptables]

Enabled = True
Filter = PROFTPD
Action = iptables[name=proftpd, Port=ftp, Protocol=tcp]
SENDMAIL-WHOIS[NAME=PROFTPD, dest=you@example.com]
LogPath =/var/log/proftpd/proftpd.log
Maxretry = 6

Message anti-attack rules

Copy Code code as follows:

[Sasl-iptables]

Enabled = True
Filter = POSTFIX-SASL
Backend = Polling
Action = IPTABLES[NAME=SASL, PORT=SMTP, Protocol=tcp]
SENDMAIL-WHOIS[NAME=SASL, dest=you@example.com]
LogPath =/var/log/mail.log

[Dovecot]

Enabled = True
Filter = Dovecot
Action = Iptables-multiport[name=dovecot, port= "Pop3,pop3s,imap,imaps,submission,smtps,sieve", Protocol=tcp]
LogPath =/var/log/mail.log

[Dovecot-auth]

Enabled = True
Filter = Dovecot
Action = Iptables-multiport[name=dovecot-auth, port= "Pop3,pop3s,imap,imaps,submission,smtps,sieve", Protocol=tcp]
LogPath =/var/log/secure

[Perdition]

Enabled = True
Filter = Perdition
Action = iptables-multiport[name=perdition,port= "110,143,993,995"]
LogPath =/var/log/maillog

[Uwimap-auth]

Enabled = True
Filter = Uwimap-auth
Action = iptables-multiport[name=uwimap-auth,port= "110,143,993,995"]
LogPath =/var/log/maillog

Apache anti-attack rules

Copy Code code as follows:

[Apache-tcpwrapper]

Enabled = True
Filter = Apache-auth
Action = Hostsdeny
LogPath =/var/log/httpd/error_log
Maxretry = 6

[Apache-badbots]

Enabled = True
Filter = Apache-badbots
Action = Iptables-multiport[name=badbots, port= "Http,https"]
Sendmail-buffered[name=badbots, Lines=5, dest=you@example.com]
LogPath =/var/log/httpd/access_log
Bantime = 172800
Maxretry = 1

[Apache-shorewall]

Enabled = True
Filter = Apache-noscript
Action = Shorewall
Sendmail[name=postfix, dest=you@example.com]
LogPath =/var/log/httpd/error_log

Nginx anti-attack rules

Copy Code code as follows:

[Nginx-http-auth]

Enabled = True
Filter = Nginx-http-auth
Action = iptables-multiport[name=nginx-http-auth,port= "80,443"]
LogPath =/var/log/nginx/error.log

LIGHTTPD rules for preventing and regulating the attack

Copy Code code as follows:

[Suhosin]

Enabled = True
Filter = Suhosin
Action = Iptables-multiport[name=suhosin, port= "Http,https"]
# adapt the following two items as needed
LogPath =/var/log/lighttpd/error.log
Maxretry = 2

[Lighttpd-auth]

Enabled = True
Filter = Lighttpd-auth
Action = Iptables-multiport[name=lighttpd-auth, port= "Http,https"]
# adapt the following two items as needed
LogPath =/var/log/lighttpd/error.log
Maxretry = 2

VSFTPD anti-attack rules

Copy Code code as follows:

[Vsftpd-notification]

Enabled = True
Filter = VSFTPD
Action = SENDMAIL-WHOIS[NAME=VSFTPD, dest=you@example.com]
LogPath =/var/log/vsftpd.log
Maxretry = 5
Bantime = 1800

[Vsftpd-iptables]

Enabled = True
Filter = VSFTPD
Action = iptables[name=vsftpd, Port=ftp, Protocol=tcp]
SENDMAIL-WHOIS[NAME=VSFTPD, dest=you@example.com]
LogPath =/var/log/vsftpd.log
Maxretry = 5
Bantime = 1800

PURE-FTPD anti-attack rules

Copy Code code as follows:

[PURE-FTPD]
Enabled = True
Filter = PURE-FTPD
Action = iptables[name=pure-ftpd, Port=ftp, Protocol=tcp]
LogPath =/var/log/pureftpd.log
Maxretry = 2
Bantime = 86400

MySQL anti-attack rules

Copy Code code as follows:

[Mysqld-iptables]

Enabled = True
Filter = Mysqld-auth
Action = Iptables[name=mysql, port=3306, Protocol=tcp]
Sendmail-whois[name=mysql, Dest=root, sender=fail2ban@example.com]
LogPath =/var/log/mysqld.log
Maxretry = 5

Apache phpMyAdmin anti-attack rules

Copy Code code as follows:

[Apache-phpmyadmin]
Enabled = True
Filter = Apache-phpmyadmin
Action = Iptables[name=phpmyadmin, Port=http,https protocol=tcp]
LogPath =/var/log/httpd/error_log
Maxretry = 3
#/etc/fail2ban/filter.d/apache-phpmyadmin.conf
Paste the following into apache-phpmyadmin.conf to save to create a apache-phpmyadmin.conf file.

# Fail2ban configuration file
#
# bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author:gina Haeussge
#

[Definition]

Docroot =/var/www
Badadmin = pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1| Phpmyadmin2

# Option:failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values:text
#
Failregex = [[]client []] File does not exist:% (Docroot) s/(?:% (badadmin) s)

# Option:ignoreregex
# Notes.: Regex to ignore. If This regex matches, the line is ignored.
# Values:text
#
Ignoreregex =
# Service Fail2ban Restart

Write at the end, after installing Fail2ban, please restart Fail2ban immediately, see if it can start normally, Because after we have configured the rule, we can troubleshoot if there is an issue that cannot be started. If the installation is completed with the default rules can start normally, and after the rule is configured to not start normally, please check your/var/log/directory there are no rules in the logpath= behind the file, or the path to the file is consistent with the rules. If inconsistent please modify your path in LogPath, if you do not have this file in your cache directory, set the value of the enabled item for this configuration item to False. Then restart the Fail2ban so that there is generally no mistake.