Install Fail2ban on Centos

Source: Internet
Author: User

I. INTRODUCTION

Fail2ban monitors your system logs and matches the error entries in them (by regular expression) to trigger a corresponding blocking action, usually a firewall rule. For example, if someone is guessing your SSH, SMTP or FTP passwords, fail2ban calls the firewall to block that IP address as soon as the failures reach your preset count, and sends an e-mail to the system administrator. It is a very practical and powerful automatic IP-blocking tool.

Fail2Ban scans log files such as /var/log/pwdfail and bans IP addresses that produce too many login password failures. It updates firewall rules to reject the IP address; the rules can be defined by the user. Fail2Ban can read multiple log files, such as those of sshd or the Apache web server.

More documentation, FAQs and HOWTOs are available on the project website: http://www.fail2ban.org

Features and functions of Fail2ban

1. Supports a large number of services, such as sshd, apache, qmail, proftpd and sasl.
2. Supports multiple actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on.
3. Supports wildcards in the logpath option.
4. Gamin support is required (note: Gamin is a service tool that monitors files and directories for changes).
5. Depends on python, iptables, tcp-wrapper, shorewall and Gamin. To send e-mail, postfix/sendmail must also be installed.

II. system environment

System platform: openSUSE 11.4 (i586)

Fail2ban version: Fail2Ban v0.8.4

Python version: python-2.7-8.2.i586

III. Installation

David-Linux:~ # rpm -ivh fail2ban-0.8.4-11.14.1.noarch.rpm

For installation from source, see http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Installation

IV. configuration

Description of the main files:

David-Linux:~ # rpm -ql fail2ban
/etc/fail2ban/action.d          # action folder; contains the default action configurations (iptables, mail and others)
/etc/fail2ban/fail2ban.conf     # defines the fail2ban log level, log location and sock file location
/etc/fail2ban/filter.d          # condition folder; contains the default filters, i.e. the key log content to match on
/etc/fail2ban/jail.conf         # main configuration file, modular; mainly sets which services the ban action is enabled for and the action thresholds
/etc/rc.d/init.d/fail2ban       # start-up script

The following describes the main configuration files.

/etc/fail2ban/fail2ban.conf

This file defines the fail2ban log level, log location and sock file location.

David-Linux:/etc/fail2ban # cat fail2ban.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Each setting is described in detail in this file.

/etc/fail2ban/jail.conf

This is the main configuration file of fail2ban; each section can be understood as a "jail" (prison). The following describes how to set up this file:

David-Linux:/etc/fail2ban # cat jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]                           # global settings

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1                # ignored addresses; addresses in this list are never blocked

# "bantime" is the number of seconds that a host is banned.
bantime  = 600                      # blocking time, in seconds

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600                      # monitoring window; if the retry limit is exceeded within this period,
                                    # fail2ban takes the corresponding action (in other words, a host that
                                    # fails more than the allowed number of times inside this window is banned)

# "maxretry" is the number of failures before a host get banned.
maxretry = 3                        # maximum number of attempts

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# This option can be overridden in each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto                      # log modification detection mechanism (gamin, polling or auto)

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

# The following are the per-jail sections. Settings here take priority over the
# global settings: when a setting conflicts with [DEFAULT], the jail section
# prevails; when a setting is absent, the global value is used.

[ssh-iptables]                      # section label

enabled  = true                     # whether this jail is active (true/false)
filter   = sshd                     # filter name, corresponding to filter.d/sshd.conf
action   = iptables[name=SSH, port=ssh, protocol=tcp]
                                    # action parameters; if sshd is not on the default port, change "port" accordingly
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
                                    # send mail: dest is the recipient, sender is the sender (an SMTP service is required)
                                    # Note: like "filter", "action" refers to configuration files, here
                                    # action.d/iptables.conf and action.d/sendmail-whois.conf
logpath  = /var/log/messages        # location of the log to watch
maxretry = 3                        # maximum number of attempts; overrides the global maxretry

# The meaning of this jail is: fail2ban reads the log file given by logpath
# (/var/log/messages) according to the filter rule (filter = sshd, i.e.
# filter.d/sshd.conf); if, within findtime = 600 seconds (10 minutes, taken
# from the global setting), maxretry = 3 matching failures are reached, the
# configured actions (action.d/iptables.conf and sendmail-whois.conf) are
# executed, and the block lasts bantime = 600 seconds (10 minutes).

# The other jail sections are similar and can be modified using this one as a reference.

David-Linux:/etc/fail2ban #
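To make the findtime / maxretry / bantime / ignoreip logic of the [ssh-iptables] jail concrete, here is an added example that is not part of the original article and not fail2ban's own code. It replays constructed syslog-style sshd lines (the kind found in /var/log/messages) through a failregex written in the style of filter.d/sshd.conf, with the <HOST> placeholder substituted the way fail2ban does, and reports which hosts the jail settings above would ban. The jail values are taken from the article; the failregex, HOST_RE, LOG_YEAR, the sample log lines and all function names are assumptions for the example, and the host pattern is IPv4-only (ignoreip entries given as DNS host names are not resolved here).

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings mirroring the [ssh-iptables] section above (values from the article).
JAIL = {
    "ignoreip": ["127.0.0.1"],   # hosts never banned; CIDR masks are also accepted
    "bantime": 600,              # seconds a host stays banned
    "findtime": 600,             # window in which failures are counted
    "maxretry": 3,               # failures inside findtime that trigger a ban
}

# A failregex in the style of filter.d/sshd.conf. Fail2ban writes <HOST> where the
# remote address appears and substitutes its own host pattern; HOST_RE is an assumed
# IPv4-only stand-in for that substitution, not fail2ban's real pattern.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed syslog-style lines as sshd writes them to /var/log/messages.
# Syslog timestamps carry no year, so LOG_YEAR is assumed when parsing.
LOG_YEAR = 2024
SAMPLE_LOG = """\
Mar  1 10:00:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 2222 ssh2
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:02:10 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:04:30 host sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:05:00 host sshd[1004]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  1 10:05:01 host sshd[1005]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:05:02 host sshd[1006]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  1 10:06:00 host sshd[1010]: Accepted publickey for alice from 203.0.113.7 port 5000 ssh2
Mar  1 10:30:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 2223 ssh2
Mar  1 10:31:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 2224 ssh2
"""


def compile_failregex(pattern):
    """Replace the <HOST> placeholder with a capturing host pattern and compile it."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_timestamp(line, year=LOG_YEAR):
    """Syslog lines start with 'Mon dd HH:MM:SS' (15 characters) and carry no year."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def is_ignored(ip, ignoreip):
    """True if ip falls inside any ignoreip entry (plain address or CIDR mask)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def scan(log_text, jail, failregex):
    """Walk the log once; return {ip: {"since", "until", "failures"}} for banned hosts."""
    findtime = timedelta(seconds=jail["findtime"])
    bantime = timedelta(seconds=jail["bantime"])
    history = {}   # ip -> timestamps of failures still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = failregex.search(line)
        if not m:
            continue                      # not a failure line ("Accepted ..." lines end up here)
        ip, ts = m.group("host"), parse_timestamp(line)
        if is_ignored(ip, jail["ignoreip"]):
            continue                      # ignoreip host: counted by nobody, never banned
        if ip in bans and ts < bans[ip]["until"]:
            continue                      # already banned; the firewall would have dropped this
        # Keep only failures newer than findtime, then add the current one.
        window = [t for t in history.get(ip, []) if t >= ts - findtime] + [ts]
        history[ip] = window
        if len(window) >= jail["maxretry"]:
            bans[ip] = {"since": ts, "until": ts + bantime, "failures": len(window)}
            history[ip] = []
    return bans


if __name__ == "__main__":
    for ip, ban in scan(SAMPLE_LOG, JAIL, compile_failregex(FAILREGEX)).items():
        print(f"ban {ip}: {ban['failures']} failures, "
              f"{ban['since']:%H:%M:%S} -> {ban['until']:%H:%M:%S}")
```

Running the script bans only 203.0.113.5, which fails three times inside ten minutes. 127.0.0.1 also fails three times but is covered by ignoreip, and 198.51.100.9 fails three times in total but its first failure is half an hour before the other two, so never more than two fall inside one findtime window. That last case is the one to keep in mind when tuning findtime: a slow, spaced-out guessing run stays under maxretry unless the window is widened.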

V. fail2ban commands

1. Start / stop fail2ban

service fail2ban start
service fail2ban stop

2. View the status

service fail2ban status

3. Log file

/var/log/fail2ban.log

4. View the iptables rules

iptables -L -n

VI. test

Note: if fail2ban is restarted, all the rules it added to iptables are cleared.

Once you have read the filter rules and action definitions carefully, getting the most out of fail2ban comes down to analysing the logs, writing filter rules based on what the logs contain, and then writing the iptables actions; with a little practice this quickly becomes routine.

Finally, a Chinese fail2ban manual: http://share.opsers.org/viewfile.php?File_id=131
