How to install and configure fail2ban in centos

Source: Internet
Author: User
Tags: inotify, dovecot

I. Introduction to fail2ban

Fail2ban monitors your system logs, matches the error entries in them against regular expressions, and then performs the corresponding blocking action (usually a firewall rule). It can also send an email to notify the system administrator. It is good, practical and powerful.

II. Brief overview of fail2ban's features

1. Supports a large number of services, such as sshd, apache, qmail, proftpd, sasl, etc.
2. Supports multiple actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables tool), mail notifications, and so on.
3. Supports wildcards in the logpath option.
4. Requires Gamin support (note: Gamin is a service used to monitor whether files and directories have changed).
5. Requires python, iptables, tcp-wrapper, shorewall and Gamin to be installed. To send email, you must also install postfix/sendmail.

III. fail2ban installation and configuration examples

1. Install the EPEL repository: http://fedoraproject.org/wiki/EPEL/zh-cn

# yum install shorewall gamin-python shorewall-shell shorewall-perl shorewall-common python-inotify python-ctypes fail2ban
Or (CentOS 6 package)
# yum install gamin-python python-inotify python-ctypes
# wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
# rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm
Or (CentOS 5 package)
# yum install gamin-python python-inotify python-ctypes
# wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
# rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm

2. Install from the source package

# wget -O fail2ban-0.9.0.tar.gz https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
# tar -xzvf fail2ban-0.9.0.tar.gz
# cd

Files created by the installation:

/etc/fail2ban/action.d        # Action folder, containing the default files: iptables, mail and other action configurations
/etc/fail2ban/fail2ban.conf   # Defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d        # Filter folder, containing the default files: settings for the log content to filter on
/etc/fail2ban/jail.conf       # Main configuration file, modular; mainly sets the services and the thresholds that trigger ban actions
/etc/rc.d/init.d/fail2ban     # Startup script

3. vi /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = 3
# What we need to do is change this line to /var/log/fail2ban.log so that log information is recorded conveniently
logtarget = SYSLOG
socket = /var/run/fail2ban/fail2ban.sock

4. vi /etc/fail2ban/jail.conf
[DEFAULT]
# Global settings
# List of ignored IP addresses; these are never restricted
ignoreip = 127.0.0.1
# Ban duration, in seconds
bantime = 600
# Time window, in seconds: a host is banned if its failures exceed maxretry within this period
findtime = 600
# Maximum number of attempts
maxretry = 3
# Log change detection mechanism (gamin, polling or auto)
backend = auto

[sshd]
# Settings for a single service check. Where bantime, findtime or maxretry conflict with the global values, the service-level setting takes priority over the global one
# Whether this jail is active (true/false)
enabled = true
# Name of the filter rule, corresponding to filter.d/sshd.conf
filter = sshd
# Action and its parameters, corresponding to the action.d/iptables.conf file
action = iptables[name=SSH, port=ssh, protocol=tcp]
# Path of the log file to watch
logpath = /var/log/secure
bantime = 3600
findtime = 300
maxretry = 3

# service fail2ban start

5. Unban an IP address that fail2ban has blocked

Query the restriction list:
# iptables -L --line-numbers
Chain fail2ban-SSH (1 references)
num  target     prot opt source                 destination
1    DROP       all  --  118.152.158.61.ha.cnc  anywhere
2    RETURN     all  --  anywhere               anywhere

Remove the restriction:
# iptables -D fail2ban-SSH 1
We mainly edit the configuration file jail.conf; there is no need to worry about the rest.

# vi /etc/fail2ban/jail.conf

SSH attack protection rules

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-ddos]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=ssh-ddos, port="ssh,sftp", protocol="tcp,udp"]
logpath  = /var/log/messages
maxretry = 2

[osx-ssh-ipfw]

enabled  = true
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled  = true
filter   = sshd
action   = apf[name=SSH]
logpath  = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled  = true
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[selinux-ssh]

enabled  = true
filter   = selinux-ssh
action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit.log
maxretry = 5

Proftpd attack protection rules

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd.log
maxretry = 6


Email attack protection rules

[sasl-iptables]

enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

[dovecot]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/mail.log

[dovecot-auth]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath  = /var/log/secure

[perdition]

enabled  = true
filter   = perdition
action   = iptables-multiport[name=perdition, port="110,143,993,995"]
logpath  = /var/log/maillog

[uwimap-auth]

enabled  = true
filter   = uwimap-auth
action   = iptables-multiport[name=uwimap-auth, port="110,143,993,995"]
logpath  = /var/log/maillog


Apache attack protection rules

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

[apache-shorewall]

enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/httpd/error_log


Nginx attack protection rules

[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
action   = iptables-multiport[name=nginx-http-auth, port="80,443"]
logpath  = /var/log/nginx/error.log


Lighttpd attack protection rules

[suhosin]

enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# Adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# Adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2


Vsftpd attack protection rules

[vsftpd-notification]

enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800


Pure-ftpd attack protection rules

[pure-ftpd]

enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400


Mysql attack protection rules

[mysqld-iptables]

enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5


Apache phpmyadmin attack protection rules

[apache-phpmyadmin]

enabled  = true
filter   = apache-phpmyadmin
action   = iptables[name=phpmyadmin, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3

# /etc/fail2ban/filter.d/apache-phpmyadmin.conf
You can create the apache-phpmyadmin.conf file by pasting the following content into it.

# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

# service fail2ban restart
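To see how the apache-phpmyadmin failregex above and the findtime/maxretry settings from jail.conf work together, here is an added Python example (not fail2ban's own code and not part of the original article) that expands the filter's %(name)s references, substitutes <HOST>, and replays constructed Apache error_log lines through a sliding findtime window. It assumes IPv4 client addresses and the Apache 2.2 error_log timestamp format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Definitions copied from the apache-phpmyadmin filter above.
PARAMS = {
    "docroot": "/var/www",
    "badadmin": "PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2",
}
FAILREGEX = r"[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)"
# fail2ban replaces <HOST> with a pattern for an IP or hostname; this example assumes
# dotted-quad IPv4 only, which is enough for the constructed log lines below.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Apache 2.2 error_log timestamp, e.g. "[Sun Jan 05 10:00:01 2014]"
TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

def build_failregex(template, params):
    """Expand %(name)s references as fail2ban's INI parser does, then substitute <HOST>."""
    return re.compile((template % params).replace("<HOST>", HOST_RE))

def find_bans(lines, failregex, findtime, maxretry):
    """Hosts that reach maxretry matching lines inside a sliding findtime window, which is
    how the jail.conf findtime/maxretry pair decides when the ban action fires."""
    seen, banned = defaultdict(list), []
    for line in lines:
        ts_match, m = TS_RE.match(line), failregex.search(line)
        if not (ts_match and m):
            continue  # lines without a timestamp or not matching failregex are ignored
        ts = datetime.strptime(ts_match.group(1), "%a %b %d %H:%M:%S %Y")
        host = m.group("host")
        seen[host] = [t for t in seen[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(seen[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed Apache error_log lines (documentation address ranges, not real traffic).
LOG = [
    "[Sun Jan 05 10:00:01 2014] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin",
    "[Sun Jan 05 10:00:02 2014] [error] [client 203.0.113.5] File does not exist: /var/www/PMA",
    "[Sun Jan 05 10:00:03 2014] [error] [client 203.0.113.5] File does not exist: /var/www/images/logo.png",
    "[Sun Jan 05 10:00:04 2014] [error] [client 203.0.113.5] File does not exist: /var/www/mysqladmin",
    "[Sun Jan 05 10:30:00 2014] [error] [client 198.51.100.7] File does not exist: /var/www/admin",
    "[Sun Jan 05 10:30:05 2014] [error] [client 198.51.100.7] File does not exist: /var/www/xampp",
    "[Sun Jan 05 11:00:00 2014] [error] [client 198.51.100.7] File does not exist: /var/www/db",
]

def demo(findtime=600, maxretry=3):
    """[DEFAULT] findtime = 600 with the jail's maxretry = 3: only the fast scanner is banned."""
    return find_bans(LOG, build_failregex(FAILREGEX, PARAMS), findtime, maxretry)
```

Raising findtime to 3600 also bans the slow scanner, which shows why the window and the threshold must be tuned together.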

Finally, restart fail2ban right after installing it to check that it starts normally. If it will not start after we configure the rules, we can troubleshoot as follows. If the default rules start normally after installation but fail2ban no longer starts after the rules are configured, check whether the file named in the rule's "logpath =" item exists in your /var/log/ directory, and whether its path is the same as the one given in the rule; if they differ, change the path in the logpath item. If the file does not exist in your log directory at all, set that rule's enabled item to false. Then restart fail2ban and there will be no more errors.
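The check described in this paragraph, as an added Python example that is not part of the original article: it reads a constructed jail.conf fragment and, for every jail with enabled = true, reports the logpath entries that match no existing file, so you know which jail to fix or disable before restarting. The SAMPLE_JAIL_CONF text, the %(logdir)s placeholder and the scratch directory are assumptions made for the demo.

```python
import configparser
import glob
import os
import tempfile

# Constructed jail.conf fragment in the style of the jails above; %(logdir)s is expanded
# by ConfigParser the same way fail2ban expands %(name)s references.
SAMPLE_JAIL_CONF = """
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3

[sshd]
enabled = true
filter = sshd
logpath = %(logdir)s/secure

[vsftpd-iptables]
enabled = true
filter = vsftpd
logpath = %(logdir)s/vsftpd.log

[dovecot]
enabled = false
filter = dovecot
logpath = %(logdir)s/mail.log
"""

def missing_logpaths(conf_text, logdir):
    """Map each enabled jail to the logpath entries that match no existing file.
    logpath may list several whitespace-separated paths or globs, as fail2ban allows."""
    cp = configparser.ConfigParser(defaults={"logdir": logdir})
    cp.read_string(conf_text)
    problems = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # a disabled jail's logpath is never opened, so it cannot break startup
        for path in cp.get(jail, "logpath", fallback="").split():
            if not glob.glob(path):
                problems.setdefault(jail, []).append(path)
    return problems

def demo():
    """Scratch log directory holding only 'secure': the vsftpd jail is the one to fix."""
    logdir = tempfile.mkdtemp()
    open(os.path.join(logdir, "secure"), "w").close()
    return missing_logpaths(SAMPLE_JAIL_CONF, logdir)
```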
