I. INTRODUCTION
Fail2ban monitors your system logs and matches error entries against regular expressions, then performs the corresponding blocking action (usually through the firewall). For example, if someone is guessing your SSH, SMTP or FTP passwords, fail2ban calls the firewall to block that IP address once the failures reach your preset count, and sends an e-mail to the system administrator. It is a very practical and powerful automatic IP blocking tool!
Fail2Ban scans log files like /var/log/pwdfail and bans IPs that make too many login password failures. It updates firewall rules to reject the IP address; these rules can be defined by the user. Fail2Ban can read multiple log files, such as those of sshd or the Apache web server.
More documentation, FAQ, HOWTOs are available on the project website: http://www.fail2ban.org
Features and functions of Fail2ban
1. Supports a large number of services, such as sshd, apache, qmail, proftpd and sasl.
2. Supports multiple actions, such as iptables, tcp-wrapper, shorewall (a third-party iptables front end), mail notifications and so on.
3. Wildcards are supported in the logpath option.
4. Gamin support is required (note: Gamin is a service that monitors files and directories for changes).
5. Requires python, iptables, tcp-wrapper, shorewall and Gamin to be installed. To send e-mail, postfix or sendmail must also be installed.
II. system environment
System platform: openSUSE 11.4 (i586)
Fail2ban version: Fail2Ban v0.8.4
Python version: python-2.7-8.2.i586
III. Installation
David-Linux:~ # rpm -ivh fail2ban-0.8.4-11.14.1.noarch.rpm
Source code installation reference http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Installation
IV. configuration
Description of the main files:
David-Linux:~ # rpm -ql fail2ban
/etc/fail2ban/action.d        # action folder; contains the default action configurations (iptables, mail and others)
/etc/fail2ban/fail2ban.conf   # defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d        # filter folder; contains the default filters that match the key log content
/etc/fail2ban/jail.conf       # main configuration file, modular; sets which services are enabled, the ban action and the thresholds
/etc/rc.d/init.d/fail2ban     # start script
The following describes the main configuration files.
/etc/fail2ban/fail2ban.conf
This file defines the fail2ban log level, log location and socket file location.
David-Linux:/etc/fail2ban # cat fail2ban.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option:  socket
# Notes.:  Set the socket file. This is used to communicate with the daemon. Do
#          not remove this file when Fail2ban runs. It will not be possible to
#          communicate with the server afterwards.
# Values:  FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
Each setting is described in detail in this file.
/etc/fail2ban/jail.conf
This is the main configuration file of fail2ban, which can be understood as a prison. The following describes how to set this file:
David-Linux:/etc/fail2ban # cat jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]
# global settings

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# addresses to ignore: hosts in this list are never blocked

# "bantime" is the number of seconds that a host is banned.
bantime  = 600
# blocking time, in seconds

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# monitoring window: if the number of retries exceeds the limit within this
# period, fail2ban is activated and takes the corresponding action (in other
# words, a host that fails more than the allowed number of times within this
# window gets banned)

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# maximum number of attempts

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
# log modification detection mechanism (gamin, polling or auto)

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
# The following are per-jail sections. Their settings take priority over the
# global [DEFAULT] section: when a jail sets an option that conflicts with the
# global value, the jail value wins; otherwise the global value is used.

[ssh-iptables]
# section name, which serves as the label of this jail

enabled  = true
# whether this jail is active (true/false)

filter   = sshd
# name of the filter rule; corresponds to filter.d/sshd.conf

action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
# action parameters: if sshd does not listen on the default port, remember to
# change port=ssh to the real port. For the mail action, dest is the recipient
# and sender is the sender address (remember that an SMTP service must be
# available).
# Note: this works like filter: each action name refers to a configuration file
# in action.d (here action.d/iptables.conf and action.d/sendmail-whois.conf).

logpath  = /var/log/messages
# location of the log file to watch

maxretry = 3
# maximum number of attempts; this overrides the global maxretry setting
# The general meaning of this jail is: fail2ban applies the filter rule
# (filter = sshd, i.e. filter.d/sshd.conf) to the corresponding log file
# (logpath = /var/log/messages); if, within findtime = 600 seconds ("10 minutes",
# taken from the global setting), maxretry = 3 matching failures ("3 times the
# condition is met") are reached, the corresponding actions
# (action.d/iptables.conf and action.d/sendmail-whois.conf) are executed, and the
# ban lasts bantime = 600 seconds ("10 minutes").
# The other jail sections follow the same pattern, so you can use this one as a
# reference when modifying them.
David-Linux:/etc/fail2ban #
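To make the findtime / maxretry / bantime logic described above concrete, here is an added example (written for this page, not code from the fail2ban project) that models one jail in Python: it matches constructed /var/log/messages lines against simplified failregex patterns in the style of filter.d/sshd.conf (the patterns, host names and addresses are assumptions, not the project's own filter), counts failures per host inside the findtime window, bans at maxretry and lifts the ban after bantime. Running it with the page's defaults and then with a longer findtime shows why a slow, spaced-out guessing attempt escapes the default window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified failregex lines modelled on filter.d/sshd.conf (assumption: these
# are illustrative, not the project's filter). <HOST> is the placeholder that
# fail2ban replaces with its address-matching group.
FAILREGEX = [
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from <HOST>(?: port \d+)?(?: ssh\d*)?$",
    r"Invalid user \S+ from <HOST>$",
]
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in FAILREGEX]

# syslog layout of /var/log/messages: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900; only differences matter

# Constructed sample log (documentation addresses, no real hosts): a fast brute
# force from 192.0.2.10, a slow one from 203.0.113.5 spaced about 20 minutes
# apart, one successful login, and failures from localhost (covered by ignoreip).
SAMPLE_LOG = """\
May 10 10:00:01 david-linux sshd[2001]: Failed password for root from 192.0.2.10 port 51001 ssh2
May 10 10:00:05 david-linux sshd[2002]: Failed password for root from 192.0.2.10 port 51002 ssh2
May 10 10:00:09 david-linux sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 51003 ssh2
May 10 10:00:12 david-linux sshd[2004]: Accepted password for david from 198.51.100.7 port 40000 ssh2
May 10 10:01:00 david-linux sshd[2005]: Failed password for root from 203.0.113.5 port 41000 ssh2
May 10 10:20:00 david-linux sshd[2006]: Failed password for root from 203.0.113.5 port 41001 ssh2
May 10 10:40:00 david-linux sshd[2007]: Failed password for root from 203.0.113.5 port 41002 ssh2
May 10 10:41:00 david-linux sshd[2008]: Failed password for root from 127.0.0.1 port 42000 ssh2
May 10 10:41:01 david-linux sshd[2009]: Failed password for root from 127.0.0.1 port 42001 ssh2
May 10 10:41:02 david-linux sshd[2010]: Failed password for root from 127.0.0.1 port 42002 ssh2
"""


def parse_line(line):
    """Return (seconds, host) for a line that matches a failregex, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        hit = rx.search(m.group("msg"))
        if hit:
            seconds = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") - EPOCH).total_seconds()
            return seconds, hit.group("host")
    return None


class Jail:
    """Model of one jail section: count failures per host inside findtime,
    ban when maxretry is reached, lift the ban after bantime."""

    def __init__(self, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> time at which the ban expires
        self.events = []                    # ("ban" | "unban", seconds, host), in order

    def feed(self, now, host):
        # Lift expired bans first (the daemon would run actionunban here).
        for h, until in list(self.banned.items()):
            if now >= until:
                del self.banned[h]
                self.events.append(("unban", now, h))
        if host in self.ignoreip or host in self.banned:
            return
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime  # actionban would run here
            self.events.append(("ban", now, host))
            window.clear()


def run_jail(log_text, **options):
    """Feed every matching line through a Jail; return the banned hosts in order."""
    jail = Jail(**options)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            jail.feed(*parsed)
    return [host for kind, _, host in jail.events if kind == "ban"]


if __name__ == "__main__":
    print("findtime=600 :", run_jail(SAMPLE_LOG))                 # only the fast attacker
    print("findtime=3600:", run_jail(SAMPLE_LOG, findtime=3600))  # the slow one too
```

With the page's defaults only 192.0.2.10 is banned: 203.0.113.5 never accumulates three failures inside any 600-second window, and localhost is skipped by ignoreip. Raising findtime to 3600 catches the slow attempt as well, which is the trade-off the findtime and maxretry settings control.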
V. fail2ban commands
1. Start/stop fail2ban
service fail2ban start / service fail2ban stop
2. View the status
service fail2ban status
3. Log file
/var/log/fail2ban.log
4. View the iptables rules
iptables -L -n
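Beyond tailing /var/log/fail2ban.log by hand, an administrator usually wants to know which hosts are currently banned and which keep coming back after bantime expires. The following added example (not part of the original page or of fail2ban) parses Ban/Unban lines; the sample lines are constructed and follow the layout of the 0.8 series log (date, time, component, level, jail in brackets, event, address), which is an assumption to check against your own log.

```python
import re
from collections import Counter

# Ban/Unban lines written by fail2ban.actions (layout assumed from 0.8 logs).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<host>\S+)$"
)

# Constructed sample of /var/log/fail2ban.log (documentation addresses only).
SAMPLE_FAIL2BAN_LOG = """\
2011-05-10 10:00:09,412 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2011-05-10 10:10:09,501 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10
2011-05-10 10:40:00,003 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.5
2011-05-10 10:45:00,777 fail2ban.server : INFO    some unrelated server message (constructed)
2011-05-10 11:00:00,100 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
"""


def summarize(log_text):
    """Return (ban_counts, active): how often each (jail, host) was banned and
    the timestamp of the still-active ban for each (jail, host), if any."""
    ban_counts = Counter()
    active = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # filter/server chatter and anything else is ignored
        key = (m.group("jail"), m.group("host"))
        if m.group("event") == "Ban":
            ban_counts[key] += 1
            active[key] = m.group("ts")
        else:
            active.pop(key, None)  # Unban closes the open ban for that host
    return ban_counts, active


def repeat_offenders(ban_counts, min_bans=2):
    """Hosts banned at least min_bans times, most frequent first: candidates
    for a longer bantime or a permanent firewall rule."""
    hosts = Counter()
    for (_, host), n in ban_counts.items():
        hosts[host] += n
    return [h for h, n in hosts.most_common() if n >= min_bans]


if __name__ == "__main__":
    counts, active = summarize(SAMPLE_FAIL2BAN_LOG)
    for (jail, host), ts in sorted(active.items()):
        print("active ban %s %s since %s" % (jail, host, ts))
    print("repeat offenders:", repeat_offenders(counts))
```

A host that appears in the repeat-offender list has been banned, released after bantime and banned again; that is the signal for reconsidering the 600-second bantime for that jail.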
VI. test
Note: if fail2ban is restarted, the rules it created in iptables are cleared, so existing bans are lost.
After reading the filter rules and action contents carefully, you will see that the key to working well with fail2ban is to analyze the log, write the filter rule based on that log, and then write the iptables action; with a little practice this comes quickly.
Finally, a fail2ban manual in Chinese: http://share.opsers.org/viewfile.php?file_id=131