Thursday, March 11, 2010

fail2ban: drop the banhammer on those bruteforcer bots from China

Get fail2ban source from http://www.fail2ban.org/wiki/index.php/Downloads.

# tar -xjvf fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install

Autostart in RedHat,CentOS,Fedora
# cp files/redhat-initd /etc/init.d/fail2ban
# chkconfig --add fail2ban
# chkconfig fail2ban on
# service fail2ban start

Copy the default configuration to jail.local; anything set in jail.local overrides the defaults in jail.conf:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

##########sampleconf##########
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator. Only one "ignoreip" line is read (a second one
# replaces the first), so list every address on the same line.
ignoreip = 127.0.0.1 203.82.1.1/24 x.x.x.x

# "bantime" is the number of seconds that a host is banned.
bantime = 86400

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[ssh-iptables]

enabled = true
filter = sshd
# the second line of a multi-line value must be indented
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=yourmail@mail.com, sender=fail2ban@web.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=yourmail@mail.com, sender=fail2ban@web.com]
logpath = /var/log/secure
maxretry = 6

#####endsample####
# replace logpath with the proper auth log path for your distro

# /etc/init.d/fail2ban restart
or,
# service fail2ban restart

And check your iptables:
# iptables -L

If you want to unblock someone, find the rule number in the jail's chain (the chain is named after the action's name=, so fail2ban-SSH here) and delete that rule:
# iptables -L fail2ban-SSH -n --line-numbers
# iptables -D fail2ban-SSH <rule-number>

Show failed SSH logins counted by date (the first two syslog fields are month and day):
# grep 'Failed password' /var/log/secure | awk '{print $1, $2}' | sort | uniq -c

#testing ssh filter
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
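Worked example added here (not from the original post): a small sh/awk replay of the jail's maxretry/findtime rule over constructed log lines, so you can see which sources the [ssh-iptables] settings above would ban before pointing fail2ban at the real /var/log/secure. The would_ban function, SAMPLE_LOG and the addresses in it are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: replay constructed
# /var/log/secure lines through the maxretry/findtime rule the
# [ssh-iptables] jail uses and print which source IPs it would ban.
# Needs only sh and awk, so it runs on a box without fail2ban installed.

# Constructed sample lines in the syslog format sshd writes to /var/log/secure.
# 203.0.113.7 fails 3 times in 69 s; 198.51.100.9 fails 3 times spread over 57 min.
SAMPLE_LOG='Mar 11 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 11 10:00:05 web sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 11 10:01:10 web sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 11 10:02:00 web sshd[2104]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar 11 10:30:00 web sshd[2105]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar 11 10:59:00 web sshd[2106]: Failed password for root from 198.51.100.9 port 50003 ssh2
Mar 11 11:00:00 web sshd[2107]: Accepted password for bob from 192.0.2.5 port 33001 ssh2'

# would_ban MAXRETRY FINDTIME  (log on stdin)
# Prints, sorted, every source IP that has MAXRETRY "Failed password" lines
# within some FINDTIME-second window. Assumes all lines fall on one day, which
# is enough for the sample; a real replay would also parse the month and day.
would_ban() {
  awk -v maxretry="$1" -v findtime="$2" '
    /Failed password/ {
      # field 3 is HH:MM:SS; turn it into seconds since midnight
      split($3, t, ":"); sec = t[1] * 3600 + t[2] * 60 + t[3]
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; ts[ip, n[ip]] = sec
    }
    END {
      # lines arrive in time order, so any MAXRETRY consecutive failures
      # of one IP whose first and last are <= FINDTIME apart trip the jail
      for (ip in n)
        for (j = maxretry; j <= n[ip]; j++)
          if (ts[ip, j] - ts[ip, j - maxretry + 1] <= findtime) { print ip; break }
    }' | sort
}

# Same settings as the jail above: maxretry = 3, findtime = 600.
# Only 203.0.113.7 is printed; 198.51.100.9 never has 3 failures within 10 min.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600
```

Raising findtime to 3600 makes the slow attacker 198.51.100.9 trip the rule as well, which is the trade-off to weigh when tuning the jail.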

If fail2ban does not seem to be updating iptables, check the fail2ban log. If you see the error below, you probably have an old version of iptables (one that does not understand the -w option) and need to tweak the fail2ban iptables action config.

fail2ban.action [32091]: ERROR iptables -w -N f2b- iptables -w -I INPUT -p tcp -m multiport --dports 0:65535 -j f2b- -- stderr: "iptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\n"

reference: https://serverfault.com/questions/730675/fail2ban-action-error-iptables-w-n-f2b-jail-name

Open the config file /etc/fail2ban/action.d/iptables-common.conf and comment out this line:

#lockingopt = -w

and also change the line that appends the locking option to the iptables command, from

iptables = iptables <lockingopt>
to
iptables = iptables


extra reading: http://www.fail2ban.org/wiki/index.php/Main_Page
