
 
rw-rw-r--   ian   linux

fail2ban

I use fail2ban on public-facing services to monitor their logs and block remote IPs that are attempting to brute-force usernames and passwords.

/etc/fail2ban/jail.local:

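# Global defaults inherited by every jail in this file unless the jail overrides them.
[DEFAULT]
# seconds a banned address stays blocked
bantime = 1800
# failed attempts tolerated before a ban; [ssh] below raises this to 6
maxretry = 3
# never ban these sources (space-separated addresses / CIDR ranges)
ignoreip = 127.0.0.1 10.1.0.0/16
# The default action only sends mail -- it does not block anything. Every jail
# on this page sets its own firewall action, so this only matters for a jail
# that omits "action" -- NOTE(review): confirm that alert-only fallback is intended.
action = mail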

SSH

/etc/fail2ban/jail.local:

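# SSH brute-force protection; watches the sshd entries in the auth log.
[ssh]
enabled = true
# service name, passed through to the action as the port to block
port = ssh
filter = sshd
logpath = /var/log/auth.log
# looser than the [DEFAULT] maxretry of 3 -- NOTE(review): confirm this is deliberate
maxretry = 6
# Two actions: block the source address, then notify by mail.
# %(__name__)s expands to the jail name ("ssh"); the second action must stay
# indented so the parser reads it as a continuation of the same value.
# NOTE(review): iptables-new is an older action name -- check it still exists
# in the installed fail2ban release.
action = iptables-new[name=%(__name__)s]
         mail[name=%(__name__)s]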

Dovecot

/etc/fail2ban/filter.d/dovecot.conf:

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#
# Saved as /etc/fail2ban/filter.d/dovecot.conf and referenced by the [pop3]
# jail below via "filter = dovecot". Matches Dovecot checkpassword failures.

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# Mar 21 19:06:55 hostname dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
#
# The regex keys only on the "checkpassword(<user>,<ip>):" fragment and does not
# require the "exited with status ..." tail shown in the example above.
# NOTE(review): confirm Dovecot emits this line only when authentication
# fails; if it also logs it on success, legitimate logins would count toward a ban.
# ".*" is greedy, so <HOST> binds to the last ",<ip>):" on the line.
failregex = checkpassword\(.*,<HOST>\):

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
# Left empty: no matched line is exempted.
ignoreregex =

/etc/fail2ban/jail.local:

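# Dovecot authentication failures (filter.d/dovecot.conf above), blocked via shorewall.
[pop3]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
# The shorewall action is given no port/protocol parameters, unlike the
# iptables-new actions in the other jails, so the whole source address is
# dropped -- NOTE(review): confirm that is the intended scope.
# The second action must stay indented to be read as part of the same value.
action = shorewall
         mail[name=%(__name__)s]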

Asterisk

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#
# Presumably saved as /etc/fail2ban/filter.d/asterisk.conf: the [sip] jail
# below references it with "filter = asterisk". Matches failed SIP
# registrations logged by Asterisk's chan_sip.

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# [Apr  9 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
#
# The quoted URI is client-supplied; ".*" is greedy, so <HOST> binds to the
# last "' failed for '<ip>'" on the line. Only the "No matching peer found"
# variant is shown above -- NOTE(review): check other registration failure
# messages (e.g. wrong password) use the same wording, or they will not be counted.
failregex = Registration from '.*' failed for '<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
# Left empty: no matched line is exempted.
ignoreregex =

# Option:  timeregex
# Values:  [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
# The Values/Default lines above are template text; the Asterisk format is the
# "[Apr  9 09:53:50]" prefix in the example. ".\d{1}" matches both a
# space-padded day (" 9") and a two-digit day ("10").
# NOTE(review): timeregex/timepattern are honoured only by older fail2ban
# releases; newer ones detect the timestamp automatically -- verify against
# the installed version.
timeregex = \S{3} .\d{1} \d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# Values:  TEXT  Default:  %%a %%b %%d %%H:%%M:%%S %%Y
#
# "%%" is a literal "%" to the configparser-style reader; the value seen by
# fail2ban is "%b %d %H:%M:%S" (no year), matching timeregex above.
timepattern = %%b %%d %%H:%%M:%%S

/etc/fail2ban/jail.local:

# Failed SIP registrations against Asterisk (filter.d/asterisk.conf above).
[sip]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
# Service name and protocol are interpolated into the iptables-new action
# below, so only UDP traffic to the SIP port is blocked -- NOTE(review): if
# Asterisk also listens on TCP, that path stays open.
port = sip
protocol = udp
# %(port)s / %(protocol)s refer to the keys of this jail; %(__name__)s is the
# jail name. The mail action must stay indented as a continuation line.
action = iptables-new[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
         mail[name=%(__name__)s]


Reference http://braindump.mrzesty.net/Main/Fail2ban



