fail2ban

I use fail2ban on public-facing services to watch their logs and block remote IPs that are brute-forcing usernames and passwords.

Debian Installation

aptitude install python-gamin fail2ban

python-gamin lets fail2ban pick up log changes through gamin instead of polling the files; backend = auto in jail.local below uses it when it is installed and falls back to polling otherwise.

/etc/fail2ban/jail.local:

[DEFAULT]
bantime  = 1800
maxretry = 3
ignoreip = 127.0.0.1 10.1.0.0/16

action = mail

backend = auto

Note that the mail action only sends a notification and blocks nothing, so a jail that does not set its own blocking action (each jail below does) will alert but never ban. findtime is left at its default of 600 seconds, so maxretry failures from one host within 10 minutes trigger a ban that lasts bantime seconds; hosts in ignoreip are never banned.

SSH

/etc/fail2ban/jail.local:

[ssh]
enabled = true
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4
action = shorewall[name=%(__name__)s]
         sendmail-whois[name=%(__name__)s]

Dovecot

/etc/fail2ban/filter.d/dovecot.conf:

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# Mar 21 19:06:55 hostname dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
failregex = checkpassword\(.*,<HOST>\):

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/jail.local:

[dovecot]
enabled  = true
filter  = dovecot
logpath  = /var/log/mail.log
action = shorewall[name=%(__name__)s]
         sendmail-whois[name=%(__name__)s]

Asterisk

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

/etc/fail2ban/filter.d/asterisk.conf:

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# [Apr  9 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
# Note: newer Asterisk releases log the source as 'address:port'; the quote
# that follows <HOST> then never matches and the regex needs adjusting.
failregex = Registration from '.*' failed for '<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/jail.local:

[sip]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
port = sip
protocol = udp
action = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
         sendmail-whois[name=%(__name__)s]
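To check that the dovecot and asterisk failregex lines above behave the way the jail.local settings expect, here is an added example (not code from this page or from fail2ban itself) that re-implements the relevant slice of fail2ban in Python: it expands the <HOST> tag the way the 0.8 series does, runs each failregex over constructed log lines, drops hosts covered by the page's ignoreip, and reports which hosts reach maxretry. The log lines, the RFC 5737 attacker addresses and the function names are all made up for the example; the real daemon additionally requires the hits to fall inside findtime, which the script does not model. The fourth asterisk line uses the 'address:port' form that newer Asterisk releases log, to show that the regex as written misses it.

```python
import ipaddress
import re
from collections import defaultdict

# fail2ban replaces the <HOST> tag in a failregex with this named group
# (the expansion used by the 0.8 series that the filters above target).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the dovecot and asterisk filters above.
FILTERS = {
    "dovecot": r"checkpassword\(.*,<HOST>\):",
    "asterisk": r"Registration from '.*' failed for '<HOST>'",
}

# Constructed log lines, not real captures. 203.0.113.7 and 192.168.1.200
# are the "attackers"; 10.1.4.20 and 10.1.7.3 fall inside ignoreip.
DOVECOT_LOG = """\
Mar 21 19:06:55 mail dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
Mar 21 19:07:01 mail dovecot: auth(default): checkpassword(alice,203.0.113.7): Child 15204 exited with status 111
Mar 21 19:07:03 mail dovecot: auth(default): checkpassword(alice,203.0.113.7): Child 15209 exited with status 111
Mar 21 19:07:05 mail dovecot: auth(default): checkpassword(admin,203.0.113.7): Child 15213 exited with status 111
Mar 21 19:07:10 mail dovecot: auth(default): checkpassword(bob,10.1.4.20): Child 15220 exited with status 111
Mar 21 19:07:12 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.9
""".splitlines()

ASTERISK_LOG = """\
[2009-04-09 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
[2009-04-09 09:53:51] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:124@siphacker' failed for '192.168.1.200' - No matching peer found
[2009-04-09 09:53:52] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:125@siphacker' failed for '192.168.1.200' - No matching peer found
[2009-04-09 09:54:00] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:100@siphacker' failed for '198.51.100.5:5060' - No matching peer found
[2009-04-09 09:54:05] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:200@phone' failed for '10.1.7.3' - No matching peer found
""".splitlines()


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_ignoreip(spec):
    """ignoreip is a whitespace-separated list of addresses and CIDR blocks."""
    return [ipaddress.ip_network(item, strict=False) for item in spec.split()]


def is_ignored(host, networks):
    """True if host is an IP literal inside one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname; fail2ban would resolve it, this script does not
        return False
    return any(addr in net for net in networks)


def scan(lines, failregex, ignoreip="127.0.0.1 10.1.0.0/16", maxretry=3):
    """Count failregex hits per non-ignored host and return (hits, hosts_to_ban).

    Defaults mirror the page's [DEFAULT] section. The real daemon also requires
    the maxretry hits to fall within findtime, which this offline scan ignores.
    """
    pattern = compile_failregex(failregex)
    networks = parse_ignoreip(ignoreip)
    hits = defaultdict(int)
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        host = match.group("host")
        if is_ignored(host, networks):
            continue
        hits[host] += 1
    banned = sorted(host for host, count in hits.items() if count >= maxretry)
    return dict(hits), banned


def unmatched(lines, failregex, marker):
    """Lines that contain marker but that the failregex does not match.

    Useful for spotting log formats a filter silently misses.
    """
    pattern = compile_failregex(failregex)
    return [line for line in lines if marker in line and not pattern.search(line)]


if __name__ == "__main__":
    for name, log in (("dovecot", DOVECOT_LOG), ("asterisk", ASTERISK_LOG)):
        hits, banned = scan(log, FILTERS[name])
        print(name, hits, "ban:", banned)
    print("asterisk lines missed:", unmatched(ASTERISK_LOG, FILTERS["asterisk"], "failed for"))
```

Run it directly to print the per-host counts; the same check against a live log is done with fail2ban-regex, which ships with fail2ban, e.g. fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf.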

/etc/asterisk/logger.conf (fail2ban has to parse a timestamp from every line to apply findtime, so the Asterisk log is switched to an ISO 8601 date format that fail2ban's date parser recognises):

[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
dateformat=%F %T


Reference http://braindump.mrzesty.net/Main/Fail2ban
