fail2ban. Modified: 16 Aug 10, 11:50 by Ian Samuel (ian). Rev.: 17
+ fail2ban

I use fail2ban on public-facing services to watch their logs and temporarily block remote IPs that are brute-forcing usernames and passwords. It matches each jail's failregex against the log, counts failures per source address, and runs the jail's ban action once maxretry failures fall within findtime; bantime controls how long the block lasts.

<toc>

+ Debian Installation

<code>
aptitude install python-gamin fail2ban
</code>

*/etc/fail2ban/jail.local*. These defaults apply to every jail unless the jail overrides them. action = mail only sends a notification, so a jail that does not set its own banning action (shorewall or iptables-new in the jails below) reports attempts but never blocks them. backend = auto uses gamin, installed above, to watch the log files and falls back to polling without it:

<code>
[DEFAULT]
bantime = 1800
maxretry = 3
ignoreip = 127.0.0.1 10.1.0.0/16

action = mail

backend = auto
</code>

+ SSH

*/etc/fail2ban/jail.local*. The shorewall action drops all traffic from the banned address, not only port ssh, and the whois report is mailed for each ban:

<code>
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
action = shorewall[name=%(__name__)s]
         sendmail-whois[name=%(__name__)s]
</code>

+ Dovecot

*/etc/fail2ban/filter.d/dovecot.conf*. The regex keys on the checkpassword child exit line and does not look at the exit status, so every logged checkpassword exit from an address counts as a retry:

<code>
# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
# Mar 21 19:06:55 hostname dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
failregex = checkpassword\(.*,<HOST>\):

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
</code>

*/etc/fail2ban/jail.local*:

<code>
[pop3]
filter = dovecot
logpath = /var/log/mail.log
enabled = true
action = shorewall
         mail[name=%(__name__)s]
</code>

+ Asterisk

Based on http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

*/etc/fail2ban/filter.d/asterisk.conf* (the file the jail below selects with filter = asterisk):

<code>
# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
# [Apr 9 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
failregex = Registration from '.*' failed for '<HOST>'

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
</code>

*/etc/fail2ban/jail.local*:

<code>
[sip]
filter = asterisk
logpath = /var/log/asterisk/messages
enabled = true
port = sip
protocol = udp
action = iptables-new[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
         mail[name=%(__name__)s]
</code>

*/etc/asterisk/logger.conf*. fail2ban has to read a timestamp from every matched line to apply findtime and bantime, so Asterisk is told to write an unambiguous, year-qualified ISO 8601 timestamp instead of the default bracketed syslog style shown in the sample line above. Lines then start with [2010-08-16 11:49:02] and the regex above still matches, since it is searched for anywhere in the line rather than anchored to its start:

<code>
[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
dateformat=%F %T
</code>
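The two filters above and the jail.local policy, replayed over constructed log lines, as an added example that is not part of the original page or of fail2ban itself. It substitutes fail2ban 0.8's own expansion of the <HOST> tag into the page's failregex lines, applies the page's [DEFAULT] maxretry, bantime and ignoreip, and assumes a findtime of 600 seconds (fail2ban's default, which the page does not set), the year 2010 for syslog lines, and only the two timestamp formats the page's logs use; the sample log lines are made up.

```python
"""Added example (not from the page): replay constructed log lines through the
page's two custom failregexes and apply its jail.local policy the way fail2ban
does.  Assumed: findtime 600 s (fail2ban default) and year 2010 for syslog lines."""
import ipaddress
import re
from datetime import datetime, timedelta

# fail2ban 0.8's expansion of the <HOST> tag: an IP or hostname, optionally IPv4-mapped IPv6.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines exactly as in the page's filter.d/dovecot.conf and filter.d/asterisk.conf.
FILTERS = {
    "dovecot": r"checkpassword\(.*,<HOST>\):",
    "asterisk": r"Registration from '.*' failed for '<HOST>'",
}

# [DEFAULT] from the page's jail.local; FINDTIME is fail2ban's default, not set on the page.
BANTIME, MAXRETRY, FINDTIME = 1800, 3, 600
IGNOREIP = ["127.0.0.1", "10.1.0.0/16"]

# mail.log carries syslog times ("Mar 21 19:06:55"); Asterisk with dateformat=%F %T
# writes "[2010-08-16 11:49:02]".  Real fail2ban tries a longer list of date templates.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
ISO_TS = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(pattern):
    """Turn a filter.d failregex into a usable regex by substituting <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def parse_timestamp(line, year=2010):
    """Return the line's timestamp as a datetime, or None if neither format matches."""
    m = ISO_TS.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    m = SYSLOG_TS.match(line)
    if m:
        return datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return None


def is_ignored(host):
    """ignoreip check: exact addresses and CIDR networks are exempt from banning."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname captured by <HOST> cannot match an IP list
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in IGNOREIP)


def run_jail(filter_name, lines):
    """Return (host, time) for each ban the jail would issue: MAXRETRY failures from
    one host within FINDTIME.  Older failures drop out of the window and a host that
    is already banned accrues nothing more until BANTIME has elapsed."""
    rx = compile_failregex(FILTERS[filter_name])
    window, banned_until, bans = {}, {}, []
    for line in lines:
        m, ts = rx.search(line), parse_timestamp(line)
        if m is None or ts is None:
            continue  # not a failure, or a line whose date cannot be read
        host = m["host"]
        if is_ignored(host) or ts < banned_until.get(host, datetime.min):
            continue
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= MAXRETRY:
            bans.append((host, ts.strftime("%Y-%m-%d %H:%M:%S")))
            banned_until[host] = ts + timedelta(seconds=BANTIME)
            window[host] = []
    return bans


# Constructed sample lines (not real logs).  203.0.113.7: three failures in 14 s.
# 10.1.4.20: three failures but inside ignoreip.  198.51.100.9: failures 15 min apart.
MAIL_LOG = [
    "Mar 21 19:06:55 mx dovecot: auth(default): checkpassword(alice,203.0.113.7): Child 15191 exited with status 111",
    "Mar 21 19:07:01 mx dovecot: auth(default): checkpassword(alice,203.0.113.7): Child 15192 exited with status 111",
    "Mar 21 19:07:09 mx dovecot: auth(default): checkpassword(bob,203.0.113.7): Child 15193 exited with status 111",
    "Mar 21 19:08:00 mx dovecot: auth(default): checkpassword(carol,10.1.4.20): Child 15194 exited with status 111",
    "Mar 21 19:08:01 mx dovecot: auth(default): checkpassword(carol,10.1.4.20): Child 15195 exited with status 111",
    "Mar 21 19:08:02 mx dovecot: auth(default): checkpassword(carol,10.1.4.20): Child 15196 exited with status 111",
    "Mar 21 19:30:00 mx dovecot: auth(default): checkpassword(dave,198.51.100.9): Child 15197 exited with status 111",
    "Mar 21 19:45:00 mx dovecot: auth(default): checkpassword(dave,198.51.100.9): Child 15198 exited with status 111",
    "Mar 21 20:00:00 mx dovecot: auth(default): checkpassword(dave,198.51.100.9): Child 15199 exited with status 111",
]
# 192.0.2.55: banned on the third REGISTER, the fourth arrives while banned; the
# last line is a constructed INVITE rejection that the page's regex does not cover.
ASTERISK_LOG = [
    "[2010-08-16 11:49:02] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:100@pbx' failed for '192.0.2.55' - No matching peer found",
    "[2010-08-16 11:49:03] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:101@pbx' failed for '192.0.2.55' - No matching peer found",
    "[2010-08-16 11:49:04] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:102@pbx' failed for '192.0.2.55' - No matching peer found",
    "[2010-08-16 11:49:05] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:103@pbx' failed for '192.0.2.55' - No matching peer found",
    "[2010-08-16 11:49:06] NOTICE[816]: chan_sip.c:8765 handle_request_invite: Call from '' to extension '00123' rejected because extension not found",
]

if __name__ == "__main__":
    for jail, log in (("dovecot", MAIL_LOG), ("asterisk", ASTERISK_LOG)):
        print(jail, run_jail(jail, log))
```

Run it to see which addresses each jail would ban and which it lets through (the address inside ignoreip, and the slow attacker whose failures never add up within findtime). On the real host, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf performs the matching half of this against the live log and is the quickest way to confirm a new regex before enabling its jail.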

