Table of Contents

Fail2ban

I use fail2ban on services which are public facing to monitor logs and block remote IP's which are attempting to brute force attack for usernames and passwords.

<toc><ul><li><link topicref=“2”>Debian Installation</link></li><li><link topicref=“3”>SSH</link></li><li><link topicref=“4”>Dovecot</link></li><li><link topicref=“5”>Asterisk</link></li></ul></toc>

Debian Installation

aptitude install python-gamin fail2ban

<strong>/etc/fail2ban/jail.local</strong>:

[DEFAULT]
bantime  = 1800
maxretry = 3
ignoreip = 127.0.0.1 10.1.0.0/16

action = mail

backend = auto

SSH

<strong>/etc/fail2ban/jail.local</strong>:

[ssh]
enabled = true
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4
action = shorewall[name=%(__name__)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]

Dovecot

<strong>/etc/fail2ban/filter.d/dovecot.conf</strong>:

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# Mar 21 19:06:55 hostname dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
failregex = checkpassword\(.*,&lt;HOST&gt;\):

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

<strong>/etc/fail2ban/jail.local</strong>:

[dovecot]
enabled  = true
filter  = dovecot
logpath  = /var/log/mail.log
action = shorewall[name=%(__name__)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]

Asterisk

<uri strref=“http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk”/>

# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# [Apr  9 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
failregex = Registration from '.*' failed for '&lt;HOST&gt;'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

<strong>/etc/fail2ban/jail.local</strong>:

[sip]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
port = sip
protocol = udp
action = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]

<strong>/etc/asterisk/logger.conf</strong>:

[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
dateformat=%F %T