howtos:fail2ban
howtos:fail2ban [02/12/2018 21:34] (current) – created - external edit 127.0.0.1
====== fail2ban ======
Keeping up with the threats from the Internet is very difficult and time consuming. Therefore the right tools are essential to protect your system and keep the bogeyman out. The highest protection is offered by systems that are pro-active, protecting you from attacks you do not necessarily know anything about. The earlier you cut attackers off, before they can launch mayhem on you, the better your security becomes.
In almost any attack, probing is the first phase, and this is where we can be pro-active. In the log files I can very easily see a malicious user/bot probing for an attack vector, but when he/she/it launches the attack (e.g. on a 0-day vulnerability) I've lost big time, I simply wouldn'

I've found that this is where a simple tool like [[http://

**That said, it is of course still your responsibility to keep your system up to date and sensibly configured. Not all attacks need probing, and against those fail2ban will not help you.**

===== Install =====

Install fail2ban:
sudo apt-get install fail2ban

This will get the application on the system and you will find the configuration files in ///

You will find a file called //

The //

What you have to do is enable fail2ban only for the services that actually run on your system. There is no point in watching for an IMAP attack if that service is not running.

You can use //

You can configure default settings and override them under the section specified for each service. You may need a more aggressive or a looser threshold depending on your services and how they are used.

There are three actions on violations:
"
"
"

Which action you choose is configured in the parameter "

===== jail.local =====

<
[DEFAULT]

# "
ignoreip = 127.0.0.1 192.168.0.0/
bantime
maxretry = 3

mta = sendmail

# "
# options are "
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,
destemail = domingo

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s,

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s,
            %(mta)s-whois[name=%(__name__)s,

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s,
             %(mta)s-whois-lines[name=%(__name__)s,

# Choose default action.
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s


[ssh]

enabled = true
port = ssh
filter
logpath
maxretry = 4


[sshd-ddos]

enabled = true
port = ssh
filter
logpath
maxretry = 3


[apache]

enabled = true
port = http
filter
logpath = /
maxretry = 3


[apache-noscript]

enabled = true
port = http
filter
logpath = /
maxretry = 3

[apache-noscript-tdd]

enabled = true
port = http
filter
logpath = /
maxretry = 3


[pureftpd]

enabled = true
port = ftp
filter = pureftpd
logpath = /
maxretry = 3

</

===== apache-noscript-tdd.conf =====

<
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:
# Notes.:
#          host must be matched by a group named "
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::
# Values:
#
failregex = [[]client <

# Option:
# Notes.:
# Values:
#
ignoreregex = .*(robots.txt|favicon.ico)
</
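As an added illustration, not code from the original howto or from fail2ban itself, the script below models how a jail such as the [apache-noscript-tdd] section above applies a filter: the failregex with its <HOST> placeholder, the ignoreregex, the ignoreip whitelist and the maxretry threshold, evaluated over Apache error-log lines. The tail of the failregex, the findtime window, the /16 prefix and the log lines are constructed assumptions, since the page's own values are cut off; the <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's.

```python
import re
import ipaddress
from collections import defaultdict

# Jail settings modelled on the page's [apache-noscript-tdd] section; findtime and the
# /16 prefix are assumptions (the page's ignoreip prefix and bantime value are cut off).
JAIL = {"maxretry": 3, "findtime": 600, "ignoreip": ["127.0.0.1", "192.168.0.0/16"]}

# Assumed filter: the page's failregex is cut off after "[[]client <", so the tail
# below is a constructed Apache "File does not exist" pattern, not the page's own.
FAILREGEX = r"[[]client <HOST>[]] File does not exist: .*"
IGNOREREGEX = r".*(robots.txt|favicon.ico)"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified <HOST> stand-in, IPv4 only

def is_ignored_ip(ip, ignoreip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def find_bans(lines, jail, failregex, ignoreregex):
    # lines: (seconds, text). A host is banned at its maxretry-th match within findtime.
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex)
    failures, banned = defaultdict(list), []
    for ts, text in lines:
        if ignore.search(text):           # ignoreregex is checked before failregex
            continue
        m = fail.search(text)
        if not m or is_ignored_ip(m.group("host"), jail["ignoreip"]):
            continue
        host = m.group("host")
        window = [t for t in failures[host] if ts - t <= jail["findtime"]]  # prune old hits
        window.append(ts)
        failures[host] = window
        if len(window) >= jail["maxretry"] and host not in banned:
            banned.append(host)
    return banned

# Constructed Apache error-log lines (seconds, text) using documentation IP ranges.
SAMPLE = [
    (0, "[error] [client 203.0.113.7] File does not exist: /var/www/phpmyadmin"),
    (10, "[error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico"),
    (20, "[error] [client 203.0.113.7] File does not exist: /var/www/pma"),
    (30, "[error] [client 203.0.113.7] File does not exist: /var/www/admin.php"),
    (40, "[error] [client 192.168.1.5] File does not exist: /var/www/x"),
    (50, "[error] [client 192.168.1.5] File does not exist: /var/www/y"),
    (60, "[error] [client 192.168.1.5] File does not exist: /var/www/z"),
    (70, "[error] [client 198.51.100.9] File does not exist: /var/www/a"),
    (900, "[error] [client 198.51.100.9] File does not exist: /var/www/b"),
    (910, "[error] [client 198.51.100.9] File does not exist: /var/www/c"),
]
```

Running find_bans(SAMPLE, JAIL, FAILREGEX, IGNOREREGEX) bans only 203.0.113.7: its favicon.ico hit is discarded by the ignoreregex but three other probes remain, the 192.168.1.5 host is covered by ignoreip, and 198.51.100.9 never reaches three hits inside one findtime window.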
howtos/fail2ban.txt · Last modified: 02/12/2018 21:34 by 127.0.0.1