Fail2Ban
Description
Fail2Ban is a very good tool if you want to protect yourself from intruders and to get a clear picture of who is trying to access your infrastructure. According to the official description (https://www.fail2ban.org/wiki/index.php/Main_Page):
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Explanation
– Fail2ban lets you see, based on defined rules, who is unsuccessfully trying to access your SSH servers, by counting authentication failures per source address.
– Repeated failures from one address are a strong indication that someone is trying to brute-force your SSH servers. Fail2ban stops this by automatically banning the offending IP address for a predefined period of time.
– This post covers fail2ban for SSH. In our example we allow 10 authentication failures for SSH; after that the source IP is banned for 1 hour (3600 seconds). Note that the failures have to fall inside the jail's findtime window (600 seconds by default) to trigger the ban; a slow scanner that stays under that rate is not caught with the defaults. In the same way you can enable fail2ban for other services such as mysql, dovecot, apache or ftp.
– To activate fail2ban you define a corresponding jail. E-mail notification is added to it (ban, and send an e-mail with a whois report and the relevant log lines to the destemail).
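The counting and banning behaviour described above, replayed over constructed sshd log lines, as an added example (this is not code from the post or from fail2ban itself). maxretry and bantime are the values from the jail below; findtime is fail2ban's default of 600 seconds, assumed here because the post does not set it; the failregex is a simplified version of the pattern used by fail2ban's sshd filter; the host names, addresses and timestamps in the sample log are made up.

```python
"""Replay of a fail2ban-style jail over sshd log lines.

Added example, not code from fail2ban or from the original post. It models
the maxretry / findtime / bantime logic of the [ssh-iptables] jail in pure
Python so the counting behaviour can be seen without a live system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 10   # as set in the post's jail
BANTIME = 3600  # seconds, as set in the post's jail
FINDTIME = 600  # fail2ban's default; assumed here because the post does not set it

# Simplified failregex modelled on fail2ban's sshd filter (the real filter
# matches many more message variants). Captures the offending source address.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\S+) port \d+"
)
TS_FORMAT = "%b %d %H:%M:%S"
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (timestamp, host) for a failed-login line, or None if it does not match."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = datetime.strptime(line[:15], TS_FORMAT).replace(year=LOG_YEAR)
    return ts, m.group("host")


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Feed log lines through the jail; return [(host, banned_at, banned_until), ...].

    A host is banned when it accumulates maxretry failures inside a sliding
    findtime window. Failures arriving while the host is banned are ignored
    (the firewall rule would have dropped them); once the ban expires the
    count starts again from zero.
    """
    recent = defaultdict(deque)  # host -> timestamps of failures inside findtime
    banned_until = {}            # host -> when its current ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned_until:
            if ts < banned_until[host]:
                continue
            del banned_until[host]
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            window.clear()
    return bans


def _failure(ts, host, user="admin"):
    """Constructed /var/log/secure-style line (sample data, not a real capture)."""
    return (f"{ts.strftime(TS_FORMAT)} bastion sshd[2211]: Failed password for "
            f"invalid user {user} from {host} port 40022 ssh2")


T0 = datetime(LOG_YEAR, 3, 15, 10, 0, 0)
SAMPLE_LOG = sorted(
    # brute force: 10 failures in 90 s, then one more that the ban should swallow
    [_failure(T0 + timedelta(seconds=10 * i), "203.0.113.5") for i in range(11)]
    # a successful login must not count as a failure
    + [f"{(T0 + timedelta(seconds=100)).strftime(TS_FORMAT)} bastion sshd[2300]: "
       "Accepted publickey for ops from 198.51.100.7 port 51000 ssh2"]
    # a mistyped password three times: below maxretry, never banned
    + [_failure(T0 + timedelta(seconds=200 + 30 * i), "198.51.100.7", "ops") for i in range(3)]
    # slow scanner: 10 failures 15 min apart, never maxretry inside findtime
    + [_failure(T0 + timedelta(minutes=15 * i), "192.0.2.9") for i in range(10)],
    key=lambda line: line[:15],
)

if __name__ == "__main__":
    for host, start, end in run_jail(SAMPLE_LOG):
        print(f"ban {host} at {start:%H:%M:%S}, lifted at {end:%H:%M:%S}")
```

With the post's settings only 203.0.113.5 is banned (at 10:01:30, lifted at 11:01:30); the three typos from 198.51.100.7 stay below maxretry and the slow scanner never has ten failures inside findtime. Lowering maxretry or widening findtime changes that, which is the trade-off to keep in mind when tuning a jail: a tighter jail catches slow scanners but also locks out a forgetful administrator sooner.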
Implementation
It is assumed that you are running a RHEL/CentOS distribution.
On Debian-like systems use the distribution's equivalent package and service commands.
Installation
yum install fail2ban -y
chkconfig fail2ban on
On RHEL/CentOS the fail2ban package comes from the EPEL repository, which has to be enabled first. chkconfig is the SysV init tool; on systemd-based releases the service is enabled with systemctl instead.
Configuration
cd /etc/fail2ban
a) cat jail.local
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail[name=SSH, dest=<destination-address>, sender=<sender-address>, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 10
bantime  = 3600
Replace <destination-address> and <sender-address> with your own addresses. Because this jail sets its own action, it uses the plain mail action (ban plus a short notification). The action_mwl default defined in jail.conf below, which adds the whois report and the relevant log lines, only applies to jails that do not override action; to get those in the e-mail for this jail, set its action to %(action_mwl)s instead of listing iptables and mail explicitly.
b) cat jail.conf (snip)
### this is added for sending email notifications ###
destemail  = <destination-address>
sendername = fail2ban
mta        = sendmail
protocol   = tcp

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

### this is the default action: ban & send an e-mail with whois report and relevant log lines to the destemail ###
action = %(action_mwl)s
### email notification actions ###
The variable the actions interpolate is destemail (not destmail), so it has to be spelled exactly that way or the e-mail actions get an empty destination. The closing quote after each %(protocol)s is also required; a missing one makes fail2ban reject the jail configuration.
Email notifications
cat /etc/mail.rc
set smtp=your-smtp-server
set from=<sender-address>
Observations:
For this to work, your-smtp-server must accept relaying from your internal IPs or internal domain. If your SMTP server does not allow it, look up how to configure relaying for the Postfix or Sendmail MTA.
/etc/mail.rc is read by the mail (mailx) command, which is what the mail action in jail.local invokes. The sendmail-based actions selected by mta = sendmail hand the message to the local sendmail binary instead, so for those the relay has to be configured in the local MTA rather than in mail.rc.