
Blog About Dedicated Servers


Using fail2ban to ban abusive IP's for SSH and Apache

Luigi Ramone | 15 December, 2005 21:24

How to automatically ban abusive IPs using fail2ban

Originally written for Ensim 4.0; the same steps were needed again after the upgrade to 4.0.2, and I would assume they still apply until Python 2.3 is included [it may already be; corrections welcome].

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It does this by updating the firewall rules to reject the IP address.



http://fail2ban.sourceforge.net/

The RPM version can be obtained from here:

http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

Python 2.3 is required. For those of you / us who do not have it, you can snag an RPM for your system here:

http://www.python.org/2.3.5/rpms.html
I used the following version for Red Hat EL3.

python2.3-2.3.5-4pydotorg.i386.rpm

Python will also require db4. The following URL has satisfactory versions for different systems.

http://rpm.pbone.net/index.php3?sta...h=db4&srodzaj=3
I used the following version for Red Hat EL3.

db4-4.2.52-6.i386.rpm

The following steps are then performed as root.

1) cd /root; mkdir fail2ban

2) Do you have Python 2.3?
Run 'which python' (or 'python2.3 -V'), or, if you have tab completion enabled, type 'pyth' and hit tab two or three times; it should show up as 'python2.3'.

3) wget http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

4) rpm -i fail2ban-0.6.0-ljik.noarch.rpm

5) nano -w /etc/fail2ban.conf

6) Change the following item

----------------------------

[DEFAULT]
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
# Values: [true | false] Default: false
#
background = true

----------------------------

change :: background = true
# This is so we can start it as a service when the machine comes up

6a) You can also have email sent to you by changing

----------------------------

[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = true

----------------------------

change :: enabled = true
And then enter an email address below it. Most of the configuration is dead simple for a machine whose logging facilities you haven't changed.

You may also wish to add this to the end of the failregex:

|Did not receive identification

sshd logs "Did not receive identification string from <ip>" when a client connects and drops the connection without ever sending an SSH version string, which is what port scanners and banner grabbers do. Adding it means such a scanner is banned after maxretry connections even though it never tried a password. Anything of your own that probes port 22 the same way (an uptime monitor or health check, for example) would be banned too, so check for that before enabling it.

----------------------------

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user|Did not receive identification

----------------------------
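To make the failregex change concrete, here is an added example (not code from the original post or from the fail2ban project) that does in miniature what fail2ban does with the pattern above: it scans sshd log lines, keeps only those matching the failregex, pulls the client IP out of each, and bans the IP once it has produced maxretry matches inside a sliding window of findtime seconds. Run with the default and the extended failregex side by side, it shows that the "Did not receive identification" scanner is only caught by the extended pattern, and that a slow guesser who spaces attempts more than findtime apart is never caught at all. The log lines are constructed; maxretry=3, findtime=600 and the syslog line layout are assumptions here, not values or formats taken from fail2ban 0.6.

```python
"""Added example; not code from the original post or from the fail2ban
project.  Miniature of fail2ban's failregex scanning: match lines, extract
the client IP, ban after maxretry matches within findtime seconds.
maxretry=3, findtime=600 and the sample log layout are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# The default failregex quoted in the post, and the extended one with
# "Did not receive identification" appended.
DEFAULT_FAILREGEX = re.compile(r"Authentication failure|Failed password|Invalid user")
EXTENDED_FAILREGEX = re.compile(
    r"Authentication failure|Failed password|Invalid user|Did not receive identification"
)

# First dotted quad in the line; the guards stop "10.0.0.1" matching inside
# "210.0.0.1".  IPv4 only, like fail2ban of that era.
HOST_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# syslog timestamps carry no year; assume the year of the post.
LOG_YEAR = 2005

# Constructed sample, in time order, using documentation address ranges.
SAMPLE_LOG = [
    # slow guesser: three failures 20 minutes apart never fit in a 600 s window
    "Dec 15 20:00:00 srv sshd[1901]: Failed password for invalid user test from 203.0.113.9 port 1111 ssh2",
    "Dec 15 20:20:00 srv sshd[1902]: Failed password for invalid user test from 203.0.113.9 port 1112 ssh2",
    "Dec 15 20:40:00 srv sshd[1903]: Failed password for invalid user test from 203.0.113.9 port 1113 ssh2",
    # fast guesser: three failures in five seconds
    "Dec 15 21:24:01 srv sshd[2001]: Failed password for root from 192.0.2.10 port 4321 ssh2",
    "Dec 15 21:24:03 srv sshd[2001]: Failed password for root from 192.0.2.10 port 4321 ssh2",
    "Dec 15 21:24:05 srv sshd[2003]: Invalid user admin from 192.0.2.10",
    # scanner that connects and hangs up without speaking SSH: never a password
    "Dec 15 21:30:00 srv sshd[2010]: Did not receive identification string from 198.51.100.7",
    "Dec 15 21:30:02 srv sshd[2011]: Did not receive identification string from 198.51.100.7",
    "Dec 15 21:30:04 srv sshd[2012]: Did not receive identification string from 198.51.100.7",
    # legitimate login, must not count
    "Dec 15 21:40:00 srv sshd[2020]: Accepted publickey for deploy from 203.0.113.5 port 2222 ssh2",
]


def parse_failure(line, failregex):
    """Return (timestamp, ip) for a line that matches failregex, else None."""
    if not failregex.search(line):
        return None
    host = HOST_RE.search(line)
    if host is None:
        return None
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return stamp, host.group(1)


def scan(lines, failregex=DEFAULT_FAILREGEX, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for every IP that reached maxretry matching
    lines within findtime seconds.  Lines must be in chronological order,
    as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line, failregex)
        if parsed is None:
            continue
        stamp, ip = parsed
        if ip in banned:
            continue              # already blocked; later lines change nothing
        window = recent[ip]
        window.append(stamp)
        while window and (stamp - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = stamp
    return banned


if __name__ == "__main__":
    for name, rx in (("default", DEFAULT_FAILREGEX), ("extended", EXTENDED_FAILREGEX)):
        bans = scan(SAMPLE_LOG, rx)
        print(name, {ip: t.strftime("%H:%M:%S") for ip, t in bans.items()})
```

With the default pattern only 192.0.2.10 is banned; with the extended pattern 198.51.100.7 is banned as well, and 203.0.113.9 escapes both because its attempts are spread wider than findtime. Lowering maxretry or raising findtime is the trade-off against that kind of slow guessing, at the cost of banning more legitimate typos.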

7) Start the service

----------------------------

# service fail2ban start

----------------------------

8) Make sure it comes up with the system

----------------------------

# chkconfig --level 2345 fail2ban on

----------------------------

9) Test it from a spare IP (if you have one; if not, the ban is lifted after the time set in the conf file [600 seconds by default], so testing from your own address only locks you out for that long).

9a) Use screen to run 'tail -f /var/log/fail2ban.log'.
9b) Make bad logins from an untrusted IP to test the actual banning and the email output.
9c) If this fails, use the debug option in /etc/fail2ban.conf.

10) Enjoy not one, but two fewer headaches as apache / ssh scanners, spammers and crackers are locked out of your box. Without too much work you could add a script that dumps the logs and bans repeat offenders permanently, or roll some other solution for your own needs. Enjoy, and please post any corrections.
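As an added example of the repeat-offender script suggested above (not code from the original post or from fail2ban), the following reads fail2ban's own log, counts how many separate bans each IP has collected, and emits iptables DROP rules for any IP banned at least a threshold number of times, so those addresses stay blocked after fail2ban's temporary ban expires. The log lines are constructed; the only assumption about the real log format is that a ban is recorded as "Ban <ip>" and an unban as "Unban <ip>". The rules are returned as strings for review rather than executed.

```python
"""Added example; not code from the original post or from fail2ban.  Count
bans per IP in fail2ban's log and produce permanent iptables rules for
repeat offenders.  Log format assumed: bans logged as "Ban <ip>".
"""
import re

# \bBan does not match the "Ban" inside "Unban" (no word boundary between
# "n" and "B"), so unban lines are skipped without a second pattern.
BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of a fail2ban log (format assumed), in time order.
SAMPLE_FAIL2BAN_LOG = [
    "2005-12-15 21:24:05 fail2ban: INFO  ssh: Ban 192.0.2.10",
    "2005-12-15 21:30:04 fail2ban: INFO  ssh: Ban 198.51.100.7",
    "2005-12-15 21:34:05 fail2ban: INFO  ssh: Unban 192.0.2.10",
    "2005-12-15 21:40:04 fail2ban: INFO  ssh: Unban 198.51.100.7",
    "2005-12-15 22:01:10 fail2ban: INFO  ssh: Ban 192.0.2.10",
    "2005-12-15 22:11:10 fail2ban: INFO  ssh: Unban 192.0.2.10",
    "2005-12-15 23:15:33 fail2ban: INFO  ssh: Ban 192.0.2.10",
    "2005-12-15 23:25:33 fail2ban: INFO  ssh: Unban 192.0.2.10",
]


def count_bans(lines):
    """Return {ip: number of Ban events} seen in the log lines."""
    counts = {}
    for line in lines:
        m = BAN_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def permanent_ban_rules(lines, threshold=3, chain="INPUT"):
    """iptables commands for every IP banned at least `threshold` times,
    sorted so the output is stable between runs."""
    offenders = sorted(ip for ip, n in count_bans(lines).items() if n >= threshold)
    return ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in offenders]


if __name__ == "__main__":
    for rule in permanent_ban_rules(SAMPLE_FAIL2BAN_LOG):
        print(rule)
```

Run it from cron against /var/log/fail2ban.log and feed the printed rules to sh once you have looked at them; rules inserted this way are gone after a reboot unless you save them (iptables-save, or 'service iptables save' on Red Hat), and you will want a whitelist of your own addresses before automating it.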
