====== fail2ban ======

Keeping up with the threats from the Internet is very difficult and time consuming. Therefore the right tools are essential to protect your system and keep the bogeyman out. The highest protection is offered by systems that are pro-active, protecting you from attacks that you do not necessarily know anything about. The earlier you cut attackers off, before they can launch mayhem on you, the better your security becomes.

In almost any attack, probing is the first phase, and this is where we can be pro-active. In the log files I can very easily see a malicious user/bot probing for an attack vector, but when he/she/it launches the attack (e.g. on a 0-day vulnerability) I've lost big time: I simply wouldn't know whether my system has been compromised.

I've found that this is where a simple tool like [[http://www.fail2ban.org/wiki/index.php/Main_Page|fail2ban]] becomes handy. All it does is look through log files for attack patterns and, when the thresholds are reached, block the probing IP address with iptables (on Linux). This way I don't need to know anything about the specific security vulnerability, because the attacker is stopped before launching anything. fail2ban is a dynamic tool, which means that an IP address is only blocked for a short period of time, so when a legitimate user later tries to reach the resource he/she is allowed in.

**When this is said, it is of course still your responsibility to keep your system up to date and sensibly configured. Not all attacks need probing, and against those fail2ban will not help you.**

===== Install =====

Install fail2ban:

<code>
sudo apt-get install fail2ban
</code>

This will get the application on the system, and you will find the configuration files in ///etc/fail2ban//. There you will find a file called //jail.conf// and a directory called //filter.d//. //jail.conf// is sort of a combination of a template and default settings. What you need to do is take the parts you need and put them in a file called //jail.local//. This way you won't lose your configuration when upgrading fail2ban.

The //filter.d// directory contains the search filters (regular expressions) used to identify attack patterns in the log files. Out-of-the-box fail2ban contains pretty much what I need. I have however added one more (//apache-noscript-tdd//) to counter the generic probing which seems to be very common in my log files.

What you have to do is activate fail2ban only for the services you have on your system. There is no point in looking for an IMAP attack if that service is not running on your system. You can use //jail.conf// as a template and build a //jail.local// with what you need to look for. //jail.local// supersedes //jail.conf//: for settings present in both files, only the value in //jail.local// counts. You can configure default settings in the "[DEFAULT]" section and override them in the section for each service. You may need a more aggressive or a looser threshold depending on your services and how they are used.

There are three actions on violations:

  * "action_" = ban only
  * "action_mw" = ban & send an e-mail with a whois report to the destemail
  * "action_mwl" = ban & send an e-mail with a whois report and the relevant log lines

Which action you choose is configured in the parameter "action". "destemail" is the recipient of the alerts.

===== jail.local =====

<code>
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.0/24
bantime  = 600
maxretry = 3
mta = sendmail

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = domingo

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

[sshd-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

[apache]
enabled  = true
port     = http
filter   = apache-auth
logpath  = /var/log/apache*/*error_log
maxretry = 3

[apache-noscript]
enabled  = true
port     = http
filter   = apache-noscript
logpath  = /var/log/apache*/*error_log
maxretry = 3

[apache-noscript-tdd]
enabled  = true
port     = http
filter   = apache-noscript-tdd
logpath  = /var/log/apache*/*error_log
maxretry = 3

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/pure-ftpd/pure-ftpd.log
maxretry = 3
</code>

===== apache-noscript-tdd.conf =====

<code>
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat):

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = .*(robots.txt|favicon.ico)
</code>
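As an added check (not part of the original page or of fail2ban itself), the following Python script applies the apache-noscript-tdd //failregex// and //ignoreregex// to a few constructed Apache error-log lines the way fail2ban does: the ignore pattern is tried first, the host is taken from the named group "host", and each host's failures are counted against the jail's maxretry of 3.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this alias (see the filter header).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two patterns from apache-noscript-tdd.conf.
FAILREGEX = r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat):"
IGNOREREGEX = r".*(robots.txt|favicon.ico)"

# Constructed Apache error-log lines (not taken from a real server).
SAMPLE_LOG = """\
[Sun Mar 06 10:15:01 2011] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin
[Sun Mar 06 10:15:02 2011] [error] [client 203.0.113.5] File does not exist: /var/www/pma
[Sun Mar 06 10:15:03 2011] [error] [client 203.0.113.5] script not found or unable to stat: /usr/lib/cgi-bin/php
[Sun Mar 06 10:16:10 2011] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Sun Mar 06 10:16:11 2011] [error] [client 198.51.100.7] File does not exist: /var/www/robots.txt
[Sun Mar 06 10:17:30 2011] [error] [client 192.0.2.9] File does not exist: /var/www/old-page.html
[Sun Mar 06 10:18:00 2011] [notice] caught SIGTERM, shutting down
""".splitlines()

def compile_failregex(pattern):
    """Substitute the <HOST> alias and compile, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))

def scan(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX, maxretry=3):
    """Return (failures per host, sorted hosts that reached maxretry)."""
    # Like fail2ban: a line matching ignoreregex is skipped before failregex is tried.
    fail_re = compile_failregex(failregex)
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    counts = Counter()
    for line in lines:
        if ignore_re and ignore_re.search(line):
            continue
        match = fail_re.search(line)
        if match:
            counts[match.group("host")] += 1
    banned = sorted(host for host, n in counts.items() if n >= maxretry)
    return counts, banned

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print("%-15s %d failure(s)" % (host, n))
    print("would be banned:", ", ".join(banned) or "nobody")
```

Because the tdd pattern has no path suffix, every missing file counts, so ordinary broken links also add up toward maxretry and the ignoreregex is what keeps the most common harmless requests (robots.txt, favicon.ico) out. On the server itself the same check is done against the real log with fail2ban's own tool, e.g. fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-noscript-tdd.conf.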