Fail2ban on Ubuntu
My notes only, taken from various sources. There are other, much more complete guides to Fail2ban on Ubuntu available.
Install Fail2ban on Ubuntu
sudo apt-get install fail2ban
Filter definitions are located in /etc/fail2ban/filter.d
Action definitions are located in /etc/fail2ban/action.d
The following is a minimal setup.
Configure Fail2ban
sudo vi /etc/fail2ban/jail.conf
Configuration for jail.conf (Fail2ban also reads a jail.local next to it, so overrides can go there instead of editing jail.conf, which package upgrades may replace)
destemail = you@example.com # Email address alerts are sent to
ignoreip = 127.0.0.1 0.0.0.0 # Your own IPs, which must never be jailed
findtime = 3600 # add this line - timespan in seconds during which failures from one IP / attacker are counted
bantime = 604800 # jail time for an IP in seconds = 1 week
maxretry = 3
action = %(action_mw)s
Restart Fail2ban so the new settings take effect:
sudo service fail2ban restart
or
sudo /etc/init.d/fail2ban restart
Watch the auth log and the Fail2ban log together:
tail -f /var/log/auth.log -f /var/log/fail2ban.log
Add the following option to /etc/conf.d/fail2ban to prevent socket problems:
FAIL2BAN_OPTIONS="-x"
The -x option forces fail2ban to overwrite the old socket file.
sudo fail2ban-client <command>
Achtung! The documentation does not mention that all commands must be run as root (sudo); otherwise you get error messages with no answers.
Commands:
start - starts the server and the jails
reload - reloads the configuration
stop - stops all jails and terminates the server
status - gets the current status of the server
ping - tests if the server is alive
sudo fail2ban-client -i
Options:
-c <DIR> configuration directory
-s <FILE> socket path
-d dump configuration. For debugging
-i interactive mode
-v increase verbosity
-q decrease verbosity
-x force execution of the server (remove socket file)
-h, --help display this help message
-V, --version print the version
Full list of Fail2ban Commands
http://www.fail2ban.org/wiki/index.php/Commands
Fail2ban Tools
My compilation of commands from the most excellent The Art of Web (their Fail2ban articles).
List the current iptables rules (the chains Fail2ban creates show up here):
iptables -L
Test a filter against a log file
syntax
fail2ban-regex <LOG> <REGEX|FILTER> [IGNOREREGEX]
example
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
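To make the findtime / maxretry / ignoreip settings above and the fail2ban-regex test concrete, here is an added example (not code from Fail2ban itself, not from The Art of Web) that emulates both in plain Python: it expands the <HOST> tag of a failregex the way Fail2ban does, runs it over a constructed auth.log excerpt, and then applies the jail window logic to decide who would be banned. The log lines, the year, the cut-down sshd failregex and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed /var/log/auth.log excerpt for the example (not real traffic).
# 203.0.113.5 fails three times within seconds, 198.51.100.7 fails three times
# spread over three hours, and 127.0.0.1 fails three times but is in ignoreip.
SAMPLE_AUTH_LOG = """\
Mar  3 08:00:00 host sshd[1900]: Failed password for bob from 198.51.100.7 port 50010 ssh2
Mar  3 09:30:00 host sshd[1950]: Failed password for bob from 198.51.100.7 port 50012 ssh2
Mar  3 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:00:04 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:00:09 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 10:00:12 host sshd[2105]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  3 10:05:00 host sshd[2300]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 10:05:01 host sshd[2300]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 10:05:02 host sshd[2300]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 11:00:00 host sshd[2200]: Failed password for bob from 198.51.100.7 port 50014 ssh2
"""

# What Fail2ban substitutes for the <HOST> tag in a failregex (the classic definition).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: a cut-down version of the stock sshd failregex, applied (as Fail2ban
# does) to the part of the line that follows the syslog timestamp.
FAILREGEX = r"^\S+ sshd\[\d+\]: Failed (?:password|publickey) for .* from <HOST>(?: port \d+)?(?: ssh\d*)?$"

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line, year=2024):
    """Split a syslog line into (timestamp, remainder); syslog omits the year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rest")


def find_failures(log_text, failregex):
    """Roughly what fail2ban-regex reports: (timestamp, host) for every matching line."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rest = parsed
        m = rx.match(rest)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def decide_bans(hits, findtime=3600, maxretry=3, ignoreip=("127.0.0.1",)):
    """Apply the jail.conf semantics: a host is banned the moment it reaches maxretry
    matches inside the last findtime seconds, unless ignoreip covers it.
    Returns {host: time_of_ban}."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(hits):
        try:
            addr = ip_address(host)
        except ValueError:
            addr = None  # a hostname rather than an address; never matches ignoreip here
        if addr is not None and any(addr in net for net in ignored):
            continue
        if host in banned:
            continue
        # keep only the failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t < timedelta(seconds=findtime)]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    failures = find_failures(SAMPLE_AUTH_LOG, FAILREGEX)
    print(f"{len(failures)} lines matched the failregex")
    for host, when in decide_bans(failures).items():
        print(f"would ban {host} at {when:%H:%M:%S} (findtime=3600, maxretry=3)")
```

With the page's values (findtime 3600, maxretry 3) only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but never three times inside one hour, and 127.0.0.1 is protected by ignoreip. Raising findtime to four hours makes 198.51.100.7 bannable as well, which is the trade-off the findtime value encodes.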
Monitor Fail2ban
iptables -vnL --line-numbers
watch -d 'iptables -vnL --line-numbers'
fail2ban-client status ssh
Report Fail2ban
Bans per IP, fewest first:
awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
Bans per IP, including rotated (gzipped) logs:
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c
Bans per IP with reverse DNS (logresolve comes with apache2-utils):
awk '($(NF-1) == "Ban"){print $NF,"("$NF")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n
Bans per IP and jail (the field numbers assume the older log layout "fail2ban.actions: WARNING [jail] Ban IP"):
grep "Ban " /var/log/fail2ban.log | awk -F'[ :]' '{print $10,$8}' | sort | uniq -c | sort -n
Today's bans with reverse DNS:
grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d) | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
Bans per jail per day, including rotated logs:
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
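The awk one-liners above depend on field positions, which shift between Fail2ban log layouts. As an added example (not from the page's sources or from Fail2ban), the same reports done with one regex that accepts both the older "fail2ban.actions: WARNING [jail] Ban IP" layout and the newer one with a PID and level; the log excerpt is constructed, and the repeat-offender function is an assumption that feeds the permanent-ban section below.

```python
import re
from collections import Counter

# Constructed /var/log/fail2ban.log excerpt (not real data). The last line uses the
# newer layout with a PID and log level; the others use the older layout the awk
# one-liners above expect.
SAMPLE_FAIL2BAN_LOG = """\
2024-03-03 10:00:09,512 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2024-03-03 10:15:44,002 fail2ban.actions: WARNING [apache-auth] Ban 198.51.100.23
2024-03-03 12:00:10,777 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2024-03-04 01:02:03,100 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2024-03-04 01:05:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.77
2024-03-04 02:00:00,000 fail2ban.actions        [4242]: NOTICE  [postfix] Ban 192.0.2.77
"""

# "\] Ban " deliberately does not match "] Unban ", just like grep "Ban " above.
BAN_LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions\s*(?:\[\d+\])?:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(log_text):
    """Return (day, jail, ip) for every Ban line; Unban and unrelated lines are skipped."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        if m:
            bans.append((m.group("day"), m.group("jail"), m.group("ip")))
    return bans


def bans_per_ip(bans):
    """Equivalent of: awk '... {print $NF}' | sort | uniq -c"""
    return Counter(ip for _, _, ip in bans)


def bans_per_jail_per_day(bans):
    """Equivalent of: awk '{print $5,$1}' | sort | uniq -c"""
    return Counter((jail, day) for day, jail, _ in bans)


def bans_on(bans, day):
    """Equivalent of: grep "Ban " ... | grep $(date +%Y-%m-%d)"""
    return Counter(ip for d, _, ip in bans if d == day)


def repeat_offenders(bans, min_bans=2):
    """IPs banned min_bans times or more: the candidates for a permanent iptables
    rule rather than yet another temporary Fail2ban ban."""
    return sorted(ip for ip, n in bans_per_ip(bans).items() if n >= min_bans)


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_FAIL2BAN_LOG)
    for ip, n in bans_per_ip(bans).most_common():
        print(f"{n:4d} {ip}")
    for (jail, day), n in sorted(bans_per_jail_per_day(bans).items()):
        print(f"{n:4d} [{jail}] {day}")
    print("repeat offenders:", ", ".join(repeat_offenders(bans)))
```

Run it against the real file with parse_bans(open("/var/log/fail2ban.log").read()); for rotated logs, feed it the output of the zgrep commands above instead of opening the .gz files yourself.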
Ban using iptables
Permanently ban IPs outside Fail2ban with iptables (XXX.XXX.XXX.XXX/XX is a placeholder for the offending address or range)
iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX/XX --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX --dport http -j REJECT
iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX/XX --dport smtp -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX --dport ftp -j DROP
When you reboot, your iptables configuration disappears. To save it and load it again, use:
iptables-save
iptables-restore
Save your iptables settings to a file:
sudo sh -c "iptables-save > /etc/iptables.rules"
iptables Tutorial
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html