
Security: fail2ban

Fail2ban is a very useful tool if you manage the security of a server, whether a VPS or a physical machine. It scans the log files on the system and bans IP addresses that look malicious according to configurable rules. It can watch the logs of various services such as Apache and SSH and block the IPs that are trying to break into the system.

Step 1: Install EPEL RPM Repository

CentOS/RHEL 6 (64-bit, x86_64):

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Fail2ban is packaged in the EPEL repository, so make sure EPEL is enabled on your system; the command above installs it on CentOS/RHEL 6.
Step 2: Install Fail2ban Package

After enabling the repository, use the yum package manager to install the Fail2ban package:

# yum install fail2ban

Step 3: Setup Fail2ban Default Configuration

Fail2ban ships its jail configuration in /etc/fail2ban/jail.conf. That file is overwritten on package upgrades, so do not edit it directly; copy it to jail.local, which Fail2ban reads after jail.conf and whose settings override it.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now make the necessary changes in jail.local to define the ban rules. Open it in your favourite editor and adjust the [DEFAULT] section:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban never bans
# these addresses, so add your own IP here to avoid locking yourself out.
ignoreip = 127.0.0.1/8 192.168.1.0/24 11.22.33.44

# "bantime" is the total number of seconds that a host is banned (3600 sec = 1 hour).
bantime  = 3600

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds; with the settings below that window is 2 minutes.
findtime  = 120

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

Step 4: Protect SSH/SFTP

After completing the default configuration, scroll further down in jail.local to the [ssh-iptables] section and update it as below. (That is the jail name in the fail2ban 0.8 jail.conf shipped for CentOS/RHEL 6; fail2ban 0.9 and later name the stock SSH jail [sshd], so edit that section there instead.)

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3

Step 5: Protect FTP (vsFTPd) Server

Let's protect the FTP (vsFTPd) server. Find the [vsftpd-iptables] section and change it as below. The second line of action is a continuation of the same value and must be indented, otherwise Fail2ban's parser reads it as a new key. If you are not running vsFTPd, skip this section.

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Step 6: Restart Fail2ban Service

After making all the changes, save the file, restart the Fail2ban service and enable it at boot:

# service fail2ban restart
# chkconfig fail2ban on

On CentOS/RHEL 7 (systemd) the equivalent commands are systemctl restart fail2ban and systemctl enable fail2ban.

Step 7: Protect WordPress

Install the WP fail2ban plugin in WordPress. On CentOS 7 it logs authentication failures through syslog to /var/log/messages, for example:
/var/log/messages:Dec 4 03:04:12 one wordpress(site.com)[5728]: Authentication failure for from 194.187.249.59
/var/log/messages:Dec 4 03:14:11 one wordpress(site.com)[1875]: Authentication failure for from 93.115.7.70

Edit jail.local and add the two jails below. The filter definitions wordpress-hard.conf and wordpress-soft.conf ship with the plugin (in its filters.d directory) and must be copied into /etc/fail2ban/filter.d/ before these jails will start. The hard filter matches events that are never legitimate (such as blocked usernames or user enumeration), so a single hit is enough to ban; the soft filter matches ordinary authentication failures like the lines above, so it allows three attempts.

# WordPress

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 1
port = http,https

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 3
port = http,https
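To make the [DEFAULT] parameters of Step 3 concrete (maxretry failures inside a findtime window, a ban that lasts bantime seconds, and ignoreip exemptions), here is a small stand-alone re-implementation of that counting logic run over WordPress log lines in the format shown in Step 7. This is an added example, not code from the page, from Fail2ban or from the WP fail2ban plugin. The failure regexes, the log year (syslog timestamps carry none), and all sample lines except the two quoted in Step 7 are assumptions made for the example; the ignoreip check handles addresses and CIDR ranges only, not DNS hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values taken from the [DEFAULT] section of jail.local in Step 3.
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24", "11.22.33.44"]
BANTIME = 3600     # seconds a host stays banned
FINDTIME = 120     # window (seconds) in which MAXRETRY failures trigger a ban
MAXRETRY = 3

LOG_YEAR = 2018    # assumption: syslog timestamps carry no year, so one is fixed here

# Syslog line, optionally prefixed with "<file>:" as grep prints it on the page.
LINE_RE = re.compile(
    r"^(?:/[^\s:]*:)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Failure regexes (assumed for this example): the WordPress one matches the WP fail2ban
# plugin line shown in Step 7; the sshd one matches OpenSSH's "Failed password" line.
FAILREGEX = {
    "wordpress": re.compile(
        r"wordpress\([^)]*\)\[\d+\]: Authentication failure for .*from (?P<ip>\S+)$"),
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port \d+"),
}


def in_ignoreip(ip):
    """True if ip is covered by an ignoreip entry (addresses and CIDR only; no DNS)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in IGNOREIP)


class Jail:
    """A jail: failures per IP inside a sliding findtime window, bans that expire."""

    def __init__(self, name, failregex, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.name, self.failregex = name, failregex
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time at which the ban expires

    def feed(self, line):
        """Apply one log line; return (verdict, ip), or None if the line is not a failure."""
        m = LINE_RE.match(line)
        hit = m and self.failregex.search(m.group("msg"))
        if not hit:
            return None
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = hit.group("ip")
        if in_ignoreip(ip):
            return ("Ignore", ip)
        if ip in self.banned and ts >= self.banned[ip]:
            del self.banned[ip]              # bantime elapsed: the host is unbanned
        if ip in self.banned:
            return ("already banned", ip)
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ("Ban", ip)
        return ("Found", ip)

    def run(self, lines):
        return [r for r in map(self.feed, lines) if r]


# Constructed sample: the first two lines are the ones quoted in Step 7; the rest are
# made up to exercise the window, the ban, ignoreip, a non-failure line and ban expiry.
WORDPRESS_LOG = [
    "/var/log/messages:Dec 4 03:04:12 one wordpress(site.com)[5728]: Authentication failure for from 194.187.249.59",
    "/var/log/messages:Dec 4 03:14:11 one wordpress(site.com)[1875]: Authentication failure for from 93.115.7.70",
    "Dec  4 03:14:40 one wordpress(site.com)[1875]: Authentication failure for admin from 93.115.7.70",
    "Dec  4 03:15:05 one wordpress(site.com)[1875]: Authentication failure for admin from 93.115.7.70",
    "Dec  4 03:15:30 one wordpress(site.com)[1875]: Authentication failure for admin from 93.115.7.70",
    "Dec  4 03:20:00 one wordpress(site.com)[2001]: Authentication failure for admin from 192.168.1.5",
    "Dec  4 03:30:00 one wordpress(site.com)[2002]: Authentication failure for admin from 194.187.249.59",
    "Dec  4 03:30:01 one sshd[2003]: Accepted publickey for deploy from 10.0.0.9 port 51000 ssh2",
    "Dec  4 04:16:00 one wordpress(site.com)[2010]: Authentication failure for admin from 93.115.7.70",
]

if __name__ == "__main__":
    for verdict, ip in Jail("wordpress-soft", FAILREGEX["wordpress"]).run(WORDPRESS_LOG):
        print(f"[wordpress-soft] {verdict} {ip}")
```

Running it as the soft jail, 93.115.7.70 is banned on its third failure inside two minutes and its next attempt is reported as already banned, 192.168.1.5 is ignored, 194.187.249.59 is never banned because its failures are more than findtime apart, and the 04:16 attempt is a fresh Found because the one-hour ban has expired. Constructing the same jail with maxretry=1 reproduces the wordpress-hard behaviour, where the first hit is enough.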

Monitoring:

A banned host shows up as a REJECT rule in Fail2ban's iptables chains, so grepping for the reject target lists the current bans. Add -n to iptables to skip the reverse DNS lookups that turned the first banned address below into a hostname. fail2ban-client status <jail> (for example fail2ban-client status sshd) shows the same information per jail.

# iptables -L | grep unreachable
REJECT     all  --  219.111-30-62.static.virginmediabusiness.co.uk  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  219.111-30-62.static.virginmediabusiness.co.uk  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.1.144         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  203.160.174.214      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  175.6.5.52           anywhere             reject-with icmp-port-unreachable

# tail /var/log/fail2ban.log
2018-12-04 05:42:59,787 fail2ban.jail           [20403]: INFO    Jail 'postfix-sasl' started
2018-12-04 05:42:59,792 fail2ban.jail           [20403]: INFO    Jail 'wordpress-hard' started
2018-12-04 05:42:59,799 fail2ban.jail           [20403]: INFO    Jail 'wordpress-soft' started
2018-12-04 05:43:01,282 fail2ban.actions        [20403]: NOTICE  [dovecot] Ban 62.30.111.219
2018-12-04 05:43:01,408 fail2ban.actions        [20403]: NOTICE  [postfix-sasl] Ban 62.30.111.219
2018-12-04 05:43:01,664 fail2ban.actions        [20403]: NOTICE  [sshd] Ban 203.160.174.214
2018-12-04 05:43:02,332 fail2ban.actions        [20403]: NOTICE  [sshd] Ban 218.92.1.144
2018-12-04 05:43:02,570 fail2ban.actions        [20403]: NOTICE  [sshd] 175.6.5.52 already banned
2018-12-04 05:43:38,287 fail2ban.filter         [20403]: INFO    [dovecot] Found 185.234.219.254
2018-12-04 05:43:42,130 fail2ban.filter         [20403]: INFO    [postfix-sasl] Found 185.234.219.254
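The fail2ban.log excerpt above is the easiest place to correlate bans across jails (62.30.111.219 was banned by both dovecot and postfix-sasl, which is why it appears twice in the iptables listing, resolved to a hostname). As an added example, not code from the page or from Fail2ban, the parser below reads lines in exactly that log format, skips the jail start/stop lines, and reports bans per jail and the jails each address was banned in. The sample is the excerpt above copied verbatim; the regex is this example's own reading of that format and is an assumption.

```python
import re
from collections import Counter, defaultdict

# One fail2ban.log line in the format shown above:
#   "<date> <time>,<ms> <module> [<pid>]: <LEVEL>  [<jail>] <event> <ip>"
#   "<date> <time>,<ms> <module> [<pid>]: <LEVEL>  [<jail>] <ip> already banned"
# Lines such as "Jail 'sshd' started" carry no jail in brackets and do not match.
FAIL2BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (?P<module>\S+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] "
    r"(?:(?P<event>Ban|Unban|Found|Restore Ban) (?P<ip>\S+)|(?P<ip2>\S+) already banned)$"
)


def parse_fail2ban_log(lines):
    """Yield (jail, event, ip) for every ban/found line; skip everything else."""
    for line in lines:
        m = FAIL2BAN_RE.match(line)
        if not m:
            continue
        if m.group("ip2"):
            yield m.group("jail"), "already banned", m.group("ip2")
        else:
            yield m.group("jail"), m.group("event"), m.group("ip")


def summarize(lines):
    """Return (bans per jail, {ip: sorted list of jails that banned it})."""
    bans_per_jail = Counter()
    jails_per_ip = defaultdict(set)
    for jail, event, ip in parse_fail2ban_log(lines):
        if event == "Ban":
            bans_per_jail[jail] += 1
            jails_per_ip[ip].add(jail)
    return bans_per_jail, {ip: sorted(jails) for ip, jails in jails_per_ip.items()}


# Copied from the fail2ban.log excerpt above.
SAMPLE_LOG = [
    "2018-12-04 05:42:59,787 fail2ban.jail           [20403]: INFO    Jail 'postfix-sasl' started",
    "2018-12-04 05:42:59,792 fail2ban.jail           [20403]: INFO    Jail 'wordpress-hard' started",
    "2018-12-04 05:42:59,799 fail2ban.jail           [20403]: INFO    Jail 'wordpress-soft' started",
    "2018-12-04 05:43:01,282 fail2ban.actions        [20403]: NOTICE  [dovecot] Ban 62.30.111.219",
    "2018-12-04 05:43:01,408 fail2ban.actions        [20403]: NOTICE  [postfix-sasl] Ban 62.30.111.219",
    "2018-12-04 05:43:01,664 fail2ban.actions        [20403]: NOTICE  [sshd] Ban 203.160.174.214",
    "2018-12-04 05:43:02,332 fail2ban.actions        [20403]: NOTICE  [sshd] Ban 218.92.1.144",
    "2018-12-04 05:43:02,570 fail2ban.actions        [20403]: NOTICE  [sshd] 175.6.5.52 already banned",
    "2018-12-04 05:43:38,287 fail2ban.filter         [20403]: INFO    [dovecot] Found 185.234.219.254",
    "2018-12-04 05:43:42,130 fail2ban.filter         [20403]: INFO    [postfix-sasl] Found 185.234.219.254",
]

if __name__ == "__main__":
    bans, jails = summarize(SAMPLE_LOG)
    for jail, n in bans.most_common():
        print(f"{jail}: {n} ban(s)")
    for ip, names in jails.items():
        if len(names) > 1:
            print(f"{ip} banned in several jails: {', '.join(names)}")
```

On the excerpt this reports two bans for sshd and one each for dovecot and postfix-sasl, and flags 62.30.111.219 as banned in two jails; 185.234.219.254 was only Found, not yet banned, so it does not appear in the ban summary.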