Fail2ban

From CVL Wiki

Latest revision as of 10:40, 7 February 2015


==Fail2ban==

We use the package fail2ban on all of our Linux machines to help prevent SSH password brute-forcing. Fail2ban blocks an IP address after a certain number (usually 10) of failed login attempts.

==Removing Fail2ban Block==

If your address has been accidentally blocked on a server, and you are able to log in to and control the server (usually from a different computer), you can remove your banned IP address from iptables.

To unban an IP address manually, it is necessary to know the chain name and the rule number. The following command can be used to acquire this information:

Code:

iptables -L -n --line-numbers

The relevant bits are at the end of the output. Here is an example chain with attendant rules:

Code:

Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       anywhere
2    DROP       all  --  1.234.20.21          anywhere
3    DROP       all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN     all  --  anywhere             anywhere

In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules).

To unban an IP address, you would run the following command:

Code:

iptables -D [chain-name] [line-number]

To unban the IP address 1.234.20.21 (see above), the command would be:

Code:

iptables -D fail2ban-SSH 2

Reference: http://www.howtoforge.com/forums/showthread.php?t=51366&page=2
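As an added example (not part of the wiki page), a small POSIX shell helper that automates the lookup above: it parses the `iptables -L <chain> -n --line-numbers` listing for the DROP rule whose source is exactly the IP you want to unban and prints the matching `iptables -D` command instead of running it. The listing embedded below is constructed to mirror the example chain above (with `-n` output, so destinations read 0.0.0.0/0); the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the CVL wiki page): find the rule number fail2ban
# created for a given IP so the rule can be removed with
# "iptables -D <chain> <num>". Input is the output of
# "iptables -L <chain> -n --line-numbers".

# Constructed sample listing, shaped like the page's fail2ban-SSH chain.
SAMPLE_LISTING='Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       0.0.0.0/0
2    DROP       all  --  1.234.20.21          0.0.0.0/0
3    DROP       all  --  192.0.2.77           0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# rule_number_for_ip LISTING IP
# Prints the line number of the DROP rule whose source column equals IP
# exactly (no prefix matching, so 1.234.20.2 never matches 1.234.20.21).
# Exits 1 if the IP is not banned in this chain.
rule_number_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == "DROP" && $5 == ip { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# unban_command CHAIN LISTING IP
# Prints the exact iptables command to run; printing rather than executing
# lets an operator review it before touching the firewall.
unban_command() {
    num=$(rule_number_for_ip "$2" "$3") || return 1
    printf 'iptables -D %s %s\n' "$1" "$num"
}

# Live use (as root):
#   unban_command fail2ban-SSH "$(iptables -L fail2ban-SSH -n --line-numbers)" 1.234.20.21
unban_command fail2ban-SSH "$SAMPLE_LISTING" 1.234.20.21
```

Rule numbers shift after every deletion, so re-run the listing before removing a second address rather than reusing numbers from an earlier run.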

==Installing Fail2ban==

===OS X===

This is an advanced setup, and requires using the terminal to install and modify files.

  1. Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads
  2. Unpack by double-clicking or from the command line:
     $ tar xvfj fail2ban-0.8.14.tar.bz2
  3. Go into the folder and run the following commands to install Fail2ban:
     $ cd fail2ban-0.8.14
     $ sudo python setup.py install
  4. Copy the init script to the LaunchDaemons directory:
     $ sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
  5. Open org.fail2ban.plist and delete the first two lines, so that the first line starts with <?xml ...:
     $ sudo nano /Library/LaunchDaemons/org.fail2ban.plist
  6. Make a log file and give it the proper permissions:
     $ sudo touch /var/log/fail2ban.log
     $ sudo chgrp admin /var/log/fail2ban.log
  7. Add these two lines to /etc/pf.conf:
     table <fail2ban> persist
     block drop log quick from <fail2ban> to any
  8. Create the /etc/fail2ban/jail.local file. A working jail.local file can be downloaded here ###needs url###
  9. Shut down pf, reload the configuration and restart it:
     $ sudo pfctl -d
     $ sudo pfctl -f /etc/pf.conf
     $ sudo pfctl -e
  10. Edit the following lines in /etc/sshd_config:
     useDNS no
     PermitRootLogin no
  11. Start the fail2ban client:
     $ sudo /usr/local/bin/fail2ban-client start
  12. Check your fail2ban log file in Console.app, or look at the pf fail2ban table to see whether any addresses are blocked:
     $ sudo pfctl -t fail2ban -T show


===Optional Installs===
  1. Install IceFloor
  2. Install Xcode and MacPorts: https://guide.macports.org/chunked/installing.html

Add the line below to /opt/local/etc/fail2ban/filters.d/ssh.conf:

^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$