Fail2ban

From CVL Wiki

(Difference between revisions)
Jump to: navigation, search
(Installing Fail2ban)
(OS X)
Line 44: Line 44:
 
This is an advanced setup, and requires using the terminal to install and modify files.  
 
This is an advanced setup, and requires using the terminal to install and modify files.  
  
# Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads
+
<ol>
# Unpack by double clicking or command line
+
<li> Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads</li>
 +
<li> Unpack by double clicking or command line</li>
 
  tar xvfj fail2ban-0.8.14.tar.bz2
 
  tar xvfj fail2ban-0.8.14.tar.bz2
# Go into the folder and run the following command to install Fail2ban
+
<li>Go into the folder and run the following command to install Fail2ban</li>
 
  cd fail2ban-0.8.14
 
  cd fail2ban-0.8.14
 
  sudo python setup.py install
 
  sudo python setup.py install
# Copy the init scipt to the launchdaemon directory
+
<li>Copy the init scipt to the launchdaemon directory</li>
 
  sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
 
  sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
# Open the org.fail2ban.plist and delete the first two lines, such that the first line starts with ''<?xml ...''
+
<li>Open the org.fail2ban.plist and delete the first two lines, such that the first line starts with ''<?xml ...''</li>
 
  sudo nano /Library/LaunchDaemons/org.fail2ban.plist
 
  sudo nano /Library/LaunchDaemons/org.fail2ban.plist
# Make a log file and give it proper permissions
+
<li>Make a log file and give it proper permissions</li>
 
  sudo touch /var/log/fail2ban.log
 
  sudo touch /var/log/fail2ban.log
 
  sudo chgrp admin /var/log/fail2ban.log
 
  sudo chgrp admin /var/log/fail2ban.log
# Add these two lines to /etc/pf.conf
+
<li>Add these two lines to /etc/pf.conf</li>
 
  table <fail2ban> persist
 
  table <fail2ban> persist
 
  block drop log quick from <fail2ban> to any
 
  block drop log quick from <fail2ban> to any
#
+
<li></li>
 
+
<li></li>
 +
<li></li>
 +
<li></li>
 +
<li></li>
 +
</ol>
  
  

Revision as of 16:04, 9 January 2015

Contents

Fail2ban

We use the package fail2ban on all of our linux machines to help prevent ssh password brute-forcing. This package will block an IP address after a certain number (usually 10) of failed attempts.

Removing Fail2ban Block

If your address has been accidentally blocked on a server, and you are able to log in and control the server (usually via a different computer) you can remove your banned IP address from iptables.

To unban an IP address manually, it is necessary to know the chain name and the rule number. The following command can be used to acquire this information:

Code:

iptables -L -n --line-numbers

The relevant bits are at the end of the output. Here is an example chain with attendant rules:

Code:

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       anywhere
2    DROP       all  --  1.234.20.21          anywhere
3    DROP       all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN     all  --  anywhere             anywhere

In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules).

To unban an IP address, you would run the following command:

Code:

iptables -D [chain-name] [line-number]

To unban the IP address 1.234.20.21 (see above), the command would be:

Code:

iptables -D fail2ban-ssh 2

Reference: http://www.howtoforge.com/forums/showthread.php?t=51366&page=2


Installing Fail2ban

OS X

This is an advanced setup, and requires using the terminal to install and modify files.

  1. Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads
  2. Unpack by double clicking or command line
  3. tar xvfj fail2ban-0.8.14.tar.bz2
    
  4. Go into the folder and run the following command to install Fail2ban
  5. cd fail2ban-0.8.14
    sudo python setup.py install
    
  6. Copy the init scipt to the launchdaemon directory
  7. sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
    
  8. Open the org.fail2ban.plist and delete the first two lines, such that the first line starts with <?xml ...
  9. sudo nano /Library/LaunchDaemons/org.fail2ban.plist
    
  10. Make a log file and give it proper permissions
  11. sudo touch /var/log/fail2ban.log
    sudo chgrp admin /var/log/fail2ban.log
    
  12. Add these two lines to /etc/pf.conf
  13. table <fail2ban> persist
    block drop log quick from <fail2ban> to any
    


Optional Installs
  1. Install IceFloor
  2. Install Xcode and MacPorts: https://guide.macports.org/chunked/installing.html


add the below line to /opt/local/etc/fail2ban/filters.d/ssh.conf

^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$
Views
Personal tools
Support