Fail2ban

From CVL Wiki

(Difference between revisions)
Jump to: navigation, search
Line 35: Line 35:
 
Reference:  
 
Reference:  
 
http://www.howtoforge.com/forums/showthread.php?t=51366&page=2
 
http://www.howtoforge.com/forums/showthread.php?t=51366&page=2
 +
 +
 +
==Setup Fail2ban==
 +
 +
===OS X===
 +
 +
add the below line to /opt/local/etc/fail2ban/filters.d/ssh.conf
 +
^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$

Revision as of 13:29, 4 December 2014

Fail2ban

We use the package fail2ban on all of our linux machines to help prevent ssh password brute-forcing. This package will block an IP address after a certain number (usually 10) of failed attempts.

If your address has been accidentally blocked on a server, and you are able to log in and control the server (usually via a different computer) you can remove your banned IP address from iptables.

To unban an IP address manually, it is necessary to know the chain name and the rule number. The following command can be used to acquire this information:

Code:

iptables -L -n --line-numbers

The relevant bits are at the end of the output. Here is an example chain with attendant rules:

Code:

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       anywhere
2    DROP       all  --  1.234.20.21          anywhere
3    DROP       all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN     all  --  anywhere             anywhere

In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules).

To unban an IP address, you would run the following command:

Code:

iptables -D [chain-name] [line-number]

To unban the IP address 1.234.20.21, the command would be:

Code:

iptables -D fail2ban-ssh 2


Reference: http://www.howtoforge.com/forums/showthread.php?t=51366&page=2


Setup Fail2ban

OS X

add the below line to /opt/local/etc/fail2ban/filters.d/ssh.conf

^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$
Views
Personal tools
Support