Difference between revisions of "Fail2ban"
(Created page with "<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb> =fail2ban= fail2ban is a useful tool for blocking bruteforce attacks. Compared to other tools such as deny...") |
m |
||
| Line 5: | Line 5: | ||
Steps for installing fail2ban are: | Steps for installing fail2ban are: | ||
#Setup epel repository | #Setup epel repository (yum -y install epel-release) | ||
#yum -y install fail2ban | #yum -y install fail2ban | ||
#service fail2ban start | #service fail2ban start | ||
| Line 37: | Line 37: | ||
service: name=fail2ban state=started enabled=yes | service: name=fail2ban state=started enabled=yes | ||
</pre> | </pre> | ||
==Configuring fail2ban== | |||
To configure fail2ban according to our needs use following steps: | |||
#Install fail2ban as described above | |||
#Create a local configuration file to override defaults using '<tt>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</tt>' | |||
#Edit jail.local as follows: | |||
##Configure ignoreip, bantime, findtime and maxretry values | |||
##Enable protection of appropriate services by setting '<tt>enabled=true</tt>' for respective service | |||
#Optionally look at mail related configuration at '<tt>/etc/fail2ban/action.d/sendmail-whois.conf</tt>' | |||
#Restart fail2ban for changes to take effect | |||
#Look at iptables-save output to see current filter rules added by fail2ban | |||
<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb> | <yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb> | ||
Revision as of 23:29, 17 April 2015
<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb>
fail2ban
fail2ban is a useful tool for blocking bruteforce attacks. Compared to other tools such as denyhosts it is more generic. Various regular expressions are mentioned in /etc/fail2ban/filter.d/conf files. Then in /etc/fail2ban/jail.conf appropriate log file name and iptables (tcp/udp) ports are mentioned to be blocked based on failed attempts to given service. Multiple defaults for squid, apache, mail, etc. are already present and only need to be enabled.
Steps for installing fail2ban are:
- Setup epel repository (yum -y install epel-release)
- yum -y install fail2ban
- service fail2ban start
- chkconfig fail2ban on
Automated fail2ban installation
Automated fail2ban installation via ansible can be achieved using:
vars:
epel_download_url: http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
epel_download_path: /root/epel-release-6-8.noarch.rpm
tasks:
#Setup epel for downloading fail2ban
- name: Download epel RPM
get_url: url="{{ epel_download_url }}" dest="{{epel_download_path}}" timeout=5
environment: proxy_env
- name: Install epel RPM
yum: name="{{epel_download_path}}" state=present
environment: proxy_env
#Install fail2ban and enable it on startup
- name: Install fail2ban
yum: name=fail2ban state=present
- name: Start and enable fail2ban service
service: name=fail2ban state=started enabled=yes
Configuring fail2ban
To configure fail2ban according to our needs use following steps:
- Install fail2ban as described above
- Create a local configuration file to override defaults using 'cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local'
- Edit jail.local as follows:
- Configure ignoreip, bantime, findtime and maxretry values
- Enable protection of appropriate services by setting 'enabled=true' for respective service
- Optionally look at mail related configuration at '/etc/fail2ban/action.d/sendmail-whois.conf'
- Restart fail2ban for changes to take effect
- Look at iptables-save output to see current filter rules added by fail2ban
<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb>
