Fail2ban

From Notes_Wiki
Revision as of 14:51, 2 April 2016 by Saurabh


fail2ban

fail2ban is a useful tool for blocking brute-force attacks. Compared to other tools such as DenyHosts it is more generic: the regular expressions that recognise failed attempts in log lines are defined in the filter files under /etc/fail2ban/filter.d/*.conf, and /etc/fail2ban/jail.conf then ties each filter to a log file and to the iptables (tcp/udp) ports that should be blocked once a source exceeds the allowed number of failed attempts against the given service. Default jails for squid, apache, mail, etc. are already present and only need to be enabled.

Steps for installing fail2ban are:

  1. Set up the EPEL repository (yum -y install epel-release)
  2. yum -y install fail2ban
  3. service fail2ban start
  4. chkconfig fail2ban on

For CentOS 7 refer to http://unix.stackexchange.com/questions/171567/installing-fail2ban-on-centos-7 which also covers configuring fail2ban with SELinux enabled. The following links also have useful information:


Automated fail2ban installation

Automated fail2ban installation via Ansible can be achieved with a playbook such as the following:

- hosts: all
  become: yes
  vars:
    epel_download_url: http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    epel_download_path: /root/epel-release-6-8.noarch.rpm
    # proxy_env was referenced but not defined in the original playbook; set
    # http_proxy/https_proxy here if the hosts reach the internet via a proxy.
    proxy_env: {}

  tasks:
    # Set up EPEL for downloading fail2ban
    - name: Download epel RPM
      get_url:
        url: "{{ epel_download_url }}"
        dest: "{{ epel_download_path }}"
        timeout: 5
      environment: "{{ proxy_env }}"

    - name: Install epel RPM
      yum:
        name: "{{ epel_download_path }}"
        state: present
      environment: "{{ proxy_env }}"

    # Install fail2ban and enable it on startup
    - name: Install fail2ban
      yum:
        name: fail2ban
        state: present

    - name: Start and enable fail2ban service
      service:
        name: fail2ban
        state: started
        enabled: yes


Configuring fail2ban

To configure fail2ban according to your needs, use the following steps:

  1. Install fail2ban as described above
  2. Create a local configuration file to override the defaults using 'cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local'
  3. Edit jail.local as follows:
    1. Configure the ignoreip, bantime, findtime and maxretry values
    2. Enable protection for the appropriate services by setting 'enabled=true' in each service's jail section
  4. Optionally look at the mail-related configuration in '/etc/fail2ban/action.d/sendmail-whois.conf'
  5. Restart fail2ban for the changes to take effect
  6. Look at the iptables-save output to see the current filter rules added by fail2ban
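How the filter.d failregex described at the top of the page and the jail.local values from step 3 (ignoreip, bantime, findtime, maxretry, enabled) work together can be seen in the following Python model. It is an added illustration, not part of the original page and not fail2ban's own code: it reads a constructed jail.local fragment with configparser, expands the <HOST> placeholder in a simplified sshd-style failregex (an assumption, not the real filter.d/sshd.conf pattern), and replays constructed sshd log lines through a sliding findtime window, recording bans, the unban after bantime, and the ignoreip exemption.

```python
"""Toy fail2ban jail (filter.d-style failregex plus jail.local settings). Added
illustration, not fail2ban's own code; config and log lines are constructed."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands <HOST> to a host/IP pattern; IPv4 only here, for brevity.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified sshd-style failregex (assumed; not copied from filter.d/sshd.conf).
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed jail.local: values in [DEFAULT] apply to every jail section.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime  = 3600
findtime = 600
maxretry = 3
[ssh-iptables]
enabled = true
"""


def parse_syslog_time(line, year=2016):
    """Epoch seconds from a syslog prefix such as 'Apr  2 14:51:03 host ...'."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day field
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


class Jail:
    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip):
        self.failregex = re.compile(failregex.replace("<HOST>", HOST_RE))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure times inside findtime
        self.bans = {}                      # host -> time at which the ban expires

    @classmethod
    def from_config(cls, text, section, failregex=FAILREGEX):
        """Build a jail from jail.local text; configparser handles [DEFAULT]."""
        cfg = configparser.ConfigParser()
        cfg.read_string(text)
        sec = cfg[section]
        if not sec.getboolean("enabled", False):
            return None  # jail not enabled, so fail2ban would not start it
        return cls(failregex, sec.getint("maxretry"), sec.getint("findtime"),
                   sec.getint("bantime"), sec.get("ignoreip", "").split())

    def feed(self, line):
        """Process one log line; return the host if this line caused a ban."""
        m = self.failregex.search(line)
        ts = parse_syslog_time(line)
        if not m or ts is None:
            return None
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return None              # ignoreip: never counted, never banned
        if host in self.bans:
            if ts < self.bans[host]:
                return None          # still banned: iptables would drop this
            del self.bans[host]      # bantime elapsed; count afresh
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:
            window.popleft()         # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = ts + self.bantime
            window.clear()
            return host
        return None


# Constructed sshd log lines (not from a real system).
SAMPLE_LOG = """\
Apr  2 14:40:00 web sshd[2050]: Failed password for root from 198.51.100.9 port 33000 ssh2
Apr  2 14:51:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  2 14:51:03 web sshd[2101]: Failed password for root from 203.0.113.7 port 40124 ssh2
Apr  2 14:51:05 web sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Apr  2 14:51:06 web sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Apr  2 14:51:20 web sshd[2110]: Accepted publickey for deploy from 192.168.1.10 port 50000 ssh2
Apr  2 14:51:30 web sshd[2111]: Failed password for deploy from 192.168.1.10 port 50002 ssh2
Apr  2 14:51:31 web sshd[2111]: Failed password for deploy from 192.168.1.10 port 50002 ssh2
Apr  2 14:51:32 web sshd[2111]: Failed password for deploy from 192.168.1.10 port 50002 ssh2
Apr  2 14:52:00 web sshd[2120]: Failed password for root from 198.51.100.9 port 33010 ssh2
Apr  2 14:52:01 web sshd[2120]: Failed password for root from 198.51.100.9 port 33011 ssh2
Apr  2 15:52:00 web sshd[2300]: Failed password for root from 203.0.113.7 port 41000 ssh2
"""


def run_jail(config_text=JAIL_LOCAL, log_text=SAMPLE_LOG, section="ssh-iptables"):
    """Replay a log through the configured jail; return (ban events, jail)."""
    jail = Jail.from_config(config_text, section)
    events = [h for h in map(jail.feed, log_text.splitlines()) if h]
    return events, jail
```

Calling run_jail() on the sample replays three distinct outcomes: 203.0.113.7 reaches maxretry within four seconds and is banned for bantime, after which its 15:52:00 failure is counted afresh because the ban has expired; 198.51.100.9 never gets banned because its first failure falls outside the 600-second findtime window; and 192.168.1.10 is never counted at all because it sits inside an ignoreip network, which is exactly why ignoreip should list your own management hosts before enabling a jail.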

