
Fail2ban integration

The Fail2ban-compatible log format is written by ArrowBilling starting from version 2.3.2.

Fail Messages

Login failure:

YYYY-MM-DD HH:MM:SS|2||BADLOGIN: Failed login attempt from <ip_address> to reseller area

SQL injection attempt:

2013-02-16 23:51:29|2||SECURITY: Possible SQL Injection detected from <ip_address> (description follows)

Filter Regex for login failure

file: /etc/fail2ban/filter.d/dtl_http.conf

[Definition]

failregex = BADLOGIN: Failed login attempt from <HOST>

Filter Regex for SQL injection prevention

file: /etc/fail2ban/filter.d/dtl_http_sql.conf

[Definition]
failregex = SECURITY: Possible SQL Injection detected from <HOST>

Filter Regex for bad useragent strings

file: /etc/fail2ban/filter.d/bad_useragent.conf

[Definition]
failregex = ^<HOST> .*\) Havij\"$
        ^<HOST> .*sqlmap.*$

Jail

file: /etc/fail2ban/jail.conf:

[dtl_http]
enabled  = true
filter   = dtl_http
port     = http,https
action   = iptables-allports[name=DTLHTTP, protocol=all]
          sendmail-whois[name=DTLHTTP, dest=you@yourdomain.com]
logpath  = /var/log/dtl_debug.log
maxretry = 10
findtime = 120
bantime = 3600

[dtl_http_sql]
enabled  = true
filter   = dtl_http_sql
port     = http,https
action   = iptables-allports[name=DTLHTTPSQL, protocol=all]
          sendmail-whois[name=DTLHTTPSQL, dest=you@yourdomain.com]
logpath  = /var/log/dtl_debug.log
maxretry = 5
findtime = 600
bantime = 3600

[bad_useragent]
enabled  = true
port     = 80,443
protocol = tcp
filter   = bad_useragent
maxretry = 1
findtime = 60
bantime  = 86400
logpath  = /var/log/apache2/*access.log
action   = iptables-allports[name=BADUSERAGENT, protocol=all]
          sendmail-whois[name=BADUSERAGENT, dest=you@yourdomain.com]
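Before enabling these jails it is worth confirming that each failregex really matches the log lines and that maxretry/findtime trip where you expect. The following is an added Python example, not code from this page, ArrowBilling or fail2ban: it expands <HOST> with a simplified stand-in pattern (an assumption, not fail2ban's exact one), runs the page's failregex entries over constructed sample lines in the dtl_debug.log format, and models the jail's sliding-window counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not its exact pattern).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.-]*)"

# failregex entries from this page, keyed by filter name.
FILTERS = {
    "dtl_http": [r"BADLOGIN: Failed login attempt from <HOST>"],
    "dtl_http_sql": [r"SECURITY: Possible SQL Injection detected from <HOST>"],
    "bad_useragent": [r'^<HOST> .*\) Havij\"$', r"^<HOST> .*sqlmap.*$"],
}

def matched_host(filter_name, line):
    # Substitute <HOST> as fail2ban does; return the host captured by the first
    # failregex of the filter that matches the line, else None.
    for pattern in FILTERS[filter_name]:
        if m := re.search(pattern.replace("<HOST>", HOST_RE), line):
            return m.group("host")
    return None

def would_ban(lines, filter_name, maxretry, findtime):
    # Hosts reaching maxretry matches inside a sliding findtime-second window.
    # Simplified model of the jail's counting (lines must be chronological), not
    # fail2ban's own bookkeeping; timestamps use the 'YYYY-MM-DD HH:MM:SS|' format.
    recent, banned = defaultdict(deque), set()
    for line in lines:
        host = matched_host(filter_name, line)
        if host is None:
            continue
        ts = datetime.strptime(line.split("|", 1)[0], "%Y-%m-%d %H:%M:%S")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def sql_line(hh, mm, host):  # constructed dtl_debug.log line, not real data
    return f"2013-02-16 {hh:02d}:{mm:02d}:29|2||SECURITY: Possible SQL Injection detected from {host} (description follows)"

# Constructed chronological sample: 203.0.113.7 hits the SQL filter 5 times in 4 min; 198.51.100.9 twice, 18 min apart.
SAMPLE_DTL = ([sql_line(23, 40, "198.51.100.9")]
              + [sql_line(23, m, "203.0.113.7") for m in range(51, 56)]
              + [sql_line(23, 58, "198.51.100.9"),
                 "2013-02-17 00:01:05|2||BADLOGIN: Failed login attempt from 203.0.113.7 to reseller area"])
```

With the page's dtl_http_sql values (maxretry 5, findtime 600) only 203.0.113.7 is banned; fail2ban's own `fail2ban-regex` tool performs the match check against a real log file, this example adds the window model on top.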

FreeBSD

Setting up fail2ban on FreeBSD

Fail2ban is in ports: security/py-fail2ban

# cd /usr/ports/security/py-fail2ban/
# make install clean

The configuration directory is /usr/local/etc/fail2ban/

Enable fail2ban in /etc/rc.conf:

fail2ban_enable="YES"

Manual start:

# /usr/local/etc/rc.d/fail2ban start

To execute the ipfw command instead of iptables, start from the existing ipfw.conf in the action.d/ directory:

# cd /usr/local/etc/fail2ban/action.d/
# cp ipfw.conf ipfw-http.conf

and replace the line:

port = ssh

by

port = http,https

and

actionban = ipfw add deny tcp from <ip> to <localhost> <port>

by

actionban = ipfw add 04000 deny tcp from <ip> to <localhost> <port>

A rule number such as 01000 sits well before the default "65000 allow ip from any to any" rule, so the deny rule is evaluated first.

In jail.conf, use the action:

action   = ipfw-http[localhost=XX.XX.XX.XX]

This runs the ipfw command from action.d/ipfw-http.conf instead of iptables. Replace XX.XX.XX.XX with the real IP address of the server.

Setting up ipfw

FreeBSD uses ipfw instead of iptables.

To enable ipfw, add to /etc/rc.conf:

firewall_enable="YES"
firewall_type="OPEN"

To load the ipfw kernel module on a remote machine without losing access to it (ipfw denies all traffic until rules are loaded), execute in one go:

# kldload ipfw ; sysctl net.inet.ip.fw.enable=0

Apply open firewall rules by restarting ipfw service:

# /etc/rc.d/ipfw restart

Tuning Fail2ban

To adjust ban conditions and timeouts, edit /usr/local/etc/fail2ban/jail.conf and look for the section:

[dtl_http]
.....skipped .....
maxretry = 5
findtime = 120
bantime = 60

Always restart fail2ban for changes to take effect:

# /usr/local/etc/rc.d/fail2ban restart

FreeBSD notes

If you wish to ban SSH failures on FreeBSD, add the following line to the failregex in the default filter.d/sshd.conf:

            ^%(__prefix_line)s(?:error: PAM: )?authentication error for .* from <HOST>\s*$

On FreeBSD the sshd log file is /var/log/auth.log, so set logpath accordingly.

Last modified on Feb 21, 2013, 9:36:49 AM