Friday, May 27, 2011

Install Fail2Ban on Centos 5.5

Credit goes to: http://www.md3v.com/install-fail2ban-on-centos-5-5
Copy-and-paste version.


#wget -O fail2ban-0.8.4.tar.bz2 "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=transact"
#tar -xjf fail2ban-0.8.4.tar.bz2
#cd fail2ban-0.8.4
#python setup.py install
#cp files/redhat-initd /etc/init.d/fail2ban
#chkconfig --add fail2ban
#chkconfig fail2ban on

Once the installation is complete open the jail.conf configuration:
#nano -w /etc/fail2ban/jail.conf

Review the sections (e.g. [ssh-iptables]) and set 'enabled = true' in the ones you would like enabled.

You will also need to define your email address and log locations, for example:
sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log


This should become (example):
sendmail-whois[name=SSH, dest=you@yourdomain.com, sender=fail2ban@yourserversdomain.net]
logpath  = /var/log/secure


Once you have completed the configuration of the jail.conf file you will need to start fail2ban's service:
service fail2ban start

You can test the rules per service using:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf


Adjust /etc/fail2ban/jail.conf to suit, example – if your SSH daemon is on port 22 and 8899 (the second action line must be indented, since it continues the 'action =' value):
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="22,8899", protocol=tcp]
           sendmail-whois[name=SSH, dest=you@your-domain.net]
logpath  = /var/log/secure
maxretry = 5
bantime  = 3600

1 comment:

  1. For fail2ban asterisk.

    Create /etc/fail2ban/filter.d/asterisk.conf with this content:

    # Fail2Ban configuration file
    #
    #
    # $Revision: 250 $
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf


    [Definition]

    #_daemon = asterisk

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #

    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =


    After that, edit /etc/fail2ban/jail.conf and put these lines in it:

    [asterisk-iptables]

    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=ASTERISK, protocol=all]
               sendmail-whois[name=ASTERISK, dest=youremail@domain.com, sender=fail2ban@example.org]
    logpath  = /var/log/asterisk/messages
    maxretry = 5
    bantime  = 259200

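Added example, not code from the post, the comment or the fail2ban project: a small Python model (fail2ban itself is Python) of what fail2ban-regex and a jail do with the Asterisk filter above. It expands the <HOST> tag into the named group the filter comments describe, runs three of the failregex lines over constructed Asterisk log lines, counts failures per host and applies maxretry; findtime and the timestamp handling of the real program are left out.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this named group before compiling a failregex
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Three of the failregex lines from the Asterisk filter in the comment above
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
]

# Constructed Asterisk log lines using documentation addresses (RFC 5737), not real traffic
LOG = [
    "[May 27 10:01:01] NOTICE[2431] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[May 27 10:01:02] NOTICE[2431] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[May 27 10:01:03] NOTICE[2431] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[May 27 10:01:04] NOTICE[2431] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[May 27 10:01:05] VERBOSE[2431] chan_sip.c: Registered SIP '200' at 192.0.2.20:5060",
    "[May 27 10:01:06] NOTICE[2431] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[May 27 10:01:07] NOTICE[2431] chan_iax2.c: Host 198.51.100.7 failed to authenticate as 'trunk'",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile; a pattern without a host group is rejected, as fail2ban does."""
    compiled = []
    for pat in patterns:
        rx = re.compile(pat.replace("<HOST>", HOST_TAG))
        if "host" not in rx.groupindex:
            raise ValueError("failregex has no <HOST> tag: %s" % pat)
        compiled.append(rx)
    return compiled

def count_failures(log_lines, compiled):
    """Return {host: failure count}; the first failregex that matches a line wins."""
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return dict(hits)

def hosts_to_ban(hits, maxretry=5):
    """Hosts whose failure count reached the jail's maxretry (findtime is ignored here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = count_failures(LOG, compile_failregex(FAILREGEX))
    print(hits)                 # {'198.51.100.7': 5, '203.0.113.5': 1}
    print(hosts_to_ban(hits))   # ['198.51.100.7']
```

The ValueError path is what you hit when the <HOST> tag is lost from a filter (for instance by copying it from a web page that swallowed the angle brackets): fail2ban refuses to load the filter rather than silently banning nothing.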