Fail2ban install and setup
Installation
sudo yum install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
Overview
The Fail2ban log file is /var/log/fail2ban.log. Fail2ban analyzes the log files given in logpath (default paths are in the /etc/fail2ban/paths-*.conf files) and looks for the patterns described in a filter (filter names are file names inside the /etc/fail2ban/filter.d directory), unless the IP is listed in ignoreip. When the pattern is found repeated maxretry times within findtime seconds, one or more actions (action names are file names inside /etc/fail2ban/action.d) are performed, and the effect of an action lasts for bantime seconds.
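The detection loop described above, as an added example written for this page and not fail2ban's own code: a simplified sshd-style failregex is applied to constructed /var/log/secure lines, and the maxretry, findtime, bantime and ignoreip rules decide which hosts get banned. The regex, the sample log lines and the assumed year 2024 are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for a failregex from filter.d/sshd.conf (constructed here,
# not fail2ban's own regex); the <HOST> placeholder becomes the "host" group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def find_bans(lines, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
    """Apply maxretry/findtime/bantime/ignoreip to log lines; return {host: ban expiry}."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)   # host -> failure times inside the findtime window
    bans = {}                       # host -> epoch second at which the ban expires
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        # syslog timestamps carry no year; 2024 is assumed for the constructed sample
        now = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S").timestamp()
        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue                # ignoreip: never counted, never banned
        window = failures[host]
        window.append(now)
        while now - window[0] > findtime:
            window.popleft()        # forget failures older than findtime seconds
        if len(window) >= maxretry:
            bans[host] = now + bantime   # the action's effect lasts bantime seconds
            window.clear()
    return bans

# Constructed /var/log/secure lines: 203.0.113.7 fails 3 times in 8 s, 127.0.0.1 is
# covered by ignoreip, 198.51.100.9 fails 3 times but spread over an hour (> findtime).
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  5 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  5 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  5 10:00:12 host sshd[1004]: Failed password for root from 127.0.0.1 port 51004 ssh2
Mar  5 10:00:13 host sshd[1005]: Failed password for root from 127.0.0.1 port 51005 ssh2
Mar  5 10:00:14 host sshd[1006]: Failed password for root from 127.0.0.1 port 51006 ssh2
Mar  5 10:01:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 51007 ssh2
Mar  5 10:30:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 51008 ssh2
Mar  5 10:59:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 51009 ssh2
""".splitlines()
```

Running find_bans(SAMPLE_LOG, ignoreip=["127.0.0.1/8"]) bans only 203.0.113.7; raising findtime to 86400 (the value used in the defaults below) also bans 198.51.100.9, and dropping ignoreip bans 127.0.0.1 as well.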
Initial setup
Configuration parts related to a given port and logpath are called jails. By default all jails are disabled. All .local files are parsed after the .conf files, both for the original configuration file and for the files under the .d directory. Settings in a file parsed later take precedence over identical entries in previously parsed files.
Let's setup our own defaults:
vi /etc/fail2ban/jail.d/default.conf and add below:
[DEFAULT]
maxretry = 4
findtime = 86400
bantime = 86400 #to make a permanent (forever) ban use bantime = -1
action = iptables-allports[name="ALL"]
#ignoreip = 127.0.0.1/8 #commented out: don't ignore this subnet
[DEFAULT] is the default jail name, so settings inside this jail are inherited by all other jails, and if needed one can override these defaults inside any other jail.
Understanding iptables related actions:
1) actionstart from the [Definition] section is the command used to set up the action
2) since Fail2ban version 0.10.0 actionstart is performed at the first ban (the iptables rule is created only when some IP is banned)
3) to create the rule for the action before the actual ban, use actionstart_on_demand = false for each specified iptables action
4) parameters for an action are written between "<" and ">" brackets
5) so, if we use the iptables action:
First review actionstart:
actionstart = <iptables> -N f2b-<name>
<iptables> -A f2b-<name> -j <returntype>
<iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
Write your action (below is an example; you can assign only some of the parameters and leave the rest unchanged):
action = iptables[name="SSHD", protocol="tcp", port="22"]
To see the whole active Fail2ban configuration:
fail2ban-client -d
Check that the filter works against a log file:
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf
SSH
Add a new jail for the SSH protocol:
vi /etc/fail2ban/jail.d/sshd.conf
[sshd]
enabled = true
port = ssh
filter = sshd
action = iptables[name="SSHD", protocol="tcp", port="22"]
logpath = /var/log/secure
maxretry = 3
Asterisk
vi /etc/fail2ban/jail.d/asterisk.conf
[asterisk]
enabled=true
maxretry=5
bantime=-1
Postfix
vi /etc/fail2ban/jail.d/postfix-aggressive.conf
[postfix]
mode=aggressive
enabled = true
logpath = /var/log/maillog
maxretry = 3
Dovecot
vi /etc/fail2ban/jail.d/dovecot.conf
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/dovecot
maxretry = 3
Unbanning and monitoring bans
To view configured (active) jails:
fail2ban-client status
To view current ban statistics (filter and actions) and current bans (if any) for a specified jail:
fail2ban-client status sshd
To unban an IP (example of unbanning an IP from the sshd jail):
fail2ban-client set sshd unbanip 192.168.1.1
We can also use iptables to view the rules and to unban:
1) View rules along with their numbers:
iptables -L -n --line-numbers
2) Unban by deleting the rule that contains the IP address to unban (example is for the f2b-SSHD chain, rule number 1):
iptables -D f2b-SSHD 1