Fail2ban: Unterschied zwischen den Versionen

Aus crazylinux.de
Zur Navigation springen Zur Suche springen
(init)
 
(postfix)
 
(3 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
= <br>bans IPs that cause multiple authentication errors =
'''bans IPs that cause multiple authentication errors'''


Monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. The software was completely rewritten at version 0.7.0 and now allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email. Currently, by default, supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls.  
Monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. The software was completely rewritten at version 0.7.0 and now allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email. Currently, by default, supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls.  
Zeile 11: Zeile 11:
syslog<br>  
syslog<br>  
<pre> Jan 27 09:32:58 hostname pure-ftpd: (?@81.169.128.26) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
<pre> Jan 27 09:32:58 hostname pure-ftpd: (?@81.169.128.26) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
</pre>
</pre>  
<br>  
<br>  


Zeile 41: Zeile 41:
ignoreregex =</source><br>  
ignoreregex =</source><br>  


<br>
 


== /etc/fail2ban/actions.d/shorewall.conf ==
== /etc/fail2ban/jail.local ==


<source lang="ini"># Fail2Ban configuration file
<source lang="ini">[DEFAULT]
#
banaction = shorewall
# Author: Cyril Jaquier ??? JT
action = %(action_mwl)s
#
# $Revision: 2 $
#


[Definition]
[ssh]
 
enabled = true
# Option:  fwstart
maxretry = 6
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = echo -en "Hi,\n
              The jail <name> has been started successfuly.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
 
# Option:  fwend
# # Notes.:  command executed once at the end of Fail2Ban
# # Values:  CMD
# #
actionstop = echo -en "Hi,\n
            The jail <name> has been stopped.\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
 
# Option:  fwcheck
# Notes.:  command executed once before each fwban command
# Values:  CMD
#
actioncheck =
 
# Option:  fwban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = shorewall drop <ip>
#actionban = shorewall reject <ip>
 
# Option:  fwunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = shorewall allow <ip></source>


<br>
[pam-generic]
 
== /etc/fail2ban/jail.conf  ==
 
<source lang="ini">#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
 
...
 
# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
action = shorewall[name=%(__name__)s, port=%(port)s]
          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
...
 
[ssh]
enabled = true
enabled = true
port    = 22
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
maxretry = 6
[sasl]
enabled  = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log


[pureftpd]
[pureftpd]
enabled  = true
enabled  = true
port    = 21
port    = ftp,ftp-data,ftps,ftps-data
filter  = pureftpd
filter  = pureftpd
logpath  = /var/log/syslog
logpath  = /var/log/syslog
maxretry = 6
maxretry = 6
...</source>


[[Kategorie:Linux]]
[postfix]
[[Kategorie:Debian]]
enabled  = true
[[Kategorie:Security]]
port    = smtp,ssmtp
filter  = postfix
logpath  = /var/log/mail.log
 
[dovecot]
enabled = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
 
</source> <br> <br>
 
[[Category:Linux]] [[Category:Debian]] [[Category:Security]]

Aktuelle Version vom 23. Juli 2013, 18:08 Uhr

bans IPs that cause multiple authentication errors

Monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. The software was completely rewritten at version 0.7.0 and now allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email. Currently, by default, supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls.

Homepage: Fail2ban


Pure-Ftpd/Shorewall

syslog

 Jan 27 09:32:58 hostname pure-ftpd: (?@81.169.128.26) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.


/etc/fail2ban/filter.d/pureftpd.conf

# Fail2Ban configuration file
#
# Author: JT
#
# $Revision: 2 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values: TEXT
#
#Jan 27 09:32:58 hostname pure-ftpd: (?@81.169.128.26) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
#
failregex = pure-ftpd: \(.*@<HOST>\) \[WARNING\] Sorry, cleartext sessions are not accepted.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =




/etc/fail2ban/jail.local

[DEFAULT]
banaction = shorewall
action = %(action_mwl)s

[ssh]
enabled = true
maxretry = 6

[pam-generic]
enabled = true
maxretry = 6

[sasl]
enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

[pureftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 6

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]
enabled = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log