Version 1.0
\nAuthor: Falko Timme <ft [at] falkotimme [dot] com>
\nLast edited 08\/08\/2008<\/p>\n\n\n\n
In this article I will show how to install and configure fail2ban<\/a> on a Fedora 9 system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address\/host by blocking it with an iptables firewall rule.<\/p>\n\n\n\n This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!<\/p>\n\n\n\n Fail2ban is similar to DenyHosts<\/a> which I covered in this tutorial: http:\/\/www.howtoforge.com\/preventing_ssh_dictionary_attacks_with_denyhosts<\/a>, but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using \/etc\/hosts.deny only to block IP addresses\/hosts, fail2ban can use iptables and \/etc\/hosts.deny.<\/p>\n\n\n\n In this example I will configure fail2ban to monitor login attempts to the SSH server, the Proftpd server, login attempts to .htaccess\/.htpasswd protected web sites, to Courier POP3 and Courier IMAP, and to SASL (for sending emails). I will install the fail2ban package that is available for Fedora 9. It comes with a default configuration, but unfortunately that configuration doesn\u2019t quite work for most of the aforementioned services. Therefore I will create a customized fail2ban configuration that I have tested and that works for me.<\/p>\n\n\n\n Fail2ban can be installed as follows:<\/p>\n\n\n\n yum install fail2ban<\/p>\n\n\n\n Then we must create the system startup links for fail2ban and start it:<\/p>\n\n\n\n chkconfig \u2013levels 235 fail2ban on You will find all fail2ban configuration files in the \/etc\/fail2ban directory.<\/p>\n\n\n\n The default behaviour of fail2ban is configured in the file \/etc\/fail2ban\/jail.conf. Take a look at it, it\u2019s not hard to understand. There\u2019s a [DEFAULT] section that applies to all other sections unless the default options are overriden in the other sections.<\/p>\n\n\n\n I explain some of the configuration options here:<\/p>\n\n\n\n This is what my \/etc\/fail2ban\/jail.conf file looks like:<\/p>\n\n\n\n vi \/etc\/fail2ban\/jail.conf<\/p>\n\n\n\n \u2013<\/p>\n\n\n\n # Fail2Ban configuration file # The DEFAULT allows a global definition of the options. They can be override [DEFAULT]<\/p>\n\n\n\n # \u201cignoreip\u201d can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # \u201cbantime\u201d is the number of seconds that a host is banned. # A host is banned if it has generated \u201cmaxretry\u201d during the last \u201cfindtime\u201d # \u201cmaxretry\u201d is the number of failures before a host get banned. # \u201cbackend\u201d specifies the backend used to get files modification. Available [ssh-iptables]<\/p>\n\n\n\n enabled = true [proftpd-iptables]<\/p>\n\n\n\n enabled = true [sasl-iptables]<\/p>\n\n\n\n enabled = true [apache-tcpwrapper]<\/p>\n\n\n\n enabled = true [postfix-tcpwrapper]<\/p>\n\n\n\n enabled = true [courierpop3]<\/p>\n\n\n\n enabled = true [courierimap]<\/p>\n\n\n\n enabled = true [ssh-tcpwrapper]<\/p>\n\n\n\n enabled = false [vsftpd-notification]<\/p>\n\n\n\n enabled = false [vsftpd-iptables]<\/p>\n\n\n\n enabled = false [apache-badbots]<\/p>\n\n\n\n enabled = false [apache-shorewall]<\/p>\n\n\n\n enabled = false [ssh-ipfw]<\/p>\n\n\n\n enabled = false [named-refused-udp]<\/p>\n\n\n\n enabled = false [named-refused-tcp]<\/p>\n\n\n\n enabled = false \u2013<\/p>\n\n\n\n My client computer has the static IP address 192.168.0.99, and because I don\u2019t want to be locked out, I\u2019ve added it to the ignoreip list.<\/p>\n\n\n\n I want to control login attempts to SSH, Apache, Proftpd, Courier-POP3, Courier-IMAP, and Sasl, so I\u2019ve set enabled to true for these services and to false for all other services. Please note that some services such as SSH can be blocked either by iptables or by TCPWrappers (\/etc\/hosts.deny). Decide for yourself which method you prefer.<\/p>\n\n\n\n Make sure to replace the email address you@mail.com with your own email address so that you get notified when someone gets blocked by fail2ban.<\/p>\n\n\n\n If you compare the file with the default \/etc\/fail2ban\/jail.conf, you\u2019ll also notice that I\u2019ve changed some log files because the log files in the default \/etc\/fail2ban\/jail.conf are not correct for Fedora 9.<\/p>\n\n\n\n Whenever we modify the fail2ban configuration, we must restart fail2ban, so this is what we do now:<\/p>\n\n\n\n \/etc\/init.d\/fail2ban restart<\/p>\n\n\n\n That\u2019s it already. Fail2ban logs to \/var\/log\/fail2ban.log, so you can check that file to find out if\/what hosts got blocked. If a host got blocked by fail2ban, it looks like this:<\/p>\n\n\n\n 2008-08-08 17:49:09,466 fail2ban.actions: WARNING [apache-tcpwrapper] Ban 1.2.3.4 You can also check your firewall to see if any hosts are currently blocked. Simply run<\/p>\n\n\n\n iptables -L<\/p>\n\n\n\n For services that use TCPWrappers to block hosts, take a look at \/etc\/hosts.deny.<\/p>\n\n\n\n Preventing Brute Force Attacks With Fail2ban On Fedora 9 Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 08\/08\/2008 In this article I will show how to install and configure fail2ban on a Fedora 9 system. Fail2ban … Continue reading 1 Preliminary Note<\/h3>\n\n\n\n
2 Installing fail2ban<\/h3>\n\n\n\n
\n\/etc\/init.d\/fail2ban start<\/p>\n\n\n\n3 Configuring fail2ban<\/h3>\n\n\n\n
\n#
\n# Author: Cyril Jaquier
\n#
\n# $Revision: 617 $
\n#<\/p>\n\n\n\n
\n# in each jail afterwards.<\/p>\n\n\n\n
\n# ban a host which matches an address in this list. Several addresses can be
\n# defined using space separator.
\nignoreip = 127.0.0.1 192.168.0.99<\/p>\n\n\n\n
\nbantime = 600<\/p>\n\n\n\n
\n# seconds.
\nfindtime = 600<\/p>\n\n\n\n
\nmaxretry = 3<\/p>\n\n\n\n
\n# options are \u201cgamin\u201d, \u201cpolling\u201d and \u201cauto\u201d. This option can be overridden in
\n# each jail too (use \u201cgamin\u201d for a jail and \u201cpolling\u201d for another).
\n#
\n# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
\n# is not installed, Fail2ban will use polling.
\n# polling: uses a polling algorithm which does not require external libraries.
\n# auto: will choose Gamin if available and polling otherwise.
\nbackend = auto<\/p>\n\n\n\n
\nfilter = sshd
\naction = iptables[name=SSH, port=ssh, protocol=tcp]
\n sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
\nlogpath = \/var\/log\/secure
\nmaxretry = 5<\/p>\n\n\n\n
\nfilter = proftpd
\naction = iptables[name=ProFTPD, port=ftp, protocol=tcp]
\n sendmail-whois[name=ProFTPD, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nmaxretry = 6<\/p>\n\n\n\n
\nfilter = sasl
\nbackend = polling
\naction = iptables[name=sasl, port=smtp, protocol=tcp]
\n sendmail-whois[name=sasl, dest=you@mail.com]
\nlogpath = \/var\/log\/maillog<\/p>\n\n\n\n
\nfilter = apache-auth
\naction = hostsdeny
\nlogpath = \/var\/log\/httpd\/*error_log
\nmaxretry = 6<\/p>\n\n\n\n
\nfilter = postfix
\naction = hostsdeny
\n sendmail[name=Postfix, dest=you@mail.com]
\nlogpath = \/var\/log\/maillog
\nbantime = 300<\/p>\n\n\n\n
\nport = pop3
\nfilter = courierlogin
\naction = iptables[name=%(__name__)s, port=%(port)s]
\nlogpath = \/var\/log\/maillog
\nmaxretry = 5<\/p>\n\n\n\n
\nport = imap2
\nfilter = courierlogin
\naction = iptables[name=%(__name__)s, port=%(port)s]
\nlogpath = \/var\/log\/maillog
\nmaxretry = 5<\/p>\n\n\n\n
\nfilter = sshd
\naction = hostsdeny
\n sendmail-whois[name=SSH, dest=you@mail.com]
\nignoreregex = for myuser from
\nlogpath = \/var\/log\/secure<\/p>\n\n\n\n
\nfilter = vsftpd
\naction = sendmail-whois[name=VSFTPD, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nmaxretry = 5
\nbantime = 1800<\/p>\n\n\n\n
\nfilter = vsftpd
\naction = iptables[name=VSFTPD, port=ftp, protocol=tcp]
\n sendmail-whois[name=VSFTPD, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nmaxretry = 5
\nbantime = 1800<\/p>\n\n\n\n
\nfilter = apache-badbots
\naction = iptables-multiport[name=BadBots, port=”http,https”]
\n sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
\nlogpath = \/var\/log\/httpd\/*access_log
\nbantime = 172800
\nmaxretry = 1<\/p>\n\n\n\n
\nfilter = apache-noscript
\naction = shorewall
\n sendmail[name=Apache, dest=you@mail.com]
\nlogpath = \/var\/log\/httpd\/error_log<\/p>\n\n\n\n
\nfilter = sshd
\naction = ipfw[localhost=192.168.0.1]
\n sendmail-whois[name=”SSH,IPFW”, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nignoreip = 168.192.0.1<\/p>\n\n\n\n
\nfilter = named-refused
\naction = iptables-multiport[name=Named, port=”domain,953″, protocol=udp]
\n sendmail-whois[name=Named, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nignoreip = 168.192.0.1<\/p>\n\n\n\n
\nfilter = named-refused
\naction = iptables-multiport[name=Named, port=”domain,953″, protocol=tcp]
\n sendmail-whois[name=Named, dest=you@mail.com]
\nlogpath = \/var\/log\/secure
\nignoreip = 168.192.0.1<\/p>\n\n\n\n
\n2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sasl-iptables] Ban 1.2.3.4
\n2008-08-08 18:26:37,769 fail2ban.actions: WARNING [courierlogin] Ban 1.2.3.4
\n2008-08-08 18:39:06,765 fail2ban.actions: WARNING [courierimap] Ban 1.2.3.4<\/p>\n\n\n\nLinks<\/h3>\n\n\n\n