Fail2ban is another neat intrusion detection program. It monitors log files for suspicious access attempts and, once it has seen enough of them, edits the firewall to block the offender. The really neat part is that it will unban the offending IP later on (you define how long); that usually suffices against your garden variety automatic port scanner/dictionary attack but also gives hope to your user who just can't remember a password. There are other programs out there that will deal with ssh attacks, but fail2ban will handle many different services; I myself use it with Asterisk, mail, and web, just to name a few.
But, you did not come here to hear me babbling; let's get busy and do some installing, shall we?
Installing fail2ban in RedHat/CentOS
For this example I will be using CentOS 6. YMMV.
- Get required packages. You need jwhois (for whois) from base and fail2ban from, say, epel or your favourite repository:
yum install jwhois fail2ban --enablerepo=epel
whois is needed by /etc/fail2ban/action.d/sendmail-whois.conf, which is called by /etc/fail2ban/filter.d/sshd.conf. You will also need ssmtp or some kind of MTA so fail2ban can let you know that it caught a sneaky bastard. I briefly mentioned ssmtp in a previous post; seek and thou shalt find.
- Configure fail2ban.
- Disable everything in /etc/fail2ban/jail.conf. We'll be using /etc/fail2ban/jail.local:
sed -i -e 's/^enabled.*/enabled = false/' /etc/fail2ban/jail.conf
- Configure /etc/fail2ban/jail.local. For now, we will just have ssh enabled. Note that HOSTNAME must be set on its own line; as a prefix to cat it would only be visible to cat, not to the shell expanding the here document:

HOSTNAME=$(hostname -f)
cat > /etc/fail2ban/jail.local << EOF
# Fail2Ban jail.local configuration file.
#
[DEFAULT]
actionban = iptables -I fail2ban-<name> 1 -s <ip> -m comment --comment "FAIL2BAN temporary ban" -j DROP

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = raub@kudria.com

# This will ignore connections coming from our networks.
# Note that local connections can come from other than just 127.0.0.1, so
# this needs a CIDR range too.
ignoreip = 127.0.0.0/8 $(dig +short $HOSTNAME)

#
# ACTIONS
#
# action = %(action_mwl)s

#
# JAILS
#
[ssh]
enabled  = true
port     = ssh
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest="%(destemail)s", sender=fail2ban@$HOSTNAME]
logpath  = /var/log/secure
maxretry = 5
bantime  = 28800
EOF

Note we are only whitelisting the host itself. You could whitelist your lan and other machines/networks if you want. Jail is a fail2ban term that defines a ruleset you want to check for, and ban as needed.
- Decide where you want fail2ban to log to. That is done in /etc/fail2ban/fail2ban.local using the logtarget variable. Some possible values could be:

cat > /etc/fail2ban/fail2ban.local << EOF
[Definition]
# logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
EOF

The file /etc/fail2ban/fail2ban.conf should provide you with examples on how to set that up.
- Enable fail2ban:

service fail2ban restart
chkconfig fail2ban on

If you now do

chkconfig --list fail2ban

you should then see

fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off

And then check the fail2ban log you defined just before for any funny business. If you have set it up correctly, you should see an email to destemail saying fail2ban started. Note that you will get one email per jail. So, if you just did the default (ssh), you will get one email that looks like this:

Hi,

The jail SSH has been started successfully.

Regards,

Fail2Ban
When fail2ban bans someone, you will receive an email that looks like this:

Hi,

The IP 82.205.21.200 has just been banned by Fail2Ban after 3 attempts against ASTERISK.

Here are more information about 82.205.21.200:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '82.205.16.0 - 82.205.31.255'
[...]

Note that it is not the SSH jail but the ASTERISK one; I just want to show a different example. Also, the stuff after the banned message is from whois. If you do iptables -L, you will see which rule fail2ban added to iptables:

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  221.178.164.251      anywhere
RETURN     all  --  anywhere             anywhere

Note it creates a chain for each jail.
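As an added example (not from the original post), here is a small POSIX shell audit that reads a per-jail chain from iptables -L -n output and the fail2ban log set up above: it lists the banned addresses, counts Ban events per jail, and flags rules still sitting in the chain after the log recorded an Unban, which is the one case where trusting the unban timer would mislead you. The chain output and log lines are constructed samples, and the log line format assumed is the fail2ban 0.8 one (`fail2ban.actions: WARNING [jail] Ban <ip>`).

```shell
# Added example, not part of the original post: audit helpers for a fail2ban host.
# Constructed sample of "iptables -L fail2ban-SSH -n" output; on a live host use
# the real command output instead.
SAMPLE_CHAIN='Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  221.178.164.251      0.0.0.0/0
DROP       all  --  82.205.21.200        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of /var/log/fail2ban.log (fail2ban 0.8 line format assumed).
SAMPLE_LOG='2013-03-02 10:01:12,345 fail2ban.actions: WARNING [ssh] Ban 221.178.164.251
2013-03-02 10:05:40,001 fail2ban.actions: WARNING [asterisk] Ban 82.205.21.200
2013-03-02 18:01:12,900 fail2ban.actions: WARNING [ssh] Unban 221.178.164.251'

# Source addresses currently dropped by a fail2ban chain, one per line.
banned_ips() {
    printf '%s\n' "$1" | awk '$1 == "DROP" { print $4 }'
}

# Number of Ban events per jail, as "jail count" lines sorted by jail name.
bans_per_jail() {
    printf '%s\n' "$1" | awk '$6 == "Ban" { j = $5; gsub(/[][]/, "", j); n[j]++ }
        END { for (j in n) print j, n[j] }' | sort
}

# Addresses the log still considers banned: a Ban line with no later Unban.
active_bans_from_log() {
    printf '%s\n' "$1" | awk '$6 == "Ban" { b[$7] = 1 } $6 == "Unban" { delete b[$7] }
        END { for (ip in b) print ip }' | sort
}

# Rules left in the chain after the log recorded an Unban (a failed unban action
# or a rule added by hand): prints the affected addresses, nothing if consistent.
stale_rules() {  # $1 = chain output, $2 = log text
    { active_bans_from_log "$2" | sed 's/^/L /'; banned_ips "$1" | sed 's/^/C /'; } |
        awk '$1 == "L" { ok[$2] = 1 } $1 == "C" && !($2 in ok) { print $2 }'
}

# Non-zero exit if an address you whitelisted in ignoreip is in the chain anyway.
check_not_banned() {  # $1 = chain output, $2 = ip
    if banned_ips "$1" | grep -qxF "$2"; then
        echo "WARNING: whitelisted host $2 is banned" >&2
        return 1
    fi
}

bans_per_jail "$SAMPLE_LOG"
stale_rules "$SAMPLE_CHAIN" "$SAMPLE_LOG"
```

On a real host replace the samples with `iptables -L fail2ban-SSH -n` and the contents of the logtarget file; an address reported by stale_rules is a rule fail2ban no longer tracks and will never unban on its own.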