Saturday, January 6, 2018

how to Install Fail2ban security Tool in centos 6 & comands 

installing fail2ban *****************

1)  CentOS/RHEL 6, 64 Bit x86_64):
    # rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm


2)  # yum install fail2ban

3) cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


4)  # /etc/fail2ban/jail.conf


*********************************************************************************************************************

Basic configurations are listed under the [DEFAULT] heading in the configuration file for fail2ban.
Examples:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3



*******************************************************************************************************************


How to protect SSH/SFTP using fail2ban ?

After the basic settings in conf file, you can find the section for SSH [ssh-iptables]. Update the section and restart the fail2ban service.

Example:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

# service fail2ban restart

*********************************************************************************************************
Protect your FTP server by using fail2ban:

Example:

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
# service fail2ban restart





@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


[[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.101 192.168.1.102
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5


[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[sasl]

enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5/HTML] this is the file I had copied to a text doc. when I checked the file in /etc/fail3ban/jail.local it had a missing part in the front of the file. I fixed it and then restarted it and got this. Is this corect responce after the restart? (Restarting authentication failure monitor: fail2ban) then it ends up at the comand promp.





#######################################################################


/etc/init.d/fail2ban restart




The commands presented above can be executed using:
$ fail2ban-client <COMMAND>
or by typing them in the interactive console available with:
$ fail2ban-client -i

Contents [hide] 
1 BASIC
2 LOGGING
3 DATABASE
4 JAIL CONTROL
5 JAIL CONFIGURATION
6 COMMAND ACTION CONFIGURATION
7 GENERAL ACTION CONFIGURATION
8 JAIL INFORMATION
9 COMMAND ACTION INFORMATION
10 GENERAL ACTION INFORMATION
BASIC
Command  Description
start  starts the server and the jails
reload  reloads the configuration
reload <JAIL>  reloads the jail <JAIL>
stop  stops all jails and terminate the server
status  gets the current status of the server
ping  tests if the server is alive
help  return this output
LOGGING
Command  Description
set loglevel <LEVEL>  sets logging level to <LEVEL>. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
get loglevel  gets the logging level
set logtarget <TARGET>  sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file
get logtarget  gets logging target
flushlogs  flushes the logtarget if a file and reopens it. For log rotation.
DATABASE
Command  Description
set dbfile <FILE>  set the location of fail2ban persistent datastore. Set to "None" to disable
get dbfile  get the location of fail2ban persistent datastore
set dbpurgeage <SECONDS>  sets the max age in <SECONDS> that history of bans will be kept
get dbpurgeage  gets the max age in seconds that history of bans will be kept
JAIL CONTROL
Command  Description
add <JAIL> <BACKEND>  creates <JAIL> using <BACKEND>
start <JAIL>  starts the jail <JAIL>
stop <JAIL>  stops the jail <JAIL>. The jail is removed
status <JAIL>  gets the current status of <JAIL>
JAIL CONFIGURATION
Command  Description
off  sets the idle state of <JAIL>
set <JAIL> addignoreip <IP>  adds <IP> to the ignore list of <JAIL>
set <JAIL> delignoreip <IP>  removes <IP> from the ignore list of <JAIL>
set <JAIL> addlogpath <FILE> ['tail']  adds <FILE> to the monitoring list of <JAIL>, optionally starting at the 'tail' of the file (default 'head').
set <JAIL> dellogpath <FILE>  removes <FILE> from the monitoring list of <JAIL>
set <JAIL> logencoding <ENCODING>  sets the <ENCODING> of the log files for <JAIL>
set <JAIL> addjournalmatch <MATCH>  adds <MATCH> to the journal filter of <JAIL>
set <JAIL> deljournalmatch <MATCH>  removes <MATCH> from the journal filter of <JAIL>
set <JAIL> addfailregex <REGEX>  adds the regular expression <REGEX> which must match failures for <JAIL>
set <JAIL> delfailregex <INDEX>  removes the regular expression at <INDEX> for failregex
set <JAIL> ignorecommand <VALUE>  sets ignorecommand of <JAIL>
set <JAIL> addignoreregex <REGEX>  adds the regular expression <REGEX> which should match pattern to exclude for <JAIL>
set <JAIL> delignoreregex <INDEX>  removes the regular expression at <INDEX> for ignoreregex
set <JAIL> findtime <TIME>  sets the number of seconds <TIME> for which the filter will look back for <JAIL>
set <JAIL> bantime <TIME>  sets the number of seconds <TIME> a host will be banned for <JAIL>
set <JAIL> datepattern <PATTERN>  sets the <PATTERN> used to match date/times for <JAIL>
set <JAIL> usedns <VALUE>  sets the usedns mode for <JAIL>
set <JAIL> banip <IP>  manually Ban <IP> for <JAIL>
set <JAIL> unbanip <IP>  manually Unban <IP> in <JAIL>
set <JAIL> maxretry <RETRY>  sets the number of failures <RETRY> before banning the host for <JAIL>
set <JAIL> maxlines <LINES>  sets the number of <LINES> to buffer for regex search for <JAIL>
set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>]  adds a new action named <NAME> for <JAIL>. Optionally for a Python based action, a <PYTHONFILE> and <JSONKWARGS> can be specified, else will be a Command Action
set <JAIL> delaction <ACT>  removes the action <ACT> from <JAIL>
COMMAND ACTION CONFIGURATION
Command  Description
set <JAIL> action <ACT> actionstart <CMD>  sets the start command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionstop <CMD>  sets the stop command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actioncheck <CMD>  sets the check command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionban <CMD>  sets the ban command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionunban <CMD>  sets the unban command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> timeout <TIMEOUT>  sets <TIMEOUT> as the command timeout in seconds for the action <ACT> for <JAIL>
GENERAL ACTION CONFIGURATION
Command  Description
set <JAIL> action <ACT> <PROPERTY> <VALUE>  sets the <VALUE> of <PROPERTY> for the action <ACT> for <JAIL>
set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>]  calls the <METHOD> with <JSONKWARGS> for the action <ACT> for <JAIL>
JAIL INFORMATION
Command  Description
get <JAIL> logpath  gets the list of the monitored files for <JAIL>
get <JAIL> logencoding  gets the encoding of the log files for <JAIL>
get <JAIL> journalmatch  gets the journal filter match for <JAIL>
get <JAIL> ignoreip  gets the list of ignored IP addresses for <JAIL>
get <JAIL> ignorecommand  gets ignorecommand of <JAIL>
get <JAIL> failregex  gets the list of regular expressions which matches the failures for <JAIL>
get <JAIL> ignoreregex  gets the list of regular expressions which matches patterns to ignore for <JAIL>
get <JAIL> findtime  gets the time for which the filter will look back for failures for <JAIL>
get <JAIL> bantime  gets the time a host is banned for <JAIL>
get <JAIL> datepattern  gets the patern used to match date/times for <JAIL>
get <JAIL> usedns  gets the usedns setting for <JAIL>
get <JAIL> maxretry  gets the number of failures allowed for <JAIL>
get <JAIL> maxlines  gets the number of lines to buffer for <JAIL>
get <JAIL> actions  gets a list of actions for <JAIL>
COMMAND ACTION INFORMATION
Command  Description
get <JAIL> action <ACT> actionstart  gets the start command for the action <ACT> for <JAIL>
get <JAIL> action <ACT> actionstop  gets the stop command for the action <ACT> for <JAIL>
get <JAIL> action <ACT> actioncheck  gets the check command for the action <ACT> for <JAIL>
get <JAIL> action <ACT> actionban  gets the ban command for the action <ACT> for <JAIL>
get <JAIL> action <ACT> actionunban  gets the unban command for the action <ACT> for <JAIL>
get <JAIL> action <ACT> timeout  gets the command timeout in seconds for the action <ACT> for <JAIL>
GENERAL ACTION INFORMATION
Command  Description
get <JAIL> actionproperties <ACT>  gets a list of properties for the action <ACT> for <JAIL>
get <JAIL> actionmethods <ACT>  gets a list of methods for the action <ACT> for <JAIL>
get <JAIL> action <ACT> <PROPERTY>  gets the value of <PROPERTY> for the action <ACT> for <JAIL>
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Installation FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

SELINUX Setting:- Before installations, I recommend turning off SELinux or setting it in permissive mode:- [root@radius ~]# setenforce ...

Popular Posts