Friday, November 9, 2012

Configure fail2ban in Fedora server

If you need to monitor unauthorized login attempts to a Linux server, or be mailed about them, fail2ban is the perfect tool for that purpose. It traces unauthorized access attempts by watching the secure log file and mails a report to the configured email address (root by default).

To install fail2ban, use the yum command:
  • yum -y install fail2ban
Change the configuration settings

The following files need to be configured in order for fail2ban to work properly.

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/action.d/sendmail-whois.conf
  3. /etc/fail2ban/filter.d/sshd.conf

First open the jail.conf file and change the configuration below.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

Add your internal IP range to ignoreip so that your own hosts are never banned.

# "bantime" is the number of seconds that a host is banned.
bantime = 600

The default ban time is 10 minutes; if you want to increase the ban time, change the above setting. The value is in seconds.

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
You can change the maxretry level either here (globally) or in the particular service (jail) section, which you will meet below.

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=chamara@nic.lk, sender=fail2ban@ukusu.nic.lk]
logpath = /var/log/secure
maxretry = 3

In the above settings, enabled should be true, and you should edit dest and sender as needed to enable mail notification. Even if you do not specify mail addresses, the notifications are forwarded to root's mail folder.
Note: If you use a different port or protocol for SSH, change port=ssh and protocol=tcp accordingly.
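To make the effect of ignoreip, bantime and maxretry in the jail above concrete, here is an added Python simulation of the ban decision. It is example code written for this post, not part of fail2ban or its configuration. The sample log lines, the failure regex (a simplification of what filter.d/sshd.conf matches), the findtime window (fail2ban's 600-second default, not shown on this page) and the 10.0.0.0/8 "internal" range in ignoreip are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings mirroring the post; the 10.0.0.0/8 entry is an assumed internal range.
IGNOREIP = ["127.0.0.1", "10.0.0.0/8"]
BANTIME = 600    # seconds a host stays banned
MAXRETRY = 3     # failures before a host gets banned
FINDTIME = 600   # window (seconds) in which failures are counted; fail2ban default, assumed here

# Simplified failure pattern for sshd lines in /var/log/secure.
# This is NOT the real filter.d/sshd.conf failregex, only an illustration of its job.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample of /var/log/secure (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Nov  9 10:00:01 server sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  9 10:00:04 server sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  9 10:00:07 server sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov  9 10:01:00 server sshd[1210]: Failed password for root from 10.1.2.3 port 40000 ssh2
Nov  9 10:01:02 server sshd[1210]: Failed password for root from 10.1.2.3 port 40000 ssh2
Nov  9 10:01:05 server sshd[1210]: Failed password for root from 10.1.2.3 port 40000 ssh2
Nov  9 10:02:00 server sshd[1220]: Failed password for bob from 198.51.100.7 port 42000 ssh2
Nov  9 10:30:00 server sshd[1230]: Failed password for bob from 198.51.100.7 port 42010 ssh2
Nov  9 10:30:03 server sshd[1230]: Failed password for bob from 198.51.100.7 port 42010 ssh2
Nov  9 10:30:06 server sshd[1230]: Accepted password for bob from 198.51.100.7 port 42010 ssh2
"""


def parse_ts(ts, year=2012):
    """syslog timestamps carry no year, so one is supplied."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in IGNOREIP)


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines; return {ip: time_of_ban} for hosts that reach maxretry."""
    recent = {}   # ip -> failure timestamps still inside the findtime window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                      # only failure lines count
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip):
            continue                      # whitelisted by ignoreip
        if ip in bans and t < bans[ip] + timedelta(seconds=bantime):
            continue                      # already banned (iptables would be dropping it)
        window = [x for x in recent.get(ip, []) if t - x <= timedelta(seconds=findtime)]
        window.append(t)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = t                  # the action (iptables + sendmail-whois) fires here
            recent[ip] = []
    return bans


def is_banned(bans, ip, now, bantime=BANTIME):
    """True while the ban for ip is still within bantime."""
    return ip in bans and now < bans[ip] + timedelta(seconds=bantime)


if __name__ == "__main__":
    for ip, when in evaluate(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} banned at {when:%H:%M:%S} for {BANTIME}s")
```

Running it bans only 203.0.113.5: 10.1.2.3 is inside the ignoreip range, and 198.51.100.7 never reaches three failures inside one findtime window, so it is left alone. Ten minutes after the ban starts, is_banned() returns False again, which is what bantime = 600 means.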

In sendmail-whois.conf, comment out the lines below if you do not need the fail2ban service start and stop mails.

#actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# From: Fail2Ban <<sender>>
# To: <dest>\n
# Hi,\n
# The jail <name> has been started successfully.\n
# Regards,\n
# Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
#actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
# From: Fail2Ban <<sender>>
# To: <dest>\n
# Hi,\n
# The jail <name> has been stopped.\n
# Regards,\n
# Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>


In sshd.conf, just go through the file and check that none of its filtering rules would cause unwanted SSH bans.

Enjoy the fail2ban service for SSH.
