Installing fail2ban on CentOS 5

Published: 28 October 2008

In this tutorial I'll show you how to install fail2ban on CentOS.

These are just installation notes and this should not be considered a complete howto.
The fail2ban script runs as a daemon and bans an IP address after too many failed login attempts. We use it for blocking failed login attempts for SSH, ProFTP and Postfix.
Fail2ban is very effective at stopping the brute-force attacks now common to all Internet-connected hosts. We have found it reliable and functional without causing problems.
Installation on CentOS 5
wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
tar -xjvf fail2ban-0.8.1.tar.bz2
cd fail2ban-0.8.1
python setup.py install
Or you can download the RPM for CentOS 5.x from ftp://rpmfind.net/linux/dag/redhat/el5/en/i386/dag/RPMS/fail2ban-0.8.2-2.el5.rf.noarch.rpm and install it:
rpm -ivh fail2ban-0.8.2-2.el5.rf.noarch.rpm
vi /etc/fail2ban/jail.conf
Enable only the sections you need and do them one at a time. We enable SSH and ProFTP (both use /var/log/secure) as well as Postfix.
Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
Installation on SME 7
NEEDS Python 2.4!! (NOT CURRENTLY AVAILABLE)
(SME 7 uses /var/log/messages)
Startup
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
service fail2ban start
Tools
Show failed SSH logins by date:
cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Search for the correct log file:
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog
Configuration
Adjust the following sample configuration files to your needs.

# Fail2Ban jail.local configuration file
################################################
# www.starhost.ro
#
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.
[DEFAULT]
# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling

# The e-mail addresses in the original file were hidden by the site's spam
# cloaking; the example.com addresses below are placeholders to replace with
# your own.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=admin@example.com, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3

[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=admin@example.com, sender=fail2ban@example.com]
logpath = /var/log/maillog
maxretry = 5


# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.starhost.ro
#
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =


# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.starhost.ro
#
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =
[Init]
name = default
dest = root
sender = fail2ban
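To see how the three jail parameters (ignoreip, findtime, maxretry) and the postfix filter's failregex work together, here is a small added example in Python. It is not code from this page or from fail2ban itself: it replays constructed Postfix log lines through the filter patterns above with the <HOST> tag substituted, drops failures older than findtime, skips addresses covered by ignoreip, and reports which hosts would be banned. The log lines, the IP addresses in them and the simplified <HOST> pattern are assumptions of the example.

```python
"""Toy replay of fail2ban's ban decision (added illustration, not fail2ban code).

Shows how ignoreip, findtime and maxretry from jail.local combine with the
postfix filter's failregex (<HOST> substituted) to decide on a ban.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail parameters, with the same meaning as in jail.local.
IGNOREIP = ["127.0.0.1", "192.245.12.0/24"]   # subset of the page's ignoreip
FINDTIME = 600      # seconds
MAXRETRY = 3        # the [DEFAULT] value; the postfix jail overrides it to 5

# Simplified stand-in for what fail2ban expands <HOST> to (assumption:
# IPv4 address or hostname only).
HOST_RE = r"(?P<host>[\w\-.^_]+)"

# The three patterns from filter.d/postfix.local with <HOST> substituted.
POSTFIX_FAILREGEX = [
    re.compile(p.replace("<HOST>", HOST_RE))
    for p in (
        r"reject: RCPT from (.*)\[<HOST>\]: 554",
        r"reject: RCPT from (.*)\[<HOST>\]: 550",
        r"reject: RCPT from (.*)\[<HOST>\]: 450",
    )
]

# Constructed /var/log/maillog lines (addresses are documentation ranges).
SAMPLE_MAILLOG = """\
Oct 28 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <spam@example.net>: Relay access denied
Oct 28 10:01:10 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.com>: User unknown
Oct 28 10:02:30 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname
Oct 28 10:02:45 mail postfix/smtpd[2104]: NOQUEUE: reject: RCPT from office[192.245.12.7]: 554 5.7.1 Relay access denied
Oct 28 10:02:50 mail postfix/smtpd[2105]: NOQUEUE: reject: RCPT from office[192.245.12.7]: 554 5.7.1 Relay access denied
Oct 28 10:02:55 mail postfix/smtpd[2106]: NOQUEUE: reject: RCPT from office[192.245.12.7]: 554 5.7.1 Relay access denied
Oct 28 10:05:00 mail postfix/smtpd[2107]: NOQUEUE: reject: RCPT from relay[198.51.100.9]: 550 5.1.1 User unknown
Oct 28 10:20:00 mail postfix/smtpd[2108]: NOQUEUE: reject: RCPT from relay[198.51.100.9]: 550 5.1.1 User unknown
Oct 28 10:35:00 mail postfix/smtpd[2109]: NOQUEUE: reject: RCPT from relay[198.51.100.9]: 550 5.1.1 User unknown
Oct 28 10:40:00 mail postfix/smtpd[2110]: connect from relay[198.51.100.9]
"""


def parse_line(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    for rx in POSTFIX_FAILREGEX:
        m = rx.search(line)
        if m:
            # syslog timestamp: "Mon DD HH:MM:SS" is the first 15 characters
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def is_ignored(host):
    """True if host falls inside any ignoreip entry (IP addresses only)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # assumption: hostnames are not matched against ignoreip
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order; return {host: time of ban} for banned hosts."""
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host) or host in banned:
            continue
        window = failures[host]
        window.append(ts)
        # forget failures older than findtime seconds relative to this one
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_MAILLOG.splitlines()).items():
        print("ban %s at %s" % (host, when.strftime("%H:%M:%S")))
```

With the sample above, 203.0.113.5 is banned at its third rejection (three hits inside 150 seconds), 192.245.12.7 is never banned because it is covered by ignoreip, and 198.51.100.9 escapes even though it also fails three times, since its failures are 15 minutes apart and fall outside the 600-second findtime window. Raising maxretry to 5, as the postfix jail does, produces no ban at all for this log.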

Note:

We use hosting and VPS hosting from www.star-host.org.

We like and trust them.

Good prices, high security.