Настройка fail2ban для защиты ssh,proftpd,exim,postfix,dovecot на Centos.

Ноябрь 6th, 2013

Evgeniy Kamenev

Установка fail2ban

# yum install fail2ban

1	# yum install fail2ban

1.Настройка конфигурационного файла fail2ban

# grep -v -E '(\#|^$)' /etc/fail2ban/fail2ban.conf

1	# grep -v -E '(\#\|^$)' /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400

[Definition]

loglevel = INFO

logtarget = /var/log/fail2ban.log

syslogsocket = auto

socket = /var/run/fail2ban/fail2ban.sock

pidfile = /var/run/fail2ban/fail2ban.pid

dbfile = /var/lib/fail2ban/fail2ban.sqlite3

dbpurgeage = 86400

2.Настройка Fail2ban для мониторинга логов

# grep -v -E '(\#|^$)' /etc/fail2ban/jail.conf

1	# grep -v -E '(\#\|^$)' /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 159.224.XXX.YYY
ignorecommand =
bantime  = 86400
findtime  = 7200
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = myuser@mydomain.com
sender = root@mydomain.com
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s

### SSH
[sshd - iptables]
port = 2200
logpath  = /var/log/secure
maxretry = 3
enabled  = true
filter   = sshd
action = %(action_mwl)s
bantime  = 86400
findtime  = 3600
maxretry = 3

### ProFTPD
[proftpd-iptables]
port     = ftp,ftp-data,ftps,ftps-data
enabled  = true
filter   = proftpd
action = %(action_mwl)s
#action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
#          sendmail-whois[name=ProFTPD, dest=myname@mydomain.com, sender=root@mydomain.com]
logpath  = /var/log/proftpd/proftpd.log
bantime  = 86400
findtime  = 3600
maxretry = 3

###  Exim
[exim-iptables]
port   = smtp,465,submission
enabled  = true
filter   = exim
action = %(action_mwl)s
# action   =  iptables-multiport[name=Exim, port="smtp,smtps,submission", protocol=tcp]
#           sendmail-whois[name=Exim, dest= myname@mydomain.com, sender=root@mydomain.com]
logpath  = /var/log/exim/mainlog
bantime  = 86400
#bantime  = -1 # блокировка навсегда
findtime  = 3600
maxretry = 3

### Dovecot
[dovecot-iptables]
port   = pop3,pop3s,imap,imaps
enabled  = true
filter   = dovecot
action = %(action_mwl)s
# Необходимо указать файл,в котором логируются попытки аутентификации для Dovecot
logpath  = /var/log/secure
#logpath  = /var/log/maillog
#logpath  = /var/log/dovecot.log
bantime  = 86400
findtime  = 3600
maxretry = 3

### Postfix
[postfix-sasl]
enabled = true
port     = smtp,465,submission
logpath  = /var/log/maillog
filter   = postfix-sasl
action = %(action_mwl)s
#action   = iptables[name=postfix-sasl, port=smtp,smtps,submission protocol=tcp]
#           sendmail-whois[name=postfix-sasl, dest=myname@mydomain.com, sender=root@mydomain.com]
bantime  = 604800
findtime  = 3600
maxretry = 3

[postfix-iptables]
enabled = true
port     = smtp,465,submission
logpath = /var/log/maillog
filter = postfix
action = %(action_mwl)s
#action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]
#        sendmail[name=Postfix-smtp, dest=myname@mydomain.com, sender=root@mydomain.com]
logpath = /var/log/maillog
bantime = 604800
maxretry = 3
findtime = 3600

100

101

102

103

104

105

106

107

108

109

[INCLUDES]

before = paths-fedora.conf

[DEFAULT]

ignoreip = 127.0.0.1/8 159.224.XXX.YYY

ignorecommand =

bantime = 86400

findtime = 7200

maxretry = 5

backend = auto

usedns = warn

logencoding = auto

enabled = false

filter = %(__name__)s

destemail = myuser@mydomain.com

sender = root@mydomain.com

mta = sendmail

protocol = tcp

chain = INPUT

port = 0:65535

banaction = iptables-multiport

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

action = %(action_)s

### SSH

[sshd - iptables]

port = 2200

logpath = /var/log/secure

maxretry = 3

enabled = true

filter = sshd

action = %(action_mwl)s

bantime = 86400

findtime = 3600

maxretry = 3

### ProFTPD

[proftpd-iptables]

port = ftp,ftp-data,ftps,ftps-data

enabled = true

filter = proftpd

action = %(action_mwl)s

#action = iptables[name=ProFTPD, port=ftp, protocol=tcp]

# sendmail-whois[name=ProFTPD, dest=myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/proftpd/proftpd.log

bantime = 86400

findtime = 3600

maxretry = 3

### Exim

[exim-iptables]

port = smtp,465,submission

enabled = true

filter = exim

action = %(action_mwl)s

# action = iptables-multiport[name=Exim, port="smtp,smtps,submission", protocol=tcp]

# sendmail-whois[name=Exim, dest= myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/exim/mainlog

bantime = 86400

#bantime = -1 # блокировка навсегда

findtime = 3600

maxretry = 3

### Dovecot

[dovecot-iptables]

port = pop3,pop3s,imap,imaps

enabled = true

filter = dovecot

action = %(action_mwl)s

# Необходимо указать файл,в котором логируются попытки аутентификации для Dovecot

logpath = /var/log/secure

#logpath = /var/log/maillog

#logpath = /var/log/dovecot.log

bantime = 86400

findtime = 3600

maxretry = 3

### Postfix

[postfix-sasl]

enabled = true

port = smtp,465,submission

logpath = /var/log/maillog

filter = postfix-sasl

action = %(action_mwl)s

#action = iptables[name=postfix-sasl, port=smtp,smtps,submission protocol=tcp]

# sendmail-whois[name=postfix-sasl, dest=myname@mydomain.com, sender=root@mydomain.com]

bantime = 604800

findtime = 3600

maxretry = 3

[postfix-iptables]

enabled = true

port = smtp,465,submission

logpath = /var/log/maillog

filter = postfix

action = %(action_mwl)s

#action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]

# sendmail[name=Postfix-smtp, dest=myname@mydomain.com, sender=root@mydomain.com]

logpath = /var/log/maillog

bantime = 604800

maxretry = 3

findtime = 3600

3.Настройка Fail2ban фильтров для мониторинга логов
Будем использовать все штатные фильтры, которые поставляются в комплекте с fail2ban

SSH

# nano /etc/fail2ban/filter.d/sshd.conf

1	# nano /etc/fail2ban/filter.d/sshd.conf

[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
ignoreregex =

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$

^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$

^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ $serial \d+$ CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$

^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$

^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$

^%(__prefix_line)srefused connect from \S+ $<HOST>$\s*$

^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$

^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$

^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$

^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$

^%(__prefix_line)spam_unix$sshd:auth$:\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$

ignoreregex =

ProFTPD

# nano /etc/fail2ban/filter.d/proftpd.conf

1	# nano /etc/fail2ban/filter.d/proftpd.conf

[Definition]
_daemon = proftpd
__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit ($

failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
ignoreregex =

[Definition]

_daemon = proftpd

failregex = ^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ USER .* $Login failed$: %(__suffix_failed_login)s\s*$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ SECURITY VIOLATION: .* login attempted\. *$

^%(__prefix_line)s%(__hostname)s $\S+\[<HOST>\]$[: -]+ Maximum login attempts $\d+$ exceeded *$

ignoreregex =

Exim

# nano /etc/fail2ban/filter.d/exim.conf

1	# nano /etc/fail2ban/filter.d/exim.conf

[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
ignoreregex =

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$

^%(pid)s \w+ authenticator failed for (\S+ )?$\S+$ \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( $set_id=.*$|: \d+ Time\(s$

^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$

^%(pid)s SMTP protocol synchronization error $[^)]*$: rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$

^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands $last was "\S+"$\s*$

ignoreregex =

Dovecot

# nano /etc/fail2ban/filter.d/dovecot.conf

1	# nano /etc/fail2ban/filter.d/dovecot.conf

 [Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disab$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying aut$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
ignoreregex =

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s($dovecot:auth$)?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\$

^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disab$

^%(__prefix_line)s(Info|dovecot: auth$default$|auth-worker$\d+$): pam$\S+,<HOST>$: pam_authenticate failed: (User not known to the underlying aut$

^%(__prefix_line)s(auth|auth-worker$\d+$): (pam|passwd-file)$\S+,<HOST>$: unknown user\s*$

ignoreregex =

Postfix

# nano /etc/fail2ban/filter.d/postfix-sasl.conf

1	# nano /etc/fail2ban/filter.d/postfix-sasl.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex =

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex =

# nano /etc/fail2ban/filter.d/postfix.conf

1	# nano /etc/fail2ban/filter.d/postfix.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
ignoreregex =

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$

^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$

^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

ignoreregex =

4.Проверка работы фильтра

# fail2ban-regex --print-all-match /var/log/secure   /etc/fail2ban/filter.d/sshd.conf

1	# fail2ban-regex --print-all-match /var/log/secure /etc/fail2ban/filter.d/sshd.conf

# fail2ban-regex --print-all-match /var/log/proftpd/proftpd.log   /etc/fail2ban/filter.d/proftpd.conf

1	# fail2ban-regex --print-all-match /var/log/proftpd/proftpd.log /etc/fail2ban/filter.d/proftpd.conf

# fail2ban-regex --print-all-match /var/log/exim/mainlog   /etc/fail2ban/filter.d/exim.conf

1	# fail2ban-regex --print-all-match /var/log/exim/mainlog /etc/fail2ban/filter.d/exim.conf

# fail2ban-regex --print-all-match /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

1	# fail2ban-regex --print-all-match /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

# fail2ban-regex --print-all-match /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

1	# fail2ban-regex --print-all-match /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

5.Запуск,проверка запуска, добавление в автозагрузку

# /etc/init.d/fail2ban start

1	# /etc/init.d/fail2ban start

# ps ax | grep [f]ail2ban

1	# ps ax \| grep [f]ail2ban

# chkconfig --level 2345 fail2ban on

1	# chkconfig --level 2345 fail2ban on

Просмотр лога

# tail -f /var/log/fail2ban.log

1	# tail -f /var/log/fail2ban.log

6.Просмотр существующих Jail

# fail2ban-client status

1	# fail2ban-client status

7.Детальный просмотр конкретного Jail, например proftpd-iptables

# fail2ban-client status proftpd-iptables

1	# fail2ban-client status proftpd-iptables

8.Разблокировка требуемого IP-адреса в указанном Jail,например в proftpd-iptables

# fail2ban-client set proftpd-iptables unbanip <IP-address>

1	# fail2ban-client set proftpd-iptables unbanip <IP-address>

Проверка отсутствия адреса в iptables

# iptables -S | grep <IP-address>

1	# iptables -S \| grep <IP-address>

9. Блокировка требуемого IP-адреса в указанном Jail

# fail2ban-client set proftpd-iptables banip <IP-address>

1	# fail2ban-client set proftpd-iptables banip <IP-address>

Проверка наличия адреса в iptables

# iptables -S | grep <IP-address>

1	# iptables -S \| grep <IP-address>

10.Настройка ротации файла /var/log/fail2ban.log

# nano /etc/logrotate.d/fail2ban

1	# nano /etc/logrotate.d/fail2ban

/var/log/fail2ban.log {
    rotate 7
    daily
    dateext
    missingok
    notifempty
    compress
    postrotate
      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
    endscript
}

/var/log/fail2ban.log {

rotate 7

daily

dateext

missingok

notifempty

compress

postrotate

/usr/bin/fail2ban-client flushlogs 1>/dev/null || true

endscript

}

Опубликовано в рубрике Centos, Security

Метки: dovecot, Exim, fail2ban, postfix, Proftpd, security, ssh

Комментирование и размещение ссылок запрещено.

Комментарии закрыты.

Настройка fail2ban для защиты ssh,proftpd,exim,postfix,dovecot на Centos.

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель