start:howto:fail2ban [2015/06/15 14:19] ninos [jail.local] |
start:howto:fail2ban [2016/09/17 15:12] (current) flames [jail.local] |
Line 10: | Line 10: | ||
First we need to install fail2ban via aptitude | First we need to install fail2ban via aptitude | ||
- | <konsole root> | + | |
- | # aptitude update | + | # aptitude update && aptitude install fail2ban |
- | # aptitude install fail2ban | + | |
- | </konsole> | + | |
===== Configuration ===== | ===== Configuration ===== | ||
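Review bot: the replacement line `# aptitude update && aptitude install fail2ban` is no longer inside any code block; the `<konsole root>` wrapper was removed without a `<code>` substitute, so the command will render as ordinary wiki text with a stray `#`. Wrap it in `<code>` ... `</code>`, the convention this same revision adopts for the filter files further down, so the prompt and the `&&` chaining (install only runs if the update succeeds) stay readable as a command.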
Line 168: | Line 166: | ||
enabled = true | enabled = true | ||
- | port = http,https | + | port = 8080,4443 |
- | filter = nginx-auth | + | filter = nginx-http-auth |
logpath = /var/log/nginx/*error.log | logpath = /var/log/nginx/*error.log | ||
maxretry = 6 | maxretry = 6 | ||
- | |||
- | # default action is now multiport, so apache-multiport jail was left | ||
- | # for compatibility with previous (<0.7.6-2) releases | ||
- | [imscp-multiport] | ||
- | |||
- | enabled = true | ||
- | port = http,https | ||
- | filter = nginx-auth | ||
- | logpath = /var/log/nginx/*error.log | ||
- | maxretry = 6 | ||
- | |||
- | [imscp-noscript] | ||
- | |||
- | enabled = true | ||
- | port = http,https | ||
- | filter = nginx-noscript | ||
- | logpath = /var/log/nginx/*error.log | ||
- | maxretry = 6 | ||
- | |||
- | [imscp-overflows] | ||
- | |||
- | enabled = true | ||
- | port = http,https | ||
- | filter = nginx-overflows | ||
- | logpath = /var/log/nginx/*error.log | ||
- | maxretry = 2 | ||
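Review bot: `port = 8080,4443` replaces the service names `http,https` with two fixed numbers, which narrows the ban to those ports only; if nginx on the host also answers on 80/443 the jail still fires but the ban does not cover the ports an attacker is actually using. Either keep `http,https` in the list as well or add a comment stating that this assumes the i-MSCP nginx listener is on 8080/4443. The same hunk silently drops the `[imscp-multiport]`, `[imscp-noscript]` and `[imscp-overflows]` jails (the last with its stricter `maxretry = 2`) without a word on why; readers who copied the previous revision will have those jails in their jail.local, so one sentence on whether the `nginx-noscript` and `nginx-overflows` filters are still expected to exist would avoid confusion.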
Line 210: | Line 182: | ||
filter = proftpd | filter = proftpd | ||
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
+ | maxretry = 6 | ||
+ | |||
+ | |||
+ | [vsftpd] | ||
+ | |||
+ | enabled = true | ||
+ | port = ftp,ftp-data,ftps,ftps-data | ||
+ | filter = vsftpd-fixed | ||
+ | logpath = /var/log/vsftpd.log | ||
maxretry = 6 | maxretry = 6 | ||
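Review bot: the new `[vsftpd]` jail sets `logpath = /var/log/vsftpd.log` and `filter = vsftpd-fixed`, but nothing in this hunk tells the reader that vsftpd only writes that file when `dual_log_enable=YES` is configured; fail2ban will not start a jail whose logpath does not exist, so that prerequisite belongs here next to the jail, not only as a comment inside the filter file added later in the revision. Likewise the filter name requires a `filter.d/vsftpd-fixed.conf`, which is created in a later hunk; keep the two changes together so an intermediate copy of jail.local does not reference a missing filter.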
Line 224: | Line 205: | ||
enabled = true | enabled = true | ||
- | port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s | + | port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s |
filter = dovecot | filter = dovecot | ||
logpath = /var/log/mail.log | logpath = /var/log/mail.log | ||
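Review bot: adding `submission` to the dovecot port list is sensible, but note that every entry here (`smtp`, `ssmtp`, `imap2`, `imap3`, ...) is a service name that the ban action resolves through /etc/services at ban time; a name missing on the target system makes the ban command fail rather than the jail start, which is easy to miss. A comment saying the names are taken from Debian's /etc/services, or numeric ports for the less common ones, would make that dependency explicit.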
Line 239: | Line 220: | ||
[roundcube] | [roundcube] | ||
enabled = true | enabled = true | ||
- | port = http,https | + | port = 8080,4443 |
filter = roundcube | filter = roundcube | ||
logpath = /var/www/imscp/gui/public/tools/webmail/logs/errors | logpath = /var/www/imscp/gui/public/tools/webmail/logs/errors | ||
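Review bot: same concern as in the nginx jail above: `port = 8080,4443` narrows the ban for roundcube to two numeric ports. Whatever ports are chosen should be consistent across the nginx, roundcube and rainloop jails and documented once, rather than repeated as unexplained numbers in each jail.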
Line 246: | Line 227: | ||
[rainloop] | [rainloop] | ||
enabled = true | enabled = true | ||
- | port = http,https | + | port = 8080,4443 |
filter = rainloop | filter = rainloop | ||
logpath = /var/log/nginx/*access.log | logpath = /var/log/nginx/*access.log | ||
maxretry = 6 | maxretry = 6 | ||
+ | |||
+ | </code> | ||
+ | |||
+ | ==== nginx-http-auth.conf ==== | ||
+ | |||
+ | Please check if the file **/etc/fail2ban/filter.d/nginx-http-auth.conf** is available. | ||
+ | If not, please create the file with the following content: | ||
+ | |||
+ | <code> | ||
+ | # fail2ban filter configuration for nginx | ||
+ | |||
+ | |||
+ | [Definition] | ||
+ | |||
+ | |||
+ | failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | # DEV NOTES: | ||
+ | # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files | ||
+ | # Extensive search of all nginx auth failures not done yet. | ||
+ | # | ||
+ | # Author: Daniel Black | ||
</code> | </code> | ||
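Review bot: the `failregex` in the new `nginx-http-auth.conf` is anchored at `host: "\S+"\s*$`, so any error line that carries additional fields after the `host:` entry will not match, and the filter's own DEV NOTES say an extensive search of nginx auth failures has not been done; the instruction text should therefore tell readers to validate the filter with `fail2ban-regex` against their real error log (the Test & Debug section below already shows the command). The lead-in correctly says to create the file only if it is not already available; make it explicit that an existing packaged `nginx-http-auth.conf` should not be overwritten with this copy.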
Line 281: | Line 286: | ||
---- | ---- | ||
- | |||
- | Now restart fail2ban and test if all is working: | ||
- | |||
- | <konsole root> | ||
- | # service fail2ban restart | ||
- | </konsole> | ||
- | |||
==== rainloop.conf ==== | ==== rainloop.conf ==== | ||
Line 317: | Line 315: | ||
---- | ---- | ||
- | Now restart fail2ban and test if all is working: | + | Restart fail2ban and test if all is working: |
- | <konsole root> | ||
# service fail2ban restart | # service fail2ban restart | ||
- | </konsole> | + | |
+ | |||
+ | ===== vsftpd ===== | ||
+ | |||
+ | Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file: | ||
+ | |||
+ | <code> | ||
+ | # Fail2Ban filter for vsftp | ||
+ | # | ||
+ | # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch | ||
+ | # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the | ||
+ | # incoming ip address rather than domain names. | ||
+ | |||
+ | [INCLUDES] | ||
+ | |||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | __pam_re=\(?pam_unix(?:\(\S+\))?\)?:? | ||
+ | _daemon = vsftpd | ||
+ | |||
+ | failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ | ||
+ | ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$ | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | # Version from fail2ban wiki does't work, fixed version | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Restart fail2ban and test if all is working: | ||
+ | |||
+ | |||
+ | # service fail2ban restart | ||
===== Test & Debug ===== | ===== Test & Debug ===== | ||
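Review bot: the two `# service fail2ban restart` lines in this hunk lost their `<konsole root>` wrapper and got no `<code>` block in return, so both now render as plain text; wrap them the same way the filter file is wrapped. In the vsftpd filter, the second `failregex` line requires the literal `::ffff:` prefix before `<HOST>`, so only IPv4-mapped IPv6 client addresses are matched and a plain IPv4 client logged without that prefix is ignored; making the prefix optional with `(?:::ffff:)?<HOST>` would cover both forms. Two smaller points: the new section heading uses `===== vsftpd =====` while every other filter on the page uses a `==== name.conf ====` level-3 heading, and the closing comment has a typo ("does't").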
Line 327: | Line 361: | ||
To test your current config use fail2ban-regex. Here an example for dovecot: | To test your current config use fail2ban-regex. Here an example for dovecot: | ||
- | <konsole root> | ||
# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | ||
- | </konsole> | ||
===== Links ===== | ===== Links ===== | ||
Fail2ban offical website --> [[http://www.fail2ban.org]] | Fail2ban offical website --> [[http://www.fail2ban.org]] |
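Review bot: the `fail2ban-regex` command here also lost its `<konsole root>` wrapper without a replacement code block, so it will render as prose; wrap it in `<code>` like the rest of the revision. The unchanged Links line still reads "offical" (should be "official").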