start:howto:fail2ban
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
start:howto:fail2ban [2015/09/28 15:33] mrpink [jail.local] |
start:howto:fail2ban [2016/09/17 15:12] (current) flames [jail.local] |
||
|---|---|---|---|
| Line 10: | Line 10: | ||
| First we need to install fail2ban via aptitude | First we need to install fail2ban via aptitude | ||
| - | <konsole root> | + | |
| - | # aptitude update | + | # aptitude update && aptitude install fail2ban |
| - | # aptitude install fail2ban | + | |
| - | </konsole> | + | |
| ===== Configuration ===== | ===== Configuration ===== | ||
| Line 184: | Line 182: | ||
| filter = proftpd | filter = proftpd | ||
| logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
| + | maxretry = 6 | ||
| + | |||
| + | |||
| + | [vsftpd] | ||
| + | |||
| + | enabled = true | ||
| + | port = ftp,ftp-data,ftps,ftps-data | ||
| + | filter = vsftpd-fixed | ||
| + | logpath = /var/log/vsftpd.log | ||
| maxretry = 6 | maxretry = 6 | ||
| Line 224: | Line 231: | ||
| logpath = /var/log/nginx/*access.log | logpath = /var/log/nginx/*access.log | ||
| maxretry = 6 | maxretry = 6 | ||
| + | |||
| + | </code> | ||
| + | |||
| + | ==== nginx-http-auth.conf ==== | ||
| + | |||
| + | Please check if the file **/etc/fail2ban/filter.d/nginx-http-auth.conf** is available. | ||
| + | If not, please create the file with the following content: | ||
| + | |||
| + | <code> | ||
| + | # fail2ban filter configuration for nginx | ||
| + | |||
| + | |||
| + | [Definition] | ||
| + | |||
| + | |||
| + | failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ | ||
| + | |||
| + | ignoreregex = | ||
| + | |||
| + | # DEV NOTES: | ||
| + | # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files | ||
| + | # Extensive search of all nginx auth failures not done yet. | ||
| + | # | ||
| + | # Author: Daniel Black | ||
| </code> | </code> | ||
| Line 255: | Line 286: | ||
| ---- | ---- | ||
| - | |||
| - | Now restart fail2ban and test if all is working: | ||
| - | |||
| - | <konsole root> | ||
| - | # service fail2ban restart | ||
| - | </konsole> | ||
| - | |||
| ==== rainloop.conf ==== | ==== rainloop.conf ==== | ||
| Line 291: | Line 315: | ||
| ---- | ---- | ||
| - | Now restart fail2ban and test if all is working: | + | Restart fail2ban and test if all is working: |
| - | <konsole root> | ||
| # service fail2ban restart | # service fail2ban restart | ||
| - | </konsole> | + | |
| + | |||
| + | ===== vsftpd ===== | ||
| + | |||
| + | Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file: | ||
| + | |||
| + | <code> | ||
| + | # Fail2Ban filter for vsftp | ||
| + | # | ||
| + | # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch | ||
| + | # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the | ||
| + | # incoming ip address rather than domain names. | ||
| + | |||
| + | [INCLUDES] | ||
| + | |||
| + | before = common.conf | ||
| + | |||
| + | [Definition] | ||
| + | |||
| + | __pam_re=\(?pam_unix(?:\(\S+\))?\)?:? | ||
| + | _daemon = vsftpd | ||
| + | |||
| + | failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ | ||
| + | ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$ | ||
| + | |||
| + | ignoreregex = | ||
| + | |||
| + | # Version from fail2ban wiki does't work, fixed version | ||
| + | </code> | ||
| + | |||
| + | ---- | ||
| + | |||
| + | Restart fail2ban and test if all is working: | ||
| + | |||
| + | |||
| + | # service fail2ban restart | ||
| ===== Test & Debug ===== | ===== Test & Debug ===== | ||
| Line 301: | Line 361: | ||
| To test your current config use fail2ban-regex. Here an example for dovecot: | To test your current config use fail2ban-regex. Here an example for dovecot: | ||
| - | <konsole root> | ||
| # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | ||
| - | </konsole> | ||
| ===== Links ===== | ===== Links ===== | ||
| Fail2ban offical website --> [[http://www.fail2ban.org]] | Fail2ban offical website --> [[http://www.fail2ban.org]] | ||
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/start/howto/fail2ban.1443454422.txt.gz · Last modified: 2015/09/28 15:33 by mrpink
