Difference between revisions of "Fail2Ban"
(Replaced content with 'Fail2Ban installation') |
m |
||
| Line 1: | Line 1: | ||
= About = | |||
Fail2Ban is a small program which scans log files real-time and takes actions when hacking attempts are detected. More information about Fail2Ban can be found [http://en.wikipedia.org/wiki/Fail2ban here] | |||
<br><br> | |||
==Protected services== | |||
Kolmisoft has implemented protection for these services: | |||
* Asterisk - protects from brute-force registration attacks | |||
* Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/PhpMyAdmin (correct end with Kolmisoft software is "phpmyadmin") | |||
* SSH - protects from brute-force attacks. | |||
<br><br> | |||
==Installation== | |||
[[Fail2Ban installation]] | [[Fail2Ban installation]] | ||
<br><br> | |||
==Custom modifications== | |||
Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them. | |||
If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com | |||
<br><br> | |||
===Modifying existing rules=== | |||
All filters are enabled/disabled in /etc/fail2ban/jail.conf | |||
To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf: | |||
bad patterns are specified at failregex variable as following: | |||
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password | |||
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register | |||
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found | |||
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch | |||
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL | |||
NOTICE.* <HOST> failed to authenticate as '.*'$ | |||
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) | |||
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) | |||
NOTICE.* .*: Failed to authenticate user .*@<HOST>.* | |||
you can add here your own. | |||
<br><br> | |||
'''Testing changes''' | |||
You can test your new rules using fail2ban-regex tool as following: | |||
fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf | |||
This tool will show you how many matches were found and what regexp's were used. | |||
'''Moving changes to production''' | |||
Restart fail2ban: | |||
/etc/init.d/fail2ban restart | |||
Revision as of 05:48, 21 October 2011
About
Fail2Ban is a small program which scans log files real-time and takes actions when hacking attempts are detected. More information about Fail2Ban can be found here
Protected services
Kolmisoft has implemented protection for these services:
- Asterisk - protects from brute-force registration attacks
- Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/PhpMyAdmin (correct end with Kolmisoft software is "phpmyadmin")
- SSH - protects from brute-force attacks.
Installation
Custom modifications
Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them.
If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com
Modifying existing rules
All filters are enabled/disabled in /etc/fail2ban/jail.conf
To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf:
bad patterns are specified at failregex variable as following:
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
you can add here your own.
Testing changes
You can test your new rules using fail2ban-regex tool as following:
fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf
This tool will show you how many matches were found and what regexp's were used.
Moving changes to production
Restart fail2ban:
/etc/init.d/fail2ban restart
