Fail2Ban

From Kolmisoft Wiki
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

About

Fail2Ban is a small program which scans log files real-time and takes actions when hacking attempts are detected. More information about Fail2Ban can be found here

Protected services

Kolmisoft has implemented protection for these services:

  • Asterisk - protects from brute-force registration attacks
  • Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/MorAdmin (correct end with Kolmisoft software is "moradmin") - Coming soon.
  • SSH - protects from brute-force attacks.



Installation

Fail2Ban installation

Custom modifications

Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them.

If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com



Modifying existing rules

All filters are enabled/disabled in /etc/fail2ban/jail.conf


To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf:

bad patterns are specified at failregex variable as following: 

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


you can add here your own.

Testing changes

You can test your new rules using fail2ban-regex tool as following: 

fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf

This tool will show you how many matches were found and what regexp's were used.


Moving changes to production

Restart fail2ban: 

service fail2ban restart



Extending Fail2Ban configuration

Extending Fail2Ban configuration

See also

Retrieved from "https://wiki.kolmisoft.com/index.php?title=Fail2Ban&oldid=23900"