Difference between revisions of "Fail2Ban"

From Kolmisoft Wiki
 
(10 intermediate revisions by 4 users not shown)
Previous revision (wikitext of the older version; only the passages that the later revisions replaced are shown here, the current text is rendered below):

=Fail2Ban=
==What is a Fail2Ban?==
Fail2Ban is an intrusion prevention framework; it protects your SIP devices from brute-force registration attacks.

=How can I install Fail2Ban?=
Just run the script /usr/src/mor/sh_scripts/fail2ban_install_vX.sh, where X is the script version number, to install this software.
 /usr/src/mor/sh_scripts/fail2ban_install_vX.sh

==How Fail2Ban works?==
Fail2Ban checks the Asterisk log /var/log/asterisk/messages and counts unsuccessful SIP registration attempts. When it counts to 5, it bans the abusive host for a specified amount of time (600 seconds by default).

These settings can be adjusted in /etc/fail2ban/jail.conf:

 [asterisk-iptables]
 enabled  = true
 filter  = asterisk
 action  = iptables-allports[name=ASTERISK, port=5060, protocol=udp]
 logpath  = /var/log/asterisk/messages
 maxretry = 5
 bantime = 600

'''maxretry''' - maximum number of retries allowed

'''bantime''' - ban time in seconds

You will also find a section [DEFAULT] in jail.conf. Its variable ignoreip is where the MOR install script places addresses that are ignored and will never be banned. Add further addresses here if you need to.

 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
 ignoreip = 192.168.0.1/16 10.0.0.0/8 127.0.0.1/8 172.16.0.0/12 213.197.141.162  192.168.0.158

'''213.197.141.162 is the address of KolmiSoft support office. Please leave it here.'''

See also (links from the current revision):

* [[Fail2Ban_installation|Fail2Ban installation]]
* [http://www.fail2ban.org/wiki/index.php/Whitelist Whitelist IP for Fail2Ban]
* [[How_to_be_secure_using_MOR|How to be secure using MOR]]

Latest revision as of 15:16, 13 October 2018

About

Fail2Ban is a small program which scans log files in real time and takes action when hacking attempts are detected. More information about Fail2Ban can be found on Wikipedia: http://en.wikipedia.org/wiki/Fail2ban

Protected services

Kolmisoft has implemented protection for these services:

  • Asterisk - protects from brute-force registration attacks.
  • Apache - protects from scanning bots that try to access non-existent addresses, for example http://YOUR_IP/MorAdmin (with Kolmisoft software the correct path ends in "moradmin") - Coming soon.
  • SSH - protects from brute-force attacks.



Installation

Fail2Ban installation

Custom modifications

Remember to keep backups of your custom modifications to Fail2Ban, as the automated installation/update/upgrade scripts can overwrite them.

If you have suggestions on how the Fail2Ban rules can be extended, please write to mindaugas.mardosas@kolmisoft.com



Modifying existing rules

All filters are enabled and disabled in /etc/fail2ban/jail.conf.


To extend an existing filter, open the required file in /etc/fail2ban/filter.d. As an example, take /etc/fail2ban/filter.d/asterisk.conf:

The log patterns that count as failed attempts are listed in the failregex variable; <HOST> marks the part of the line that Fail2Ban treats as the offending address:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


You can add your own patterns here.

Testing changes

You can test your new rules with the fail2ban-regex tool:

fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf

This tool shows how many lines matched and which regular expressions produced the matches.
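As an added example (not code from the Kolmisoft page or the fail2ban project), the Python script below applies the nine failregex lines above to a few constructed Asterisk log lines and counts hits per host the way the jail does, honouring maxretry and an ignoreip list like the one in the earlier revision's [DEFAULT] section. The names match_host, hosts_to_ban and SAMPLE_LOG are the example's own, and HOST_RE is a simplified stand-in for fail2ban's <HOST> expansion, so fail2ban-regex against your real log remains the authoritative check; one constructed line carries a :5060 port suffix after the address, which none of these patterns match, and the script reports it as unmatched rather than silently counting nothing.

```python
import ipaddress
import re
from collections import defaultdict
# The failregex block shown above (/etc/fail2ban/filter.d/asterisk.conf), verbatim.
FAILREGEX = r"""
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
"""
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real one also prefixes a timestamp pattern and accepts IPv6-mapped addresses).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"
PATTERNS = [re.compile(l.replace("<HOST>", HOST_RE)) for l in FAILREGEX.strip().splitlines()]
def match_host(line):
    """Return the host a line attributes the failure to, or None when no failregex matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=5, ignoreip=("127.0.0.1/8", "192.168.0.0/16")):
    """Count matches per host the way the jail does; return hosts that reached maxretry."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    counts = defaultdict(int)
    for line in lines:
        host = match_host(line)
        if host is None:
            continue
        try:
            if any(ipaddress.ip_address(host) in n for n in nets):
                continue      # whitelisted through ignoreip
        except ValueError:
            continue          # a DNS name would need resolving; skipped here
        counts[host] += 1
    return sorted(h for h, c in counts.items() if c >= maxretry)
# Constructed Asterisk 'messages' lines (not a real capture) covering four cases.
_LINE = ("[2018-10-13 15:16:0{0}] NOTICE[1234] chan_sip.c: Registration from "
         "'\"10{1}\" <sip:10{1}@198.51.100.7>' failed for '{2}' - {3}")
SAMPLE_LOG = [_LINE.format(i, n, host, reason) for n, host, reason, hits in (
    (0, "203.0.113.45", "Wrong password", 5),           # reaches maxretry
    (1, "192.0.2.9", "No matching peer found", 2),      # below maxretry
    (2, "127.0.0.1", "Wrong password", 5),              # ignoreip: never banned
    (3, "203.0.113.99:5060", "Wrong password", 6),      # port suffix: no pattern matches
) for i in range(hits)]
```

Run `hosts_to_ban(SAMPLE_LOG)` to get `['203.0.113.45']`; the port-suffixed host never appears because no pattern matches it, which is exactly the kind of gap fail2ban-regex would reveal on a real log.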


Moving changes to production

Restart fail2ban:

service fail2ban restart



Extending Fail2Ban configuration

Extending Fail2Ban configuration
