Difference between revisions of "Fail2Ban"
(5 intermediate revisions by 4 users not shown) | |||
Line 7: | Line 7: | ||
* Asterisk - protects from brute-force registration attacks | * Asterisk - protects from brute-force registration attacks | ||
* Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/ | * Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/MorAdmin (correct end with Kolmisoft software is "moradmin") - Coming soon. | ||
* SSH - protects from brute-force attacks. | * SSH - protects from brute-force attacks. | ||
<br><br> | <br><br> | ||
==Installation== | ==Installation== | ||
Line 57: | Line 58: | ||
Restart fail2ban: | Restart fail2ban: | ||
service fail2ban restart | |||
<br><br> | <br><br> | ||
==Extending Fail2Ban configuration== | |||
[[Extending Fail2Ban configuration]] | |||
==See also== | |||
* [[Fail2Ban_installation|Fail2Ban installation]] | |||
* [http://www.fail2ban.org/wiki/index.php/Whitelist Whitelist IP for Fail2Ban] | |||
* [[How_to_be_secure_using_MOR|How to be secure using MOR]] |
Latest revision as of 15:16, 13 October 2018
About
Fail2Ban is a small program which scans log files real-time and takes actions when hacking attempts are detected. More information about Fail2Ban can be found here
Protected services
Kolmisoft has implemented protection for these services:
- Asterisk - protects from brute-force registration attacks
- Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/MorAdmin (correct end with Kolmisoft software is "moradmin") - Coming soon.
- SSH - protects from brute-force attacks.
Installation
Custom modifications
Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them.
If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com
Modifying existing rules
All filters are enabled/disabled in /etc/fail2ban/jail.conf
To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf:
bad patterns are specified at failregex variable as following:
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
you can add here your own.
Testing changes
You can test your new rules using fail2ban-regex tool as following:
fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf
This tool will show you how many matches were found and what regexp's were used.
Moving changes to production
Restart fail2ban:
service fail2ban restart
Extending Fail2Ban configuration
Extending Fail2Ban configuration