Difference between revisions of "Fail2Ban"

From Kolmisoft Wiki
Jump to navigationJump to search
(Replaced content with 'Fail2Ban installation')
m
Line 1: Line 1:
= About =
Fail2Ban is a small program which scans log files real-time and  takes actions when hacking attempts are detected. More information about Fail2Ban can be found [http://en.wikipedia.org/wiki/Fail2ban here]
<br><br>
==Protected services==
Kolmisoft has implemented protection for these services:
* Asterisk - protects from brute-force registration attacks
* Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/PhpMyAdmin  (correct end with Kolmisoft software is "phpmyadmin")
* SSH - protects from brute-force attacks.
<br><br>
==Installation==
[[Fail2Ban installation]]
[[Fail2Ban installation]]
<br><br>
==Custom modifications==
Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them.
If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com
<br><br>
===Modifying existing rules===
All filters are enabled/disabled in /etc/fail2ban/jail.conf
To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf:
bad patterns are specified at failregex variable as following:
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
you can add here your own.
<br><br>
'''Testing changes'''
You can test your new rules using fail2ban-regex tool as following:
fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf
This tool will show you how many matches were found and what regexp's were used.
'''Moving changes to production'''
Restart fail2ban:
/etc/init.d/fail2ban restart

Revision as of 05:48, 21 October 2011

About

Fail2Ban is a small program which scans log files real-time and takes actions when hacking attempts are detected. More information about Fail2Ban can be found here

Protected services

Kolmisoft has implemented protection for these services:

  • Asterisk - protects from brute-force registration attacks
  • Apache - protects from scanning bots which try to access not existing address, for example http://YOUR_IP/PhpMyAdmin (correct end with Kolmisoft software is "phpmyadmin")
  • SSH - protects from brute-force attacks.



Installation

Fail2Ban installation

Custom modifications

Remember to save backups for your custom modifications to Fail2Ban as automated installation/update/upgrade scripts can overwrite them.

If you have suggestions how Fail2Ban rules can be extended - please write to mindaugas.mardosas@kolmisoft.com



Modifying existing rules

All filters are enabled/disabled in /etc/fail2ban/jail.conf


To extend an existing filter please go to /etc/fail2ban/filter.d and open the required file. For example we will take /etc/fail2ban/filter.d/asterisk.conf:

bad patterns are specified at failregex variable as following:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


you can add here your own.

Testing changes

You can test your new rules using fail2ban-regex tool as following:

fail2ban-regex /path/to/your/log/file/to/scan /etc/fail2ban/filter.d/asterisk.conf

This tool will show you how many matches were found and what regexp's were used.


Moving changes to production

Restart fail2ban:

/etc/init.d/fail2ban restart