Fail2ban restricts the IP addresses of hosts that are trying to breach your system's security. Whenever an abusive IP is detected, it can block that IP's access to your system for a specific period of time; the length of the ban is configurable by the system administrator.
Download the latest version of fail2ban
[root@glt ~]# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.8.10
Extract the files from the tarball and run the setup.py script.
[root@glt ~]# tar -xf 0.8.10
[root@glt ~]# cd fail2ban-0.8.10
[root@glt fail2ban-0.8.10]# python setup.py install
Configure fail2ban
[root@glt fail2ban-0.8.10]# vi /etc/fail2ban/jail.conf
White-list your IP address by adding it to the ignoreip line.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
In the ssh-iptables section, change enabled from false to true. Also set the email address that should receive the alerts (the dest= value of the sendmail-whois action), and check that logpath points at the file your sshd actually logs to.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@localhost]
logpath = /var/log/sshd.log
maxretry = 5
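To make concrete what the ignoreip and maxretry settings above do, here is a small Python model of a jail's decision logic: it matches sshd failure lines, skips white-listed addresses, and bans a host once it reaches maxretry failures inside the findtime window. This is an added example, not fail2ban's own code: the failure regexes are a simplified version of the sshd filter, the log lines are constructed, and the 600-second findtime is fail2ban's default rather than a value the post sets.

```python
"""Toy model of a fail2ban jail (added example, not fail2ban's code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Simplified patterns modelled on fail2ban's sshd filter (assumption, not the real filter).
FAILREGEX = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)"),
]

MAXRETRY = 5            # mirrors the jail above
FINDTIME = 600          # fail2ban default, in seconds (assumed; the post does not set it)
IGNOREIP = ["127.0.0.1"]  # mirrors the [DEFAULT] ignoreip above
LOG_YEAR = 2014         # syslog timestamps carry no year; assumed for the constructed log

# Constructed sshd log lines in syslog format (not taken from a real host).
SAMPLE_LOG = [
    "Mar 10 12:00:01 glt sshd[1001]: Invalid user admin from 203.0.113.7",
    "Mar 10 12:00:01 glt sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 10 12:00:05 glt sshd[1002]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Mar 10 12:00:09 glt sshd[1003]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar 10 12:00:13 glt sshd[1004]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "Mar 10 12:00:20 glt sshd[1005]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Mar 10 12:01:00 glt sshd[1010]: Failed password for bob from 127.0.0.1 port 40001 ssh2",
    "Mar 10 12:01:02 glt sshd[1011]: Failed password for bob from 127.0.0.1 port 40002 ssh2",
    "Mar 10 12:01:04 glt sshd[1012]: Failed password for bob from 127.0.0.1 port 40003 ssh2",
    "Mar 10 12:01:06 glt sshd[1013]: Failed password for bob from 127.0.0.1 port 40004 ssh2",
    "Mar 10 12:01:08 glt sshd[1014]: Failed password for bob from 127.0.0.1 port 40005 ssh2",
    "Mar 10 12:02:00 glt sshd[1020]: Failed password for alice from 192.0.2.5 port 40100 ssh2",
    "Mar 10 12:03:00 glt sshd[1021]: Failed password for alice from 192.0.2.5 port 40101 ssh2",
    "Mar 10 12:15:00 glt sshd[1022]: Failed password for alice from 192.0.2.5 port 40102 ssh2",
    "Mar 10 12:16:00 glt sshd[1023]: Failed password for alice from 192.0.2.5 port 40103 ssh2",
    "Mar 10 12:17:00 glt sshd[1024]: Failed password for alice from 192.0.2.5 port 40104 ssh2",
    "Mar 10 12:18:00 glt sshd[1030]: Accepted publickey for alice from 192.0.2.5 port 40200 ssh2",
]


def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, host) for a line that matches a failure pattern, else None."""
    try:
        ts = datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return ts, m.group("host")
    return None


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls inside any ignoreip entry (plain IP or CIDR; DNS names not handled here)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Ban a host when maxretry failures fall within findtime seconds (sliding window)."""
    failures = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host, ignoreip) or host in banned:
            continue
        # keep only failures that are still inside the findtime window
        failures[host] = [t for t in failures[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(failures[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for h in hosts_to_ban(SAMPLE_LOG):
        print("would ban", h)
```

Running it bans only 203.0.113.7: 127.0.0.1 is skipped because of ignoreip, and 192.0.2.5 accumulates five failures but never five inside one 600-second window, so it escapes the ban unless findtime is raised.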
To ensure that fail2ban starts at boot, install the init script and register it with chkconfig.
[root@glt fail2ban-0.8.10]# cp ./files/redhat-initd /etc/init.d/fail2ban
[root@glt fail2ban-0.8.10]# chkconfig --add fail2ban
[root@glt fail2ban-0.8.10]# chkconfig fail2ban on
Start fail2ban.
[root@glt fail2ban-0.8.10]# service fail2ban start
Starting fail2ban: [ OK ]
The following output lists the IPs that have been blocked by fail2ban (see the fail2ban-SSH chain at the end):
[root@glt ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- 61.147.116.109 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
[root@glt ~]#