Friday, May 25, 2012

fail2ban Intrusion Prevention Framework - a good Tutorial, with some good examples on how to set up fail2ban

This is a very good Tutorial, with some good examples on how to set up fail2ban...

Don


fail2ban Intrusion Prevention Framework - Linux Magazine Online

By Chris Binnie

For its size, fail2ban, a utility that scans logfiles and bans suspicious IP addresses, punches well above its weight.

I dare say that only a few sys admins haven’t heard of fail2ban – maybe those starting out or those who have focused on different areas. In my experience, it’s quite rare that really small utilities can affect the way you run your servers to the extent that fail2ban has. It certainly explains its popularity.

fail2ban is a feather-weight set of scripts that can easily integrate with popular firewalls and, amongst many other things, catch any failed logins for services that you’re running and then ban the IP address after a certain number of failed attempts. Admittedly that sounds like quite simple functionality, but when you get down to the innards of the software, it’s a truly powerful tool.

I had been using fail2ban on SSH login failures, probably its most common usage, before I became increasingly annoyed with web server logs filling up with nefarious probes attempting to compromise PHP with remote exploits (and a myriad of other HTTP attacks). It got to the point at which a large proportion of the Apache logs were failed attempts to find hidden directories or non-existent Joomla installations among the legitimate hits on the websites.

I also ran a few mail servers that allowed mail relaying via SASL password authentication, which (and there are other ways of running the authentication side) had system user accounts with PAM checking for correct passwords. I had set the SASL user accounts so that a shell login couldn’t be used to access the server, but I was still more than aware that having a piece of software so readily open to abuse by brute force was far from ideal. So, fail2ban stepped forward yet again; I could simply ban any IP that entered the wrong password three times for as long as I wanted.

From the scenarios above, I hope you will agree that fail2ban can be applied in all sorts of ways. To give you a head start in this article, I’ll offer some examples, ranging from those straight out of the documentation to those that were hard won. (Those of you who speak regular expressions, or regex, as your second language would have found them easy, I’m sure, but I prefer a cogent language that doesn’t involve an aching head coupled with eye strain!)

It Must Be Magic

Read More...
http://www.linuxpromagazine.com/Online/Features/fail2ban-Intrusion-Prevention-Framework

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures
Fail2ban
HOWTOs - Fail2ban
FAQ english - Fail2ban
MANUAL_0_8
Fail2Ban - Fail2ban
fail2ban Intrusion Prevention Framework - Linux Magazine Online
Category:Configuration - Fail2ban
Category:FTP - Fail2ban
Vsftpd - Fail2ban
Weekend Project: Keep Out Repeat Offenders with Fail2ban on Linux | Linux.com - fail2ban.conf: This file contains the general options for fail2ban. Most likely the default options will work just fine.
