Fail2ban: Difference between revisions

Tgurr (talk | contribs)
No edit summary
Tgurr (talk | contribs)
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== fail2ban installieren ===
== Installation ==
{{Box Code|Zu installierende Pakete|
<pre>
[ebuild  N    ] net-firewall/iptables-1.3.5-r4  USE="ipv6 -extensions -imq -l7filter -static" 187 kB
[ebuild  N    ] net-analyzer/fail2ban-0.6.1-r1  23 kB
</pre>
}}
 
{{Codeline|# emerge fail2ban}}


{{Codeline|# /etc/init.d/iptables save}}
{{Root|emerge fail2ban}}


{{Codeline|# rc-update add iptables default}}
{{Root|/etc/init.d/iptables save}}


{{Codeline|# rc-update add fail2ban default}}
{{Root|rc-update add iptables default}}
 
{{Box Code|Kernel .config|
<pre>
Networking
Networking options --->
[*] Network packet filtering (replaces ipchains)  --->
  Core Netfilter Configuration  --->
  <*> Netfilter Xtables support (required for ip_tables)
  IP: Netfilter Configuration  --->
  <*> IP tables support (required for filtering/masq/NAT)


  optional noch:
{{Root|rc-update add fail2ban default}}
  IPv6: Netfilter Configuration (EXPERIMENTAL)  --->
  <*> IP6 tables support (required for filtering/masq/NAT)
</pre>
}}


== syslog-ng configuration ==


{{Box File|/etc/ssh/sshd_config|
{{File|/etc/syslog-ng/syslog-ng.conf|
<pre>
<pre>
SyslogFacility AUTH
source src { system(); internal(); };
LogLevel INFO
</pre>
}}


{{Box File|/etc/syslog-ng/syslog-ng.conf|
<pre>
destination authlog { file("/var/log/auth.log"); };
destination authlog { file("/var/log/auth.log"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_authpriv { facility(auth, authpriv); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_authpriv); destination(authlog); };
</pre>
}}
{{Codeline|# touch /var/log/auth.log}}
{{Codeline|# chmod 600 /var/log/auth.log}}
{{Codeline|# /etc/init.d/syslog-ng restart}}
{{Box File|/etc/fail2ban.conf|
<pre>
maxfailures = 3
[MAIL]
enabled = true
host = mailrelay/localhost
to = logs@domain.de
[SSH]
enabled = true
logfile = /var/log/auth.log


destination messages { file("/var/log/messages"); };
</pre>
</pre>
}}
}}


{{Root|touch /var/log/auth.log}}


{{Root|chmod 600 /var/log/auth.log}}


=== fail2ban installieren ===
{{Root|/etc/init.d/syslog-ng restart}}
{{Box Code|Zu installierende Pakete|
<pre>
[ebuild  N    ] net-firewall/iptables-1.3.6-r1  USE="ipv6 -extensions -imq -l7filter -static" 181 kB
[ebuild  N    ] net-analyzer/fail2ban-0.7.2  28 kB
</pre>
}}
 
{{Codeline|# emerge fail2ban}}
 
{{Codeline|# /etc/init.d/iptables save}}


{{Codeline|# rc-update add iptables default}}
== Fail2ban configuration (0.9.x) ==


{{Codeline|# rc-update add fail2ban default}}
Be sure to also enable the required Kernel options for [[Kernel#Fail2ban_.28iptables.29|iptables]].


{{Box Code|Kernel .config|
=== Enable the sshd jails and fail2ban reporting via email ===
{{File|/etc/fail2ban/jail.local|
<pre>
<pre>
Networking
[DEFAULT]
Networking options --->
bantime = 86400
[*] Network packet filtering (replaces ipchains)  --->
maxretry = 3
  Core Netfilter Configuration  --->
destemail = yourmail@domain.local
  <*> Netfilter Xtables support (required for ip_tables)
sender = fail2ban@hostname
  IP: Netfilter Configuration  --->
action = %(action_mwl)s
  <*> IP tables support (required for filtering/masq/NAT)


  optional noch:
[sshd]
  IPv6: Netfilter Configuration (EXPERIMENTAL)  --->
enabled = true
  <*> IP6 tables support (required for filtering/masq/NAT)
</pre>
}}
 
 
{{Box Datei|/etc/ssh/sshd_config|
<pre>
SyslogFacility AUTH
LogLevel INFO
</pre>
</pre>
}}
}}


=== Optional: Disable the new sqlite feature ===


{{Box Datei|/etc/syslog-ng/syslog-ng.conf|
{{File|/etc/fail2ban/fail2ban.local|
<pre>
<pre>
destination authlog { file("/var/log/sshd.log"); };
[Definition]
filter f_authpriv { facility(auth, authpriv); };
dbfile = None
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
 
log { source(src); filter(f_authpriv); destination(authlog); };
</pre>
</pre>
}}
}}


{{Codeline|# touch /var/log/sshd.log}}
=== Optional: Set the sshd log file path (default is auth.log) ===


{{Codeline|# chmod 600 /var/log/sshd.log}}
{{File|/etc/fail2ban/paths-overrides.local|
 
{{Codeline|# /etc/init.d/syslog-ng restart}}
 
 
{{Box Datei|/etc/fail2ban/jail.conf|
<pre>
<pre>
[ssh-iptables]
[DEFAULT]
 
sshd_log = /var/log/sshd.log
enabled  = true
filter  = sshd
action  = iptables[name=SSH, port=ssh, protocol=tcp]
          mail-whois[name=SSH, dest=yourmail@mail.com]
logpath  = /var/log/sshd.log
maxretry = 3
bantime  = 600
 
</pre>
</pre>
}}
}}


{{Codeline|# /etc/init.d/fail2ban start}}


[[Kategorie:Programme]]
{{Root|/etc/init.d/fail2ban start}}
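Review bot: The new "Optional: Disable the new sqlite feature" section sets `dbfile = None` in `/etc/fail2ban/fail2ban.local` without stating the consequence, which is that fail2ban then keeps no persistent ban database, so every active ban is dropped whenever the service restarts or the host reboots and the iptables rules are recreated empty. A reader following this as a hardening guide should see that trade-off next to the setting, for example: `Note: with dbfile = None bans are not persisted; all active bans are lost on a fail2ban restart.` It would also help to say in the same place why one would want this at all (the page gives no reason), since the default keeps bans across restarts. Separately, the added `destination messages { file("/var/log/messages"); };` line in syslog-ng.conf appears without a matching `log { ... destination(messages); }` statement, so it presumably does nothing on its own; either drop it or add the log statement it belongs to.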

Latest revision as of 13:35, 20 May 2018

Installation

# emerge fail2ban
# /etc/init.d/iptables save
# rc-update add iptables default
# rc-update add fail2ban default

syslog-ng configuration

File: /etc/syslog-ng/syslog-ng.conf
source src { system(); internal(); };

destination authlog { file("/var/log/auth.log"); };
filter f_authpriv { facility(auth, authpriv); };
log { source(src); filter(f_authpriv); destination(authlog); };

destination messages { file("/var/log/messages"); };
# touch /var/log/auth.log
# chmod 600 /var/log/auth.log
# /etc/init.d/syslog-ng restart

Fail2ban configuration (0.9.x)

Be sure to also enable the required Kernel options for iptables.

Enable the sshd jails and fail2ban reporting via email

File: /etc/fail2ban/jail.local
[DEFAULT]
bantime = 86400
maxretry = 3
destemail = yourmail@domain.local
sender = fail2ban@hostname
action = %(action_mwl)s

[sshd]
enabled = true

Optional: Disable the new sqlite feature

File: /etc/fail2ban/fail2ban.local
[Definition]
dbfile = None

Optional: Set the sshd log file path (default is auth.log)

File: /etc/fail2ban/paths-overrides.local
[DEFAULT]
sshd_log = /var/log/sshd.log


# /etc/init.d/fail2ban start