Fail2ban

Available for NS6 and NS7

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, searching for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.

Stephane de Labrusse at stephdl@de-labrusse.fr

Is this module helpful to you? Please consider donating

Install my repository, see how to do it

Then install my rpm:

yum install nethserver-fail2ban --enablerepo=stephdl

Since version nethserver-fail2ban-0.0.3-1, a web user interface is available for managing fail2ban.

  • A jail is enabled by default when the service it protects is detected on the system. The value of a jail's status property is true or false.
  • By default, failed attempts from your local network are ignored by fail2ban, unless you set the property BanLocalNetwork to enabled.
  • You can set specific IPs to be ignored by fail2ban: IgnoreIP IP1,IP2,IP3
  • All administrative emails are sent to the admin user (install nethserver-mail-server), or send them to other recipients: CustomDestemail mail1,mail2,mail3

When you install a new module, the relevant jail is automatically activated by the event 'runlevel-adjust', which is launched at the end of the yum process. You can also apply changes and restart the fail2ban service by hand with

signal-event nethserver-fail2ban-save

All properties can be listed with 'config show fail2ban':

# config show fail2ban 
fail2ban=service
   ApacheAuth_status=true
   ApacheBadbots_status=true
   ApacheBotsearch_status=false
   ApacheFakegooglebot_status=true
   ApacheModsecurity_status=true
   ApacheNohome_status=true
   ApacheNoscript_status=true
   ApacheOverflows_status=true
   ApacheScan_status=true
   ApacheShellshock_status=true
   BanAction=shorewall           #can be iptables-multiport, iptables-allports
   BanLocalNetwork=disabled      #you can ban IP on your local network if enabled
   BanTime=600                   #the ban time in seconds
   CustomDestemail=              #add custom emails for recipients (default is admin): email1,email2,email3
   Dovecot_status=true
   FindTime=600                  #Find time in seconds
   IgnoreIP=                     #Don't ban these IPs : IP1,IP2,IP3
   LogLevel=INFO                 #Log level, can be CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG (you need to disable the recidive jail because of an infinite loop risk)
   Mail=enabled                  #Send administrative emails
   MaxRetry=3                    #ban after 3 failed attempts
   MysqldAuth_status=true
   NginxBotSearch_status=true
   NginxHttpAuth_status=true
   PamGeneric_status=true
   PostfixRbl_status=true
   Postfix_status=true
   Recidive_status=true
   Roundcube_status=true
   Sieve_status=true
   SogoAuth_status=true
   SshdDdos_status=true
   Sshd_status=true
   Vsftpd_status=true
   status=enabled

For example:

config setprop fail2ban BanTime 1800 FindTime 900 BanLocalNetwork enabled
signal-event nethserver-fail2ban-save
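As an added illustration of how the BanTime, FindTime, MaxRetry, IgnoreIP and BanLocalNetwork properties interact (this is example code written for this page, not part of the nethserver-fail2ban module or of fail2ban itself), the following Python script models fail2ban's counting rule: an IP is banned for BanTime seconds once it accumulates MaxRetry failures within a sliding window of FindTime seconds, and IPs listed in IgnoreIP or, while BanLocalNetwork is disabled, in the local network are never counted. The local network 192.168.1.0/24, the IgnoreIP entry and all timestamps and addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Settings mirroring the db properties shown by 'config show fail2ban'.
# The defaults (3 / 600 / 600) are the page's; the rest are constructed.
MAXRETRY = 3                      # MaxRetry=3
FINDTIME = 600                    # FindTime=600
BANTIME = 600                     # BanTime=600
IGNORE_IP = {"203.0.113.10"}      # IgnoreIP=203.0.113.10 (constructed)
BAN_LOCAL_NETWORK = False         # BanLocalNetwork=disabled
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed local (green) network


def is_ignored(ip, ignore_ip=IGNORE_IP, ban_local=BAN_LOCAL_NETWORK,
               local_networks=LOCAL_NETWORKS):
    """True if failures from this IP must never lead to a ban."""
    if ip in ignore_ip:
        return True
    if not ban_local:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in local_networks)
    return False


def simulate_bans(failures, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """failures: iterable of (timestamp_in_seconds, ip) for lines matched by a failregex.

    Returns {ip: [(ban_start, ban_end), ...]} using a sliding FindTime window:
    the ban fires on the failure that brings the count within the window up to
    MaxRetry, and failures arriving while the IP is still banned are not counted
    (the firewall would have dropped them anyway).
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    ban_until = {}                # ip -> end of the current ban
    bans = defaultdict(list)
    for ts, ip in sorted(failures):
        if is_ignored(ip):
            continue
        if ts < ban_until.get(ip, -1):
            continue
        recent = window[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - findtime:   # drop failures older than FindTime
            recent.popleft()
        if len(recent) >= maxretry:
            bans[ip].append((ts, ts + bantime))
            ban_until[ip] = ts + bantime
            recent.clear()                              # count afresh once the ban expires
    return dict(bans)


# Constructed failure events: (seconds since an arbitrary epoch, source IP).
SAMPLE_FAILURES = [
    (0, "198.51.100.7"), (100, "198.51.100.7"), (200, "198.51.100.7"),   # 3 in 200 s -> ban
    (500, "198.51.100.7"),                                                # while banned: not counted
    (850, "198.51.100.7"), (860, "198.51.100.7"), (870, "198.51.100.7"),  # ban expired at 800 -> new ban
    (0, "198.51.100.8"), (400, "198.51.100.8"), (900, "198.51.100.8"),    # never 3 within 600 s
    (0, "203.0.113.10"), (1, "203.0.113.10"), (2, "203.0.113.10"),        # in IgnoreIP
    (0, "192.168.1.5"), (1, "192.168.1.5"), (2, "192.168.1.5"),           # local network, BanLocalNetwork=disabled
]

if __name__ == "__main__":
    for ip, periods in simulate_bans(SAMPLE_FAILURES).items():
        for start, end in periods:
            print(f"{ip} banned from t={start}s until t={end}s")
```

Setting BanLocalNetwork to enabled corresponds to ban_local=True, after which 192.168.1.5 would be counted like any other host; widening FindTime to 1000 seconds would also catch 198.51.100.8, whose three failures are spread over 900 seconds.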

Jails

For a complete list of the available jails, run 'config show fail2ban' and look at the '*_status' properties. Obviously the services must be installed by their relevant nethserver packages before you can use them. If you have ideas for a jail that can be enhanced (for example Nginx), please share your jail.local and filter.d/files.conf

Custom MaxRetry

You can set a custom value for the MaxRetry property of each jail; once the custom value is removed, the jail goes back to the default MaxRetry value.

To retrieve the db property names:

[root@ns7dev8 ~]# config show fail2ban |grep -i maxretry
    Apache_MaxRetry=
    Dovecot_MaxRetry=
    Ejabber_MaxRetry=
    HttpdAdmin_MaxRetry=
    MaxRetry=3
    Mysqld_MaxRetry=
    Nextcloud_MaxRetry=
    Nginx_MaxRetry=
    OpenVpnAuth_MaxRetry=
    OpenVpn_MaxRetry=
    Owncloud_MaxRetry=
    PamGeneric_MaxRetry=
    Postfix_MaxRetry=
    Recidive_MaxRetry=
    Roundcube_MaxRetry=
    Sieve_MaxRetry=
    Sogo_MaxRetry=
    Sshd_MaxRetry=
    Urbackup_MaxRetry=
    Vsftpd_MaxRetry=

These are only available via db commands. To set one:

config setprop fail2ban Urbackup_MaxRetry 18
signal-event nethserver-fail2ban-save

If you delete the property, you go back to the default MaxRetry value:

config setprop fail2ban Urbackup_MaxRetry ''
signal-event nethserver-fail2ban-save

fail2ban-client

fail2ban-client is part of the fail2ban rpm. It gives the state of fail2ban and of all available jails, or of one particular jail if asked:

fail2ban-client status

or, for the jail sshd (run 'fail2ban-client status' first to retrieve all jail names):

fail2ban-client status sshd

To see which logfiles are monitored for a jail:

fail2ban-client get nginx-http-auth logpath

fail2ban-listban

fail2ban-listban counts the IPs currently banned and the total number banned in all activated jails; at the end it shows you the IPs which are banned by shorewall.

fail2ban-listban

fail2ban-regex

fail2ban-regex is a tool used to test regexes on your logs; it is part of the fail2ban software. The documentation is there

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf --print-all-matched

You can also test a custom regex:

fail2ban-regex /var/log/secure '^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$'

or

fail2ban-regex '192.168.12.25 - - [11/Feb/2017:06:15:19 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200' '<HOST>.-.-.\[.*\] "POST /phpmyadmin/index.php HTTP/1.1" 200'

fail2ban-unban

fail2ban-unban is a shortcut which launches 'shorewall allow <IP>' and allows the relevant IP when the ban must be removed.

fail2ban-unban <IP>

You can also use the built-in command of fail2ban-client:

fail2ban-client set <JAIL> unbanip <IP_2_UNBAN>

Install whois so that fail2ban can query the IP whois database and tell you the origin of a banned IP:

yum --enablerepo=epel install jwhois

Bugs

Please raise Issues on github

Dependencies from EPEL

perl-Email-Valid-0.184-1.el6.noarch.rpm
python-inotify-0.9.1-1.el6.noarch.rpm
fail2ban-0.9.3-1.el6.1.noarch.rpm