Fail2ban tutorial: Scan log files and ban IPs

Posted: 14/02/2012 in Fail2ban

I use fail2ban on my servers to ban IP addresses that show malicious signs for a specified amount of time.
Here is my setup on Debian squeeze:

apt-get install fail2ban

pico /etc/fail2ban/jail.conf
bantime = 7200 <——- 2 hours ban time

To make fail2ban monitor PureFTPd, SASL, SSH, ROUNDCUBE, IMAP and Courier i create the file /etc/fail2ban/jail.local:

pico /etc/fail2ban/jail.local

[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 1

[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 1

[courierpop3]
enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 1

[courierpop3s]
enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 1

[courierimap]
enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 1

[courierimaps]
enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 1

[ssh]
enabled = true
port = 59292
filter = sshd
logpath = /var/log/auth.log
maxretry = 1

[roundcube]
enabled = true
port = http,59393
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 2

Then i create the following filter files:

pico /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@\) \[WARNING\] Authentication failed for user.*
ignoreregex =

pico /etc/fail2ban/filter.d/courierpop3.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = pop3d: LOGIN FAILED.*ip=\[.*:\]

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

pico /etc/fail2ban/filter.d/courierpop3s.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

pico /etc/fail2ban/filter.d/courierimap.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = imapd: LOGIN FAILED.*ip=\[.*:\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

pico /etc/fail2ban/filter.d/courierimaps.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

pico /etc/fail2ban/filter.d/roundcube.conf

[Definition]
failregex = FAILED login for .*. from
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

If someone adds a lot of jails in fail2ban, then some of them may not start (errors in /var/log/fail2ban.log. See it by yourself by executing:

iptables -L -n

Unfortunately the solution is a bit of a hack… but at least it is a solution:

In the file /usr/bin/fail2ban-client at line 145 you have to insert time.sleep(0.1) :

vim /usr/bin/fail2ban-client

So before the change the file looks like this:

[...]
def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier()
for c in cmd:
beautifier.setInputCmd(c)
try:
[...]

And afterward the file looks like this:

[...]
def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier()
for c in cmd:
time.sleep(0.01)
beautifier.setInputCmd(c)
try:
[...]

Restart again fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command:

iptables -L -n

Also there are some problems with banning sasl dos attacks
Please try this…

pico /etc/fail2ban/filter.d/sasl.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ <-- default value
#failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?: authentication failure$
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?
#failregex = (?i): warning: [-._\w]+\[\]: SASL LOGIN authentication failed: authentication failure(: [A-Za-z0-9+/]*={0,2})?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

It works very well!!! 😉

Advertisements
Comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s