CentOS 7
--------------------------------------------------------------------------------
18 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log.
fail2ban is used here together with iptables (iptables-services), so firewalld is stopped and masked so that it cannot come back at boot:
yum -y install iptables-services fail2ban fail2ban-systemd
systemctl stop firewalld.service
systemctl mask firewalld.service
systemctl disable firewalld.service
Next we create the /etc/fail2ban/jail.local file and enable monitoring for ssh, email and ftp service.
nano /etc/fail2ban/jail.local
Add the following content into the jail.local file:
[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]
[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3
[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
Then create the system startup links for fail2ban and start it:
systemctl enable fail2ban.service
systemctl start fail2ban.service
After every change to jail.local, restart it so the new configuration is loaded:
systemctl restart fail2ban.service
To remove fail2ban again:
yum remove fail2ban\*
--------------------------------------------------------------------------------
First we need to enable several jails in fail2ban. Modify the needed lines so the sections look like the ones below (fail2ban reads jail.local on top of jail.conf, so the same sections can go into /etc/fail2ban/jail.local instead, where they survive package updates):
vim /etc/fail2ban/jail.conf
...
[roundcube-auth]
enabled = true
port = http,https
logpath = /var/log/roundcubemail/errors
....
[postfix]
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
....
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
...
[sieve]
enabled = true
port = smtp,465,submission
logpath = %(dovecot_log)s
.........................................................................
Now enable the fail2ban service so it starts at boot:
systemctl enable fail2ban.service
and start it:
systemctl start fail2ban.service
To stop it again and take it out of the boot sequence:
systemctl stop fail2ban.service
systemctl disable fail2ban.service
--------------------------------------------------------------------------------
# vi /etc/fail2ban/jail.local
-----------------------------------
[DEFAULT]
# Whitelist: IPs that must never be banned, e.g.
# ignoreip = 127.0.0.1 my.home.ip.address my.work.ip.address my.network.block/24
# Keep comments on their own lines: fail2ban on CentOS 7 does not strip a "#" comment that follows a value.
ignoreip = 127.0.0.1 82.192.71.9 95.211.46.207
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
banaction = iptables-multiport
backend = systemd
maxretry = 5
# mail receiver
destemail = accesstel@worldcm.net
# sender address; the "action_mwl" template mails a whois lookup and the matching log lines for every ban
sender = fail2ban@worldcm.net
action = %(action_mwl)s
use_dns = no
Then add the jails to the same /etc/fail2ban/jail.local, below the [DEFAULT] section:
# JAILS
# "ssh" and "ssh-ddos" are the old Debian jail names; the filters shipped with
# fail2ban on CentOS 7 are sshd and sshd-ddos. The [ssh] section and the two
# [sshd] sections are merged into one [sshd] section here.
[sshd]
enabled = true
port = ssh
action = iptables[name=sshd, port=ssh, protocol=tcp]
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
[pam-generic]
enabled = true
banaction = iptables-allports
# sshd-ddos is a separate jail in fail2ban 0.9; from 0.10 on set
# "filter = sshd[mode=ddos]" (or mode=aggressive) in [sshd] instead.
[sshd-ddos]
enabled = true
[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3
[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog
[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog
[webmin]
enabled = true
port = 10000,20000
filter = webmin-auth
banaction = iptables-multiport
action = %(action_mwl)s
# /var/log/auth.log is the Debian path; on CentOS 7 authpriv messages go to /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
# there is no [apache] jail in jail.conf; the shipped jail for failed HTTP auth is apache-auth
[apache-auth]
enabled = true
# custom filter: needs its own /etc/fail2ban/filter.d/apache-myadmin.conf, it is not shipped with fail2ban
[apache-myadmin]
enabled = true
port = http,https
filter = apache-myadmin
banaction = iptables-allports
action = %(action_mwl)s
# Debian path; on CentOS 7 the Apache error log is /var/log/httpd/error_log
logpath = /var/log/apache*/*error.log
maxretry = 2
# the squirrel_logger plugin must be installed in SquirrelMail so that this log file exists
[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 5
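A jail.local like the one above is easy to get wrong on CentOS 7 (Debian jail names without a matching filter, custom filters that were never written, Debian log paths), and fail2ban only complains at start time. The following lint is an added example, not part of the original notes: it parses a jail.local with configparser, resolves each enabled jail's filter name and logpath, and reports the problem spots. SHIPPED_FILTERS, DEBIAN_PATHS and SAMPLE_JAIL_LOCAL are constructed sample data, not read from a live system.

```python
# Added example (not from the original notes): lint a jail.local for jails that
# cannot work on CentOS 7. Filter list, path table and sample text are constructed.
import configparser
SHIPPED_FILTERS = {"sshd", "sshd-ddos", "pam-generic", "pure-ftpd", "dovecot",
                   "postfix-sasl", "webmin-auth", "apache-auth", "squirrelmail"}
DEBIAN_PATHS = {"/var/log/auth.log": "/var/log/secure",
                "/var/log/apache*/*error.log": "/var/log/httpd/error_log"}
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
bantime = 3600 # inline comment, stripped by the parser below
[ssh]
enabled = true
[sshd]
enabled = true
[sshd]
#action = firewallcmd-ipset
logpath = %(sshd_log)s
[webmin]
enabled = true
filter = webmin-auth
logpath = /var/log/auth.log
[apache]
enabled = true
[apache-myadmin]
enabled = true
filter = apache-myadmin
logpath = /var/log/apache*/*error.log
[squirrelmail-iptables]
enabled = false
filter = squirrelmail
"""
def lint_jail_local(text, filters=SHIPPED_FILTERS):
    # strict=False merges the doubled [sshd] section instead of raising; interpolation=None
    # keeps %(sshd_log)s literal; "#" comments after a value are dropped here (not by fail2ban 0.9).
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#",))
    cp.read_string(text)
    problems = []
    for jail in cp.sections():
        sec = cp[jail]
        if sec.get("enabled", "false").lower() != "true":
            continue
        flt = sec.get("filter", jail).split("[", 1)[0].strip()  # drop [mode=...] params
        if flt not in filters:
            problems.append((jail, "no filter.d/%s.conf, jail cannot start" % flt))
        for path in sec.get("logpath", "").split():
            if path in DEBIAN_PATHS:
                problems.append((jail, "%s is a Debian path, CentOS 7 uses %s"
                                 % (path, DEBIAN_PATHS[path])))
    return problems
```

Running lint_jail_local(SAMPLE_JAIL_LOCAL) flags ssh, apache and apache-myadmin for missing filters and webmin and apache-myadmin for Debian log paths; the disabled squirrelmail jail is skipped.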
--------------------------------------------------------------------------------
If you wish to whitelist IPs only for certain jails, this can be done with the fail2ban-client command.
Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist:
# fail2ban-client set JAIL addignoreip 123.45.67.89
Changes made with fail2ban-client live only in the running server and are lost on the next restart; permanent entries belong in "ignoreip" in jail.local.
After editing jail.local, restart fail2ban and check that all jails came up:
systemctl restart fail2ban
fail2ban-client status
------------
Show the last five lines of the fail2ban log:
# tail -n 5 /var/log/fail2ban.log
List all currently blocked IPs (loops over every jail named in "Jail list:" and prints its status):
# fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"
See all the previously banned IPs through /var/log/fail2ban.log (rotated, gzipped logs included; "Restore Ban" lines are bans re-applied after a restart, not new detections):
# zgrep 'Ban' /var/log/fail2ban.log*
Generating Simple Reports
Grouping by IP address (the second-to-last field is the event, the last field the address):
# awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
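The awk one-liner counts every "Ban" line, including bans restored at restart, and never subtracts unbans. The script below is an added example, not from the original notes: it parses fail2ban.log lines, counts real bans per IP and per jail, counts "Restore Ban" lines separately, and keeps track of which (jail, IP) pairs are still banned at the end of the log. SAMPLE_LOG is constructed sample data in fail2ban's log format.

```python
# Added example (not from the original notes): report over fail2ban.log.
# SAMPLE_LOG is constructed test data in fail2ban's own log line format.
import re
from collections import Counter

SAMPLE_LOG = """\
2019-04-12 10:01:02,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-04-12 10:05:44,456 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 198.51.100.7
2019-04-12 10:09:10,789 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.9
2019-04-12 11:01:02,123 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2019-04-12 11:03:02,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 2001:db8::1
2019-04-12 11:04:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 203.0.113.7
2019-04-12 11:09:10,789 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
"""

# timestamp, jail, event (Ban / Unban / Restore Ban), address; "Found" lines do not match
LINE_RE = re.compile(r"^(\S+ \S+) fail2ban\.\w+\s+\[\d+\]: \w+\s+\[([^\]]+)\] "
                     r"(Restore Ban|Ban|Unban) (\S+)$")

def ban_report(text):
    """Counts per IP and per jail, number of restored bans, and the (jail, ip)
    pairs still banned at the end of the log (no later Unban)."""
    per_ip, per_jail, restored, active = Counter(), Counter(), 0, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # filter "Found" lines and server messages are not ban events
            continue
        _, jail, event, ip = m.groups()
        if event == "Ban":
            per_ip[ip] += 1
            per_jail[jail] += 1
            active.add((jail, ip))
        elif event == "Restore Ban":   # re-applied at start, not a new detection
            restored += 1
            active.add((jail, ip))
        else:                           # Unban
            active.discard((jail, ip))
    return {"per_ip": per_ip, "per_jail": per_jail,
            "restored": restored, "active": active}

if __name__ == "__main__":
    r = ban_report(SAMPLE_LOG)
    for ip, n in r["per_ip"].most_common():
        print("%5d %s" % (n, ip))
    print("still banned:", sorted(r["active"]))
```

Point it at the real log with ban_report(open("/var/log/fail2ban.log").read()); the "Found" count is deliberately left out because a Found line is a single matching failure, not a ban.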
Monitor Fail2ban Logs and Firewall Configuration
It's important to know that a service like Fail2ban is working as intended. Start by using systemctl to check the status of the service:
sudo systemctl status fail2ban
If something seems amiss here, you can troubleshoot by checking logs for the fail2ban unit since the last boot:
sudo journalctl -b -u fail2ban
Next, use fail2ban-client to query the overall status of fail2ban-server, or any individual jail:
sudo fail2ban-client status
sudo fail2ban-client status jail_name
Follow Fail2ban's log for a record of recent actions (press Ctrl-C to exit):
sudo tail -F /var/log/fail2ban.log
List the current rules configured for iptables:
sudo iptables -L
Show iptables rules in a format that reflects the commands necessary to enable each rule:
sudo iptables -S
Useful commands
To check fail2ban activity:
Logs: tail /var/log/fail2ban.log
Check status: fail2ban-client status
Check status of a certain jail (the SSH jail is called sshd on CentOS 7): fail2ban-client status sshd
Check regex results against a log (the SSH log is /var/log/secure on CentOS 7, /var/log/auth.log on Debian): fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
If an IP needs to be unblocked:
with fail2ban itself, which also updates its own ban list: fail2ban-client set <JAIL> unbanip <IP>
using iptables: iptables -D fail2ban-<CHAIN_NAME> -s <IP> -j DROP
using tcp-wrappers: remove the IP from /etc/hosts.deny
------------------------------------