CentOS 7

---------------------------------------------------

18 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log.

yum -y install iptables-services fail2ban fail2ban-systemd

fail2ban's iptables actions insert their own chains and rules, so firewalld is stopped and masked so that it cannot flush or override them:

systemctl stop firewalld.service

systemctl mask firewalld.service

systemctl disable firewalld.service

Next we create the /etc/fail2ban/jail.local file and enable monitoring for the ssh, email and ftp services.

nano /etc/fail2ban/jail.local

Add the following content into the jail.local file:

[sshd]

enabled = true

action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]

enabled = true

action = iptables[name=FTP, port=ftp, protocol=tcp]

maxretry = 3

[dovecot]

enabled = true

action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]

maxretry = 5

[postfix-sasl]

enabled = true

action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]

maxretry = 3

Then create the system startup links for fail2ban and start it:

systemctl enable fail2ban.service

systemctl start fail2ban.service

After later changes to jail.local, restart fail2ban so the new jails are loaded:

systemctl restart fail2ban.service

To remove fail2ban again (note for later):

yum remove fail2ban\*

---------------------------------------------------

First we need to enable several jails (triggers) in fail2ban. Modify the lines of the following sections so that they look like this (jail.conf is overwritten on package upgrades, so the same overrides can also be kept in jail.local instead):

vim /etc/fail2ban/jail.conf

...

[roundcube-auth]
enabled = true
port    = http,https
logpath = /var/log/roundcubemail/errors

...

[postfix]
enabled = true
port    = smtp,465,submission
logpath = %(postfix_log)s

...

[dovecot]
enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s

...

[sieve]
enabled = true
port    = smtp,465,submission
logpath = %(dovecot_log)s

...

Now we need to enable the fail2ban service:

systemctl enable fail2ban.service

and start it:

systemctl start fail2ban.service

To stop and disable it again:

systemctl stop fail2ban.service

systemctl disable fail2ban.service

---------------------------------------------------

Complete jail.local (alternative to editing jail.conf; these overrides survive package upgrades)

vi /etc/fail2ban/jail.local

Add the following content into the jail.local file. Comments are kept on their own lines, because a trailing "# ..." on a value line may end up as part of the value:

[DEFAULT]
# Whitelist, e.g. ignoreip = 127.0.0.1 my.home.ip.address my.work.ip.address my.network.block/24
ignoreip  = 127.0.0.1 82.192.71.9 95.211.46.207
# "bantime" is the number of seconds that a host is banned.
bantime   = 3600
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime  = 600
banaction = iptables-multiport
# systemd: jails read the journal and "logpath" is not valid for them. Jails for
# services that only write files (Apache error log, squirrelmail access log)
# need backend = auto in their own section.
backend   = systemd
maxretry  = 5
# mail receiver
destemail = accesstel@worldcm.net
# sender address; the "action_mwl" template bans and mails with whois and log lines
sender    = fail2ban@worldcm.net
action    = %(action_mwl)s
use_dns   = no

# JAILS

# The Debian-era names [ssh], [ssh-ddos] and [apache] have no filter in the
# fail2ban shipped for CentOS 7 and would fail to load; the sshd jail below
# merges the earlier duplicate [ssh] and [sshd] entries.
[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
action   = iptables[name=sshd, port=ssh, protocol=tcp]
#action  = firewallcmd-ipset
# fail2ban 0.10+: "mode = aggressive" in this jail also covers the old ssh-ddos patterns
maxretry = 5
bantime  = 86400

[pam-generic]
enabled   = true
banaction = iptables-allports

[pure-ftpd]
enabled  = true
action   = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled  = true
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
logpath  = /var/log/maillog

[postfix-sasl]
enabled  = true
action   = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5
logpath  = /var/log/maillog

[webmin]
enabled   = true
port      = 10000,20000
filter    = webmin-auth
banaction = iptables-multiport
action    = %(action_mwl)s
# CentOS logs PAM/auth messages to /var/log/secure (Debian: /var/log/auth.log)
logpath   = /var/log/secure
maxretry  = 3

[apache-auth]
enabled = true
# Apache writes its error log to a file only, so do not use the systemd backend here
backend = auto

[apache-myadmin]
enabled   = true
port      = http,https
# custom filter: /etc/fail2ban/filter.d/apache-myadmin.conf must exist
filter    = apache-myadmin
banaction = iptables-allports
action    = %(action_mwl)s
backend   = auto
# CentOS path (Debian: /var/log/apache*/*error.log)
logpath   = /var/log/httpd/*error_log
maxretry  = 2

# the squirrel_logger plugin must be installed in SquirrelMail; it writes this access log
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
backend  = auto
logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 5
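The jail.local above and the jail.conf edits earlier give several jails an explicit logpath. fail2ban does not start a jail whose logpath matches no file (it logs "Have not found any log file for <jail> jail"), so a wrong path leaves that service unprotected while the rest of fail2ban runs fine. The POSIX shell script below is an added example, not part of these notes and not fail2ban's own tooling: it lists every enabled jail that sets its own logpath in a jail.local-style file and reports whether the path matches at least one file. Paths using %(...)s interpolation are reported as skipped, since they are resolved from jail.conf. The jail names, paths and the temporary config used by the demo are constructed. Under backend = systemd this check is moot for jails that read the journal; it matters for the jails that use backend = auto or polling.

```shell
#!/bin/sh
# Added example (not part of the original notes or of fail2ban): verify that each
# enabled jail's explicit logpath in a jail.local-style file matches at least one
# file. fail2ban skips a jail whose logpath matches nothing, leaving that
# service unprotected.

# Print "jail<TAB>logpath" for every enabled jail that sets its own logpath.
# A trailing "# note" after a value is stripped before the value is used.
enabled_jail_logpaths() {
    awk '
        function flush() {
            if (sect != "" && sect != "DEFAULT" && enabled == "true" && logpath != "")
                printf "%s\t%s\n", sect, logpath
        }
        /^[ \t]*\[.*\][ \t]*$/ {            # new section header
            flush()
            sect = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
            enabled = ""; logpath = ""
            next
        }
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); enabled = $0; next
        }
        /^[ \t]*logpath[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); logpath = $0; next
        }
        END { flush() }
    ' "$1"
}

# For each enabled jail print "<jail> OK|MISSING|SKIPPED <logpath>".
check_jail_logpaths() {
    tab=$(printf '\t')
    enabled_jail_logpaths "$1" | while IFS="$tab" read -r jail path; do
        case "$path" in
            *'%('*) printf '%s SKIPPED %s\n' "$jail" "$path"; continue ;;  # needs jail.conf interpolation
        esac
        found=0
        for f in $path; do              # unquoted on purpose so the shell expands the glob
            if [ -e "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 1 ]; then
            printf '%s OK %s\n' "$jail" "$path"
        else
            printf '%s MISSING %s\n' "$jail" "$path"
        fi
    done
}

# Self-contained demo on a constructed config and log tree in a temp directory.
demo_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/log/httpd"
    : > "$tmp/log/maillog"
    : > "$tmp/log/httpd/ssl_error_log"
    cat > "$tmp/jail.local" <<EOF
[DEFAULT]
bantime = 3600

[dovecot]
enabled = true
logpath = $tmp/log/maillog   # constructed sample path

[apache-myadmin]
enabled = true
logpath = $tmp/log/httpd/*error_log

[webmin]
enabled = true
logpath = $tmp/log/auth.log

[sshd]
enabled = true
logpath = %(sshd_log)s

[postfix-sasl]
enabled = false
logpath = $tmp/log/nothing
EOF
    check_jail_logpaths "$tmp/jail.local"
    rm -rf "$tmp"
}

# With no argument run the demo; otherwise check the given jail.local.
case "${1:-}" in
    "") demo_check ;;
    *)  check_jail_logpaths "$1" ;;
esac
```

Run it as `sh check_jail_logpaths.sh /etc/fail2ban/jail.local` (the file name is arbitrary) after editing the jails and before the restart; a MISSING line for a jail you expect to work usually means a Debian path (auth.log, apache2) on a CentOS box, which is exactly the mistake the webmin sample in the demo reproduces.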

---------------------------------------------------

If you wish to whitelist IPs only for certain jails, this can be done with the fail2ban-client command. Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist:

fail2ban-client set JAIL addignoreip 123.45.67.89

Note that addignoreip only changes the running server; a restart reloads ignoreip from jail.local, so permanent whitelists belong there.

systemctl restart fail2ban

fail2ban-client status

------------

tail -n 5 /var/log/fail2ban.log

List all currently blocked IPs (runs fail2ban-client status once per jail):

fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

See all the previously banned IPs in /var/log/fail2ban.log and its rotated copies:

zgrep 'Ban' /var/log/fail2ban.log*

Generating simple reports

Grouping by IP address (in a ban line the next-to-last field is the word "Ban" and the last field is the IP):

awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
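The zgrep and awk one-liners above count raw "Ban" lines: they also count the "Restore Ban" entries that fail2ban 0.10+ writes when it re-applies bans from its database after a restart, and they cannot tell you which bans the log says are still in force. The POSIX shell functions below are an added example, not part of these notes and not fail2ban's own tooling; they parse the log format shown in the constructed sample lines (fail2ban.actions ... NOTICE [jail] Ban|Unban|Restore Ban IP) and report fresh bans per IP, fresh bans per jail, and the jail/IP pairs still banned at the end of the log, which is what you want when reviewing a copied log without access to fail2ban-client. The sample IPs are documentation-range addresses and the timestamps are made up.

```shell
#!/bin/sh
# Added example (not part of the original notes or of fail2ban): summarise a
# fail2ban.log while distinguishing fresh bans, "Restore Ban" entries (bans
# re-applied after a restart) and Unban entries.

# Constructed sample lines in fail2ban's log format; IPs are documentation ranges.
SAMPLE_LOG='2021-03-01 10:00:01,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-03-01 10:03:44,510 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2021-03-01 10:05:12,002 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.7
2021-03-01 11:00:01,777 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2021-03-01 11:02:09,301 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.99
2021-03-02 09:15:30,045 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 203.0.113.7'

# Fresh bans per IP ("IP count", most banned first). Reads the files given, or stdin.
ban_counts_by_ip() {
    awk '$(NF-1) == "Ban" && $(NF-2) != "Restore" { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' "$@" | sort -k2,2nr -k1,1
}

# Fresh bans per jail ("jail count"); the jail name is the bracketed field before "Ban".
ban_counts_by_jail() {
    awk '$(NF-1) == "Ban" && $(NF-2) != "Restore" { j = $(NF-2); gsub(/\[|\]/, "", j); n[j]++ }
         END { for (j in n) print j, n[j] }' "$@" | sort -k2,2nr -k1,1
}

# Replay Ban / Restore Ban / Unban events in log order and print the "jail IP"
# pairs that are still banned when the log ends.
still_banned_from_log() {
    awk '
        $(NF-1) == "Ban" {
            j = ($(NF-2) == "Restore") ? $(NF-3) : $(NF-2)
            gsub(/\[|\]/, "", j)
            banned[j " " $NF] = 1
        }
        $(NF-1) == "Unban" {
            j = $(NF-2); gsub(/\[|\]/, "", j)
            delete banned[j " " $NF]
        }
        END { for (k in banned) print k }
    ' "$@" | sort
}

# Demo on the constructed sample. On a real host pass the log files instead, e.g.
#   zcat -f /var/log/fail2ban.log* | still_banned_from_log
demo_report() {
    printf '%s\n' "$SAMPLE_LOG" | still_banned_from_log
}

demo_report
```

On the sample the replay shows that 203.0.113.7 was unbanned from sshd at 11:00 and banned again by the restore at 09:15 the next day, so it is listed twice (dovecot and sshd), while the per-IP count of fresh bans for it stays at 2. Feed rotated logs in chronological order (oldest first) or the replay will be wrong.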

Monitor fail2ban logs and firewall configuration

It's important to know that a service like fail2ban is working as intended. Start by using systemctl to check the status of the service:

systemctl status fail2ban

If something seems amiss here, you can troubleshoot by checking the logs for the fail2ban unit since the last boot:

journalctl -b -u fail2ban

Next, use fail2ban-client to query the overall status of fail2ban-server, or any individual jail:

fail2ban-client status

fail2ban-client status sshd

Follow fail2ban's log for a record of recent actions (press Ctrl-C to exit):

tail -F /var/log/fail2ban.log

List the current rules configured for iptables:

iptables -L

Show iptables rules in a format that reflects the commands necessary to enable each rule:

iptables -S

Useful commands

To check fail2ban activity for one jail (replace JAIL as above):

fail2ban-client status JAIL

------------------------------------

Unblock IP

If an IP needs to be unblocked (replace JAIL and 123.45.67.89 as above):

fail2ban-client set JAIL unbanip 123.45.67.89