FAIL2BAN ON CENTOS

INSTALL FAIL2BAN ON CENTOS

-----------

# on CentOS 7 these packages come from the EPEL repository; enable it first
yum -y install fail2ban fail2ban-firewalld fail2ban-systemd

systemctl enable fail2ban 

systemctl restart fail2ban 

systemctl status fail2ban

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# vi /etc/fail2ban/jail.local
# (jail.local is read after jail.conf and overrides it key by key; a full copy pins every shipped
# default, so a jail.local holding only the changed keys is easier to keep correct across package upgrades)

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host

ignoreip = 127.0.0.1/8 192.168.1.0/24 175.29.167.190/32 203.76.149.205/32 203.76.149.202/32

# set a higher bantime and findtime

bantime=3600

findtime=600

# fail2ban-firewalld drops jail.d/00-firewalld.conf with banaction = firewallcmd-ipset; jail.local is read
# after jail.d/*.conf, so this line wins and bans go straight to iptables even with firewalld running
banaction = iptables-multiport

# backend = systemd makes every jail read the journal instead of its logpath, so each jail's filter needs a
# journalmatch (the stock sshd, dovecot, postfix and pure-ftpd filters have one; a custom filter must define
# its own), and a service that logs only to a file needs a per-jail backend = auto
backend = systemd

# set max number of attempts

maxretry = 3

# set mail receiver

destemail = accesstel@worldcm.net

sender = fail2ban@worldcm.net

# enable sending mails, whois and logfile sections by choosing the "action_mwl" template,

# see jail.conf for details

mta = postfix

action = %(action_mwl)s

# never resolve names: a log line whose host field is a hostname rather than an address is skipped, not banned
use_dns = no

[sshd]

enabled = true

# a per-jail "action" replaces the DEFAULT action_mwl entirely, so this jail bans without the mail/whois report
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]

enabled = true

action = iptables[name=FTP, port=ftp, protocol=tcp]

maxretry = 5

[dovecot]

enabled = true

action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]

maxretry = 5

[postfix-sasl]

enabled = true

action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]

maxretry = 5

[postfix-auth]

enabled     = true

# "postfix.auth" must exist as /etc/fail2ban/filter.d/postfix.auth.conf; the stock filter is "postfix"
# (with mode = auth in fail2ban 0.10 and later)
filter      = postfix.auth

action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]

# CentOS writes the mail log to /var/log/maillog; /var/log/mail.log is the Debian path
logpath     = /var/log/maillog

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# (section header missing from the original notes)
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3
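Before restarting fail2ban with a jail.local like the one above, it is worth checking what each jail actually ends up with once [DEFAULT] has been applied (the [pure-ftpd] maxretry = 5 overrides the default of 3, the other jails inherit it) and whether every ignoreip entry parses. The script below is an added example, not part of fail2ban or of these notes. It relies on Python's configparser, whose DEFAULT-section inheritance matches how fail2ban applies [DEFAULT] to each jail, and it does not perform fail2ban's %(name)s substitution. JAIL_LOCAL is a constructed excerpt in the shape of the configuration above; enabled_jails, effective_policy and non_ip_ignoreip are names chosen here.

```python
"""Resolve each jail's effective policy from a jail.local and sanity-check ignoreip.

Added example for this page, not part of fail2ban. Python's configparser applies the
[DEFAULT] section to every other section the same way fail2ban does; %(name)s
interpolation is switched off, so such values are returned verbatim.
"""
import configparser
import ipaddress

# Constructed excerpt in the shape of the jail.local above (not read from disk).
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24 203.76.149.205/32
bantime = 3600
findtime = 600
maxretry = 3
banaction = iptables-multiport
backend = systemd
action = %(action_mwl)s

[sshd]
enabled=true

[pure-ftpd]
enabled = true
maxretry = 5

[dovecot]
maxretry = 5
"""


def load(text):
    """Parse jail.local text; DEFAULT values fall through to every jail automatically."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def enabled_jails(text):
    """Jails whose enabled flag resolves to true. jail.conf sets enabled = false in
    [DEFAULT], so a jail without the flag is off."""
    cp = load(text)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def effective_policy(text, jail):
    """maxretry, findtime and bantime for one jail after [DEFAULT] inheritance."""
    cp = load(text)
    return {key: cp.getint(jail, key) for key in ("maxretry", "findtime", "bantime")}


def non_ip_ignoreip(text):
    """ignoreip entries that are neither an address nor a CIDR block. fail2ban also
    accepts DNS names there, so a hit is either an intended hostname or a typo in an
    address; decide which before trusting the list."""
    cp = load(text)
    bad = []
    for entry in cp.get("DEFAULT", "ignoreip", fallback="").split():
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    for jail in enabled_jails(JAIL_LOCAL):
        print(jail, effective_policy(JAIL_LOCAL, jail))   # sshd keeps 3, pure-ftpd overrides to 5
    print("non-address ignoreip entries:", non_ip_ignoreip(JAIL_LOCAL))  # []
```

On a live host the authoritative answer comes from the daemon itself after a reload: fail2ban-client get sshd maxretry and fail2ban-client get sshd ignoreip report what the running jail uses, including values produced by %(name)s substitution that this script leaves verbatim.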

                      -------------------------x-----------------------------

Configure fail2ban to Secure SSH Server:

jail.local (the copy of jail.conf made above) defines several sshd-related jails. This walk-through enables only [sshd]; the sed appends enabled=true directly under that section header:

[root@fail2ban-01 ~]# sed -i "/^\[sshd\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

fail2ban.service is restarted so the daemon reads the changed jail.local.

Now connect to fail2ban-01.example.com from another host with an ssh client and enter wrong passwords. The client must not be covered by ignoreip, or its failures are never counted. After maxretry failures within findtime (5 and 600 seconds in the shipped jail.conf; the [DEFAULT] above lowers maxretry to 3) the client's address is banned. The ssh client prompts for a password three times per session, so the failures below span two sessions:

[root@fail2ban-tester ~]# ssh root@192.168.116.171
The authenticity of host '192.168.116.171 (192.168.116.171)' can't be established.
ECDSA key fingerprint is SHA256:kzyCimDDwGPsfsuGXxdrcBqlxVQlU8FZTsYrwbPzZHM.
ECDSA key fingerprint is MD5:b4:3f:a2:86:30:7a:b7:d7:b3:b0:10:8f:a3:3e:8a:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.116.171' (ECDSA) to the list of known hosts.
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@fail2ban-tester ~]# ssh root@192.168.116.171
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:

Check the sshd jail status with fail2ban-client:

[root@fail2ban-01 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.152

The host 192.168.116.152 has been banned by fail2ban for the configured bantime because of repeated authentication failures. The "Journal matches" line shows that this jail reads sshd's messages from the systemd journal rather than from /var/log/secure.

jail.local defines further sshd-related jails. One is sshd-ddos, whose filter matches connections that are closed before authentication completes (a client that opens and drops sessions without ever trying a password) rather than failed passwords; in fail2ban 0.10 and later the same patterns are selected with mode = ddos on the sshd filter. Be clear about what fail2ban can do here: it bans one source address at a time, after that address exceeds maxretry, which blunts a noisy single-source brute force but is no defence against a distributed attack in which every source stays below maxretry. You should experiment with the other jails on your own.


Configure fail2ban to Secure Apache Web Server:

jail.local also ships several jails for Apache (apache-auth, apache-badbots, apache-noscript and others), each of which can be enabled on demand.

Here only apache-auth is enabled; it matches HTTP authentication failures in Apache's error log:

[root@fail2ban-01 ~]# sed -i "/^\[apache-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

An Apache website with HTTP basic authentication has been configured on this machine for the test.

Browse to http://fail2ban-01.example.com from a client's browser.

The website will ask for login credentials.

Submit wrong credentials repeatedly. Once the client's address has produced maxretry failures within findtime (5 in the shipped jail.conf, so the sixth attempt no longer reaches Apache) it is banned automatically for the configured bantime.

You can check status of apache-auth jail as follows.

[root@fail2ban-01 ~]# fail2ban-client status apache-auth
Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     13
|  `- File list:        /var/log/httpd/error_log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.1


Configure fail2ban to Secure nginx Web Server:

Just like Apache, there is a fail2ban jail for nginx authentication failures, nginx-http-auth, which watches nginx's error log. Enable and test it the same way.

An nginx web server with HTTP basic authentication has been configured for this demonstration:

[root@fail2ban-01 ~]# sed -i "/^\[nginx-http-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

Browse to http://fail2ban-01.example.com from a client's browser.

The website will ask for login credentials.

Submit wrong credentials repeatedly. After maxretry failures within findtime the client's address is banned automatically for the configured bantime, and the jail status shows it:

[root@fail2ban-01 ~]# fail2ban-client status nginx-http-auth
Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/nginx/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.1


Configure fail2ban to Secure MariaDB Server:

Exposing the MariaDB port to the network is uncommon, but where it is necessary, the listener is reachable by anyone who can route to it and its accounts can be guessed at.

In that situation fail2ban can blunt brute-force and dictionary attacks on MariaDB logins by banning a source address after repeated failures. It complements, rather than replaces, restricting bind-address and firewalling port 3306 to the hosts that need it.

[root@fail2ban-01 ~]# sed -i "/^\[mysqld-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

By default MariaDB runs with log_warnings=1 (the default in the MariaDB 5.5 that CentOS 7 ships), and at that level failed logins are not written to the error log.

In that state fail2ban cannot work: the mysqld-auth filter finds no "Access denied" lines in the MariaDB log, and the jail reports zero failures no matter how many attempts are made.

Therefore the MariaDB log level has to be raised so that failed login attempts are recorded.

Use the following commands to set log-warnings=2 under the [mysqld] section of /etc/my.cnf and restart MariaDB. The sed appends only where a [mysqld] header exists in that file (CentOS 7 ships one); confirm the line landed there before relying on it.

[root@fail2ban-01 ~]# sed -i "/^\[mysqld\]/a\\log-warnings=2" /etc/my.cnf
[root@fail2ban-01 ~]# systemctl restart mariadb.service

Perform several login attempts with wrong usernames and passwords from another host. After maxretry failures fail2ban bans that host for the configured bantime:

[root@fail2ban-tester ~]# mysql -u ahmer -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'ahmer'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u root -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'root'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u root -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'root'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r1 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r1'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r2 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r2'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r4 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r4'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r5 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r5'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r7 -p12a -h 192.168.116.171
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.116.171' (111)

The last attempt fails with ERROR 2003 (errno 111, connection refused) instead of 1045: the ban is now in place and the ban rule rejects the connection before it reaches MariaDB. Check the status of the mysqld-auth jail with fail2ban-client:

[root@fail2ban-01 ~]# fail2ban-client status mysqld-auth
Status for the jail: mysqld-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/mariadb/mariadb.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.152
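The four jails exercised above (sshd, apache-auth, nginx-http-auth and mysqld-auth) all work the same way: a filter regex pulls the source address out of a log line, and the jail bans that address once maxretry matches fall inside findtime, for bantime, unless the address is in ignoreip. The Python model below is an added example and is not fail2ban's code. The regexes are simplified forms of the patterns in fail2ban's filter.d files, every log line is constructed here, and Jail, observe, run_jail and mariadb_log are names chosen for the illustration. It replays the sshd scenario (two early failures age out of findtime, a third failure inside a later burst triggers the ban, an ignoreip host never counts, the ban lapses after bantime) and the MariaDB dependency on log_warnings (at level 1 the jail sees zero failures).

```python
"""Mini fail2ban: per-jail filter regexes plus the maxretry/findtime/bantime/ignoreip
ban policy, replayed over constructed log lines.

Added example for this page, not fail2ban's own code. Regexes are simplified forms of
fail2ban's filter.d patterns; all log lines are constructed; the names are made up here.
"""
import ipaddress
import re
from collections import defaultdict, deque

# Simplified failregex per jail used on this page; the "host" group plays fail2ban's <HOST>.
FILTERS = {
    "sshd": re.compile(
        r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    "apache-auth": re.compile(
        r"\[client (?P<host>[\d.]+)(?::\d+)?\] (?:AH\d+: )?user \S+: authentication failure"),
    "nginx-http-auth": re.compile(
        r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), client: (?P<host>[^,]+),'),
    "mysqld-auth": re.compile(
        r"Access denied for user '[^']+'@'(?P<host>[^']+)'"),
}


def failures(jail, lines):
    """Source host of every line the jail's filter matches (what 'Total failed' counts)."""
    return [m.group("host") for line in lines if (m := FILTERS[jail].search(line))]


class Jail:
    """Ban a host after `maxretry` matches within `findtime` seconds, keep the ban for
    `bantime` seconds, and never ban an address inside `ignoreip`."""

    def __init__(self, name, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
        self.name, self.maxretry, self.findtime, self.bantime = name, maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.window = defaultdict(deque)  # host -> timestamps of failures inside findtime
        self.banned = {}                  # host -> time at which the ban expires

    def skip(self, host):
        """True for ignoreip members and, mirroring use_dns = no, for non-address hosts."""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return True
        return any(ip in net for net in self.ignore)

    def observe(self, ts, line):
        """Feed one log line seen at time `ts`; return the host if this line triggers a ban."""
        self.expire(ts)
        m = FILTERS[self.name].search(line)
        if not m or self.skip(m.group("host")) or m.group("host") in self.banned:
            return None
        host = m.group("host")
        q = self.window[host]
        q.append(ts)
        while ts - q[0] > self.findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            q.clear()
            return host
        return None

    def expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this from a timer)."""
        for host in [h for h, until in self.banned.items() if now >= until]:
            del self.banned[host]


def run_jail(name, events, **policy):
    """Replay (timestamp, line) events through one jail; return the (ts, host) bans and the jail."""
    jail = Jail(name, **policy)
    bans = [(ts, host) for ts, line in events if (host := jail.observe(ts, line))]
    return bans, jail


# Constructed sshd journal lines; timestamps are seconds from an arbitrary start.
SSHD_EVENTS = [
    (0,    "sshd[1200]: Failed password for root from 192.168.116.152 port 50122 ssh2"),
    (30,   "sshd[1201]: Failed password for invalid user admin from 192.168.116.152 port 50123 ssh2"),
    (40,   "sshd[1202]: Failed password for root from 192.168.1.10 port 40000 ssh2"),     # in ignoreip
    (3700, "sshd[1203]: Failed password for root from 192.168.116.152 port 50130 ssh2"),  # first two aged out
    (3710, "sshd[1204]: Failed password for root from 192.168.116.152 port 50131 ssh2"),
    (3720, "sshd[1205]: Failed password for root from 192.168.116.152 port 50132 ssh2"),  # third inside findtime
]


def mariadb_log(log_warnings, attempts):
    """Constructed MariaDB error-log lines for failed logins at a given log_warnings level.
    Below level 2 no 'Access denied' line is written, so the filter has nothing to match."""
    if log_warnings < 2:
        return []
    return [f"170301 10:00:{i:02d} [Warning] Access denied for user '{u}'@'{h}' (using password: YES)"
            for i, (u, h) in enumerate(attempts)]


if __name__ == "__main__":
    bans, jail = run_jail("sshd", SSHD_EVENTS, maxretry=3, findtime=600, bantime=3600,
                          ignoreip=["127.0.0.1/8", "192.168.1.0/24"])
    print("sshd bans:", bans)                                   # [(3720, '192.168.116.152')]
    jail.expire(3720 + 3600)
    print("still banned after bantime:", sorted(jail.banned))  # []
    attempts = [(u, "192.168.116.152") for u in ("ahmer", "root", "root", "r1", "r2")]
    for level in (1, 2):
        seen = len(failures("mysqld-auth", mariadb_log(level, attempts)))
        print(f"log_warnings={level}: {seen} failures visible to the jail")  # 0, then 5
```

The same check is what fail2ban-regex performs against a real log file and filter: before enabling a jail, confirm the filter actually matches your service's lines, otherwise the jail sits at "Total failed: 0" exactly as the MariaDB case at log_warnings=1 shows.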

fail2ban has been installed on CentOS 7 and configured to protect ssh, Apache, nginx and MariaDB against brute-force and dictionary attacks from a single source. It is a rate limiter on repeat offenders, not a defence against distributed attacks, and it only helps for a service whose authentication failures actually reach a log file or the journal, as the MariaDB log_warnings step shows.

-----