
Working on Fail2ban



I got logwatch installed and working. I've also installed fail2ban and started the service. Still working on configuring it. I found out that I should be able to configure fail2ban to filter and ban per log. I found this in the fail2ban documentation, at the bottom:

Centos

Under CentOS / RedHat Enterprise Linux, httpd (Apache) is not compiled with tcpwrappers support. As a result the example in jail.conf called "apache-tcpwrapper" does not work since /etc/hosts.deny does not affect apache.

 

Means that the filter [apache-tcpwrapper] won't work for me. So I did a bit of searching and came across centos-fail2ban, and it seems they are using it there. So I'll just try to use it and configure it and see what the results are. But it's just strange, two documentations saying two different things.


Erm.. oh.. doh. It used to be on here.

 

I ought to get another up and running, really. I started it, never got around to configuring it.

 

Yeah I know. I've seen your blog a while ago. Strange that it's gone.

It used to be that you could make a blog under your profile settings somewhere. Might have disappeared since the forum update?


Yeah, unfortunately, I believe the IP.Blog software is no longer with us on this forum. :(


Yeah, unfortunately, I believe the IP.Blog software is no longer with us on this forum. :(

 

haha going offtopic on my own topic. Wouldn't it be possible to link external blog software/website to this site?


I figured out what to do. I found some info here. Seems like they created the filter [apache-webmail-phish]. I think I could probably make my own by doing something like this:

 

Filter:

# Fail2Ban configuration file
#
# Author: Jackie Craig Sparks
#
# $Revision: 728 $
#

[Definition]

# Looks for failed login attempts on the Joomla backend
failregex = [[]client <HOST>[]] user .*(?:: authentication failure|not found|password mismatch|Invalid password|User does not exist)

ignoreregex =

Then save it as apache-feedmebits-website.conf

 

Jail:

[apache-feedmebits-website]

enabled = true

filter = apache-feedmebits-website

action = iptables[name=HTTP, port="80,443", protocol=tcp]

logpath = /var/www/htm/htdocs/logs/error.php

maxretry = 0

bantime = 864000

findtime = 3600

Save it, restart fail2ban and test. Will try it out later and post my results.

 

I also tried getting my ssh banned, it's activated. It doesn't get banned after x attempts. I found out the problem. When I go to vi /etc/fail2ban/action.d/iptables, the file is empty so it doesn't know what to do. I checked a few other files in that action.d folder and they are not empty. So if I tried the above it wouldn't work either because it doesn't know what to do because iptables action is empty. Will need to figure out/search how I need to configure that file. Then test.

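An added example, not part of the original post or of fail2ban's own code: a minimal Python check of the failregex from the filter above against constructed Apache error-log lines, showing which client addresses it would count and that a pattern without the `<HOST>` tag gives nothing to ban. `HOST_GROUP`, `SAMPLE_LOG` and the function names are assumptions made for this illustration.

```python
import re
import warnings

# Simplified IPv4-only stand-in (assumption) for the capture group fail2ban
# substitutes for the <HOST> tag; the real substitution also covers hostnames/IPv6.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the post, with the <HOST> tag in place.
FAILREGEX = (r"[[]client <HOST>[]] user .*(?:: authentication failure|not found"
             r"|password mismatch|Invalid password|User does not exist)")

# Constructed Apache error-log lines (documentation addresses, not real data).
SAMPLE_LOG = [
    '[Tue Mar 05 10:12:01 2013] [error] [client 203.0.113.7] user admin: '
    'authentication failure for "/administrator": Password Mismatch',
    '[Tue Mar 05 10:12:05 2013] [error] [client 203.0.113.7] user root not found: /administrator',
    '[Tue Mar 05 10:13:40 2013] [error] [client 198.51.100.23] File does not exist: /var/www/favicon.ico',
]


def compile_failregex(failregex):
    """Expand <HOST> and compile; reject patterns that cannot yield an address."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag: nothing identifies the address to ban")
    with warnings.catch_warnings():
        # Python warns about the '[[]' idiom; it still means a literal '['.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_per_host(failregex, lines):
    """Count matching log lines per client address."""
    pattern = compile_failregex(failregex)
    counts = {}
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] = counts.get(match.group("host"), 0) + 1
    return counts


def hosts_to_ban(failregex, lines, maxretry):
    """Addresses whose failure count reaches maxretry (findtime is not modelled)."""
    counts = failures_per_host(failregex, lines)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_per_host(FAILREGEX, SAMPLE_LOG))
    print(hosts_to_ban(FAILREGEX, SAMPLE_LOG, maxretry=2))
```

On a host with fail2ban installed, the bundled `fail2ban-regex` tool runs the same kind of check against the real log file and filter file before the jail is enabled.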
  • 2 weeks later...

LOL I wasn't able to get it to work on my website log. When I restart fail2ban I get an error that my failregex isn't correct. I set my own filter to off in jail.conf and I restarted fail2ban and it's running now. On my ssh port too. I was dumb enough to test it out and now I'm locked out of my ssh and I can't get back in LMAO

 

*edit: luckily I put the time on 10min and am able to get in now :P


(Almost) getting locked out of your own server. It's something we all have to go through.

 

I once changed which port SSH was running on, over SSH, whilst I was away from the machine. I didn't, however, update the firewall to allow any packets in to the new port. I got locked out and had to call someone who was able to physically get to the machine and dictate the commands they had to type in to let me back in! Thankfully, I had the foresight to back up the configuration file so I could just ask them to copy it back over the existing one. Not my finest moment! :)


hahaha :D I got a bit further now. Before, fail2ban wouldn't even create a logfile. So I removed and reinstalled it. Now I'm getting a log file. Also before, when I made my own custom filter, I got some strange error message and then fail2ban refused to start. Now I just get failed to start. So I know my install is right now, just need to have a closer look at failregex expressions cuz not getting them right, and if I use the ones from apache-auth.conf it doesn't work either, probably because of the same reason I mentioned in my first post. And if I copy the filter and give it a different name, sounds logical that it won't work :P
