HOWTO Setup fail2ban

Revision as of 18:23, 22 January 2008 by Gordp (talk | contribs)
emerge -v fail2ban
emacs -nw /etc/fail2ban/jail.conf

Scroll to the "[ssh-iptables]" section, set "enabled = true", and find the line that says:

logpath = /var/log/sshd.log

and change it to the file sshd actually logs to (on Gentoo, with the default syslog setup):

logpath = /var/log/auth.log

The backend setting lives in the "[DEFAULT]" section, not in the jail itself. Changing it from "auto" to "gamin" makes fail2ban react to file-change notifications instead of polling the log, but it requires the gamin Python module on the host; if that module is missing the jail fails to start, whereas "auto" falls back to polling:

###backend = auto
backend = gamin

Comment out the "mail-whois" action lines (the indented continuation lines below "action = iptables[...]" in each jail). They mail a whois report on every ban, which only fails or piles up undeliverable mail unless outgoing mail is configured on the host.
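The edits above can be applied with a short script instead of by hand. The script below is an added example, not code from the original page or from the fail2ban project. It assumes the stock fail2ban 0.8 jail.conf layout: a "[DEFAULT]" section holding "backend", and jails whose "action" value continues onto an indented "mail-whois[...]" line. The sample jail.conf it writes is constructed for the demonstration, and the function names (configure_fail2ban_jail, jail_value, make_sample_jail) are this example's own. It reads one file and writes another, so it can be tried as an unprivileged user before touching /etc/fail2ban/jail.conf.

```shell
#!/bin/sh
# Added example (not from the original page): apply the jail.conf edits
# described above with awk. Assumes the stock fail2ban 0.8 layout.

# configure_fail2ban_jail IN OUT
#   [DEFAULT]      : comment out "backend = auto", add "backend = gamin"
#   [ssh-iptables] : enabled = true, logpath = /var/log/auth.log
#   every jail     : comment out indented "mail-whois[...]" continuation
#                    lines (a line starting with "#" is skipped by the
#                    config parser, so the action value ends one line early)
configure_fail2ban_jail() {
    in=$1
    out=$2
    awk '
        /^\[/ { sect = $0 }                     # track current section
        sect == "[DEFAULT]" && /^backend[[:space:]]*=/ {
            print "###" $0
            print "backend = gamin"
            next
        }
        sect == "[ssh-iptables]" && /^enabled[[:space:]]*=/ {
            print "enabled  = true"
            next
        }
        sect == "[ssh-iptables]" && /^logpath[[:space:]]*=/ {
            print "logpath  = /var/log/auth.log"
            next
        }
        /^[[:space:]]+mail-whois\[/ {
            print "#" $0
            next
        }
        { print }
    ' "$in" > "$out"
}

# jail_value FILE SECTION KEY: print the (first-line) value of KEY in SECTION,
# used here to check the rewritten file
jail_value() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { cur = $0 }
        cur == sect && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            print
            exit
        }
    ' "$1"
}

# make_sample_jail FILE: write a constructed jail.conf fragment in the stock
# fail2ban 0.8 layout (sample data for the demo, not the distribution file)
make_sample_jail() {
    cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3
backend = auto

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail-whois[name=SSH, dest=you@example.com]
logpath  = /var/log/sshd.log
maxretry = 5

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           mail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
EOF
}

# Demo: rewrite the sample and show the resulting [ssh-iptables] jail
tmpdir=$(mktemp -d)
make_sample_jail "$tmpdir/jail.conf"
configure_fail2ban_jail "$tmpdir/jail.conf" "$tmpdir/jail.conf.new"
sed -n '/^\[ssh-iptables\]/,/^\[vsftpd-iptables\]/p' "$tmpdir/jail.conf.new"
```

To use it on the real file, run configure_fail2ban_jail against /etc/fail2ban/jail.conf with a new output path, diff the two, and only then move the result into place; the awk patterns only touch the three keys named above, so anything else in the file passes through unchanged.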

root@hostname ~
# /etc/init.d/fail2ban start
* Starting fail2ban
root@hostname ~
# rc-update add fail2ban default
* fail2ban added to runlevel default

Check the log file:

# tail /var/log/fail2ban.log

and watch it live while you trigger a few failed logins from another host:

# tail -f /var/log/fail2ban.log

Check iptables (add -n to skip the reverse DNS lookups that turn addresses into hostnames, and -v to see which interface each rule matches; fail2ban-client status ssh-iptables also lists the currently banned addresses for the jail):

# iptables -L

Example output, taken without -n (so the banned address appears as its reverse-DNS name), for a web server with port 80 open and SSH and FTP services running. fail2ban inserts its fail2ban-SSH and fail2ban-VSFTPD chains at the top of INPUT; a banned host gets a DROP in the jail's chain, and everything else RETURNs to INPUT where the normal rules apply:

Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-VSFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
DROP       all  --  sr-01504.iat.sfu.ca  anywhere            
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-VSFTPD (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere