Setting up Fail2Ban for avoiding different kinds of Brute Force Attacks

OBJECTIVE

To protect the server from brute-force attacks. Fail2ban watches the service logs and, after a configurable number of failed attempts, bans the source address that is trying to break into our server.

GETTING STARTED

We are going to configure fail2ban to monitor the Sendmail (SMTP), Dovecot (IMAP, POP3) and VsFTPD services.

Steps:

Requirements: Python 2.6 or greater

1. Install Python using yum
yum install python

2. Install Fail2ban using yum
yum install fail2ban

If the package is not available, build it from source. The commands below assume the downloaded tarball is fail2ban-0.8.4; adjust the version to the file you actually get, since the URL points at the latest release.
wget -O fail2ban-0.8.4.tar.bz2 "http://sourceforge.net/projects/fail2ban/files/latest/download?source=dlp"

Extract the file (the archive is bzip2-compressed, so use -j, not -z)
tar -xjvf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install

3. Here is the procedure to add the following services to fail2ban

VSFTPD

A filter for vsftpd ships with fail2ban; check that it is present:
ls /etc/fail2ban/filter.d

you will see vsftpd.conf

Now you need to enable the jail that uses it.

vim /etc/fail2ban/jail.conf

The stock jail.conf already contains two vsftpd jails. Note that the second line of a multi-line action must be indented, otherwise fail2ban cannot parse the file.

[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@domain_name]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@domain_name]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

Change

enabled = false
To
enabled = true

on the jail you want active (the iptables jail is the one that actually blocks the attacker; the notification jail only mails you a whois report), and replace you@domain_name with the address that should receive the notifications.

SENDMAIL

Add filter
vim /etc/fail2ban/filter.d/sendmail.conf
Add the following lines. <HOST> is fail2ban's placeholder for the attacker's address; every pattern must contain it, and the continuation lines of failregex must be indented.

[Definition]
failregex = \[<HOST>\] .*to MTA
# \[<HOST>\] \(may be forged\)
            \[<HOST>\], reject.*\.\.\. Relaying denied
            (User unknown)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Save and exit.

Be aware that the first pattern also matches sendmail's "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" message, so port scanners and monitoring probes that connect without sending a command are counted as failures too.

Now configure the jail
Add the following lines to /etc/fail2ban/jail.conf. No maxretry, findtime or bantime is given here, so the values from the [DEFAULT] section apply.

[sendmail]
enabled = true
filter = sendmail
action = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
         sendmail-whois[name=sendmail, dest=you@domain_name]
logpath = /var/log/maillog

DOVECOT-POP3IMAP

Add filter
vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Add the following lines (again with <HOST> in every pattern and the continuation lines indented)

[Definition]
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =

Save and exit.

Dovecot's log format has changed between versions, so before relying on this filter run fail2ban-regex against /var/log/maillog and this filter file and confirm that real failed logins are matched.

Now configure the jail

vim /etc/fail2ban/jail.conf
Add the following lines. With these values a client is banned for 20 minutes once it produces 20 failures within a 20-minute window.

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=you@domain_name, sender=fail2ban@domain_name]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200

Save and exit.

Now start fail2ban

/etc/init.d/fail2ban start

and confirm that the vsftpd, sendmail and dovecot-pop3imap jails are listed in the output of fail2ban-client status.
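To see what the filters and jail parameters above actually do, here is an added Python example (not part of the original page and not fail2ban's own code) that expands <HOST> the way fail2ban 0.8 does, runs the Dovecot and Sendmail failregex lists over a constructed /var/log/maillog excerpt, and applies maxretry and findtime the way a jail would. The log lines and the addresses 203.0.113.7 and 198.51.100.9 are constructed for the example; the sendmail hits are deliberately spread over 30 minutes to show that failures outside the findtime window never add up to a ban.

```python
"""Replay fail2ban's failregex / maxretry / findtime logic over sample maillog lines."""
import re
from collections import defaultdict
from datetime import datetime

# Expansion fail2ban 0.8 substitutes for the <HOST> tag in every failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lists from the two filters configured above.
DOVECOT_FAILREGEX = [
    r"dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
    r"dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]",
    r"dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]",
    r"dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars",
    r"dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]",
]
SENDMAIL_FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"(User unknown)\n* \[<HOST>\]",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
]

# Constructed /var/log/maillog excerpt (not a real capture). 203.0.113.7 fails
# three Dovecot logins within 13 seconds; 198.51.100.9 trips the sendmail filter
# three times but spread over 30 minutes; alice's line is a successful login.
SAMPLE_MAILLOG = """\
Mar 11 10:00:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, [203.0.113.7]
Mar 11 10:00:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 11 10:00:09 mail dovecot: auth-worker(default): sql(bob,203.0.113.7): unknown user
Mar 11 10:00:14 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, [203.0.113.7]
Mar 11 10:05:00 mail sendmail[1201]: s2BA50ab001201: [198.51.100.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 11 10:20:00 mail sendmail[1202]: s2BAK0cd001202: ruleset=check_rcpt, arg1=<x@example.com>, relay=[198.51.100.9], reject=550 5.7.1 <x@example.com>... Relaying denied
Mar 11 10:35:00 mail imap[1203]: badlogin: scanner.example.net [198.51.100.9] plaintext admin SASL(-13): authentication failure: checkpass failed
"""


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_host(compiled, line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def syslog_seconds(line):
    """Seconds for a 'Mon DD HH:MM:SS' syslog prefix (no year, so relative use only)."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()


def evaluate_jail(lines, patterns, maxretry, findtime):
    """Replay a jail: ban a host once it has maxretry failures within findtime seconds.

    Returns {host: syslog timestamp of the failure that triggered the ban}.
    """
    compiled = compile_failregex(patterns)
    recent = defaultdict(list)  # host -> failure timestamps still inside findtime
    banned = {}
    for line in lines:
        host = match_host(compiled, line)
        if host is None or host in banned:
            continue
        now = syslog_seconds(line)
        # Drop failures older than findtime, then record this one.
        recent[host] = [t for t in recent[host] if now - t <= findtime] + [now]
        if len(recent[host]) >= maxretry:
            banned[host] = line[:15]
    return banned


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    print("dovecot  maxretry=3 findtime=600 :", evaluate_jail(lines, DOVECOT_FAILREGEX, 3, 600))
    print("sendmail maxretry=3 findtime=600 :", evaluate_jail(lines, SENDMAIL_FAILREGEX, 3, 600))
    print("sendmail maxretry=3 findtime=3600:", evaluate_jail(lines, SENDMAIL_FAILREGEX, 3, 3600))
```

Running it shows 203.0.113.7 banned at 10:00:14 by the Dovecot jail, while 198.51.100.9 is never banned with findtime=600 because no three of its failures fall inside one 600-second window; raising findtime to 3600 bans it at 10:35:00. A pattern that matches nothing against your real log (as opposed to these constructed lines) is the most common reason a jail silently does nothing, which is why the filter should be checked against the live log before the jail is enabled.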
