1.)
Install fail2ban.
First download and install the EPEL repository package, then install fail2ban from it:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
2.)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3.)
vi /etc/fail2ban/jail.local and make the following changes:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# mail[name=SSH, [email protected]]
logpath = /var/log/secure
maxretry = 2
Change the log target in the fail2ban configuration file /etc/fail2ban/fail2ban.conf:
From >
logtarget = SYSLOG
To >
logtarget = /var/log/fail2ban.log
Initially the logs will arrive in the file "/var/log/secure". The log lines below show what is recorded until the IP is blocked. In this scenario, I have set maxretry as 2.
------
Jul 21 06:31:47 techmesrv sshd[31965]: Address 199.19.111.131 maps to mail1.lesbosmkt.info, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 06:31:50 techmesrv sshd[31965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.19.111.131 user=root
Jul 21 06:31:52 techmesrv sshd[31965]: Failed password for root from 199.19.111.131 port 39391 ssh2
--------
Once the log target is changed, the fail2ban logs are appended to "/var/log/fail2ban.log".
Parameters:
1.) enabled = true
>>
This enables the jail.
2.) # "bantime" is the number of seconds that a host is banned.
bantime = 3600
Fail2ban automatically unbans the host after this time. This can be seen in the fail2ban log file as:
2015-07-21 07:23:03,419 fail2ban.actions[2578]: WARNING [ssh-iptables] Ban xxx.xxx.xxx.xxx
2015-07-21 07:23:49,377 fail2ban.actions[2578]: WARNING [ssh-iptables] Unban xxx.xxx.xxx.xxx
I have set the bantime as 45 seconds. From the above logs, you can see that the interval between ban and unban is 46 sec.
3.) # "maxretry" is the number of failures before a host gets banned.
maxretry = 3
>>
The default maxretry is 3 attempts. On the fourth incorrect attempt, the host will be banned.
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
4.) findtime = 600
>>
This is a very useful parameter. It is set in seconds; the findtime above is 10 minutes. Findtime keeps track of failed login attempts within the specified timeframe.
If maxretry is set as 3, and the first incorrect login attempt is made at minute 1, the second at minute 5, the third at minute 7 and the fourth at minute 9, the IP will be blocked.
With the same settings, if the first attempt is made at minute 1, the second at minute 5, the third at minute 7 and the fourth incorrect attempt at minute 11, the IP will not be blocked, because "findtime" is set to 10 minutes. So setting a very low value of "findtime" can cause an IP not to be blocked.
5.) filter:
The filter rule. Its location is /etc/fail2ban/filter.d/sshd.conf
6.) action:
The action to perform when an IP is blocked. The rule has the form iptables[name=SSH, port=ssh, protocol=tcp].
The following action additionally sends a mail:
-----
sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]
-----
7.) logpath = /var/log/secure -- The log file location of the service. If this file does not receive logs, fail2ban will not work.
Note: If "/var/log/secure" does not receive logs, check the following section of the rsyslog configuration.
---
# The authpriv file has restricted access.
#authpriv.* -/var/log/secure
[root@techmesrv ~]#
---
If this line is commented out with "#", uncomment it and restart rsyslog with "/etc/init.d/rsyslogd restart".
Now check the file with: tail -f /var/log/secure
>>
The file should now be receiving new log lines.
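The bantime, maxretry and findtime parameters above (items 2 to 4) interact as a sliding window: a host is banned once the number of matching log lines inside the trailing "findtime" seconds reaches "maxretry", and the ban is lifted "bantime" seconds later. The script below is an added example, not fail2ban's own code, that replays that rule over constructed /var/log/secure lines and also measures the ban-to-unban interval from constructed fail2ban.log lines of the format shown above. The failregex is a simplified form of the "Failed password" pattern in filter.d/sshd.conf, the address 192.0.2.10 and all log lines are constructed, and the year 2015 is assumed because syslog lines carry none.

```python
"""
Replay of fail2ban's maxretry/findtime/bantime decision over sshd log lines,
plus a check of ban durations in fail2ban's own log.
Added example, not fail2ban's code. FAILREGEX is a simplified form of the
"Failed password" pattern in filter.d/sshd.conf; all log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Simplified failregex for the line sshd writes to /var/log/secure on a bad password.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
# Timestamp layout of fail2ban.log ("2015-07-21 07:23:03,419 fail2ban.actions[2578]: WARNING ...").
F2B_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\S*: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<host>\S+)$"
)
YEAR = 2015  # syslog lines carry no year; assumed for the constructed sample


def parse_failures(lines, year=YEAR):
    """(timestamp, host) for each line matching FAILREGEX, in log order."""
    found = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found


def simulate(lines, maxretry=3, findtime=600, bantime=45):
    """Ban a host when its matches within the trailing `findtime` seconds reach
    `maxretry`; lift the ban `bantime` seconds later. Returns
    [(event, host, "HH:MM:SS"), ...] in the order fail2ban would log them."""
    window = timedelta(seconds=findtime)
    recent, banned_until, actions = {}, {}, []
    for ts, host in parse_failures(lines):
        # Lift any ban whose bantime elapsed before this line was written.
        for h, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= ts:
                actions.append(("Unban", h, until.strftime("%H:%M:%S")))
                del banned_until[h]
        if host in banned_until:
            continue  # the iptables rule is already dropping this host
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            actions.append(("Ban", host, ts.strftime("%H:%M:%S")))
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent[host] = []  # counting restarts after the ban
    return actions


def ban_durations(f2b_lines):
    """Seconds between each Ban and its matching Unban in fail2ban.log, per host."""
    banned_at, durations = {}, {}
    for line in f2b_lines:
        m = F2B_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        if m.group("event") == "Ban":
            banned_at[host] = ts
        elif host in banned_at:
            durations[host] = int((ts - banned_at.pop(host)).total_seconds())
    return durations


# Constructed /var/log/secure sample: 192.0.2.10 fails at 06:01, 06:05, then 06:12
# (by then the 06:01 line has left the 10-minute window), then 06:14 (third
# in-window failure -> ban), tries again at 06:14:30 while banned, and at 06:16.
# The pam_unix line does not match the simplified failregex and is not counted.
SECURE_SAMPLE = [
    "Jul 21 06:01:00 techmesrv sshd[31965]: Failed password for root from 192.0.2.10 port 39391 ssh2",
    "Jul 21 06:05:00 techmesrv sshd[31970]: Failed password for root from 192.0.2.10 port 39392 ssh2",
    "Jul 21 06:05:10 techmesrv sshd[31970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Jul 21 06:12:00 techmesrv sshd[31980]: Failed password for root from 192.0.2.10 port 39393 ssh2",
    "Jul 21 06:14:00 techmesrv sshd[31990]: Failed password for invalid user admin from 192.0.2.10 port 39394 ssh2",
    "Jul 21 06:14:30 techmesrv sshd[31995]: Failed password for root from 192.0.2.10 port 39395 ssh2",
    "Jul 21 06:16:00 techmesrv sshd[32001]: Failed password for root from 192.0.2.10 port 39396 ssh2",
]

# Constructed fail2ban.log sample with a 45-second bantime, like the run in the text.
F2B_SAMPLE = [
    "2015-07-21 07:23:03,419 fail2ban.actions[2578]: WARNING [ssh-iptables] Ban 192.0.2.10",
    "2015-07-21 07:23:49,377 fail2ban.actions[2578]: WARNING [ssh-iptables] Unban 192.0.2.10",
]

if __name__ == "__main__":
    for event, host, when in simulate(SECURE_SAMPLE):
        print(f"{when} {event} {host}")
    print(ban_durations(F2B_SAMPLE))
```

Running it with the defaults (maxretry 3, findtime 600, bantime 45) bans 192.0.2.10 at 06:14:00 and unbans it at 06:14:45; the attempt at 06:14:30 is ignored because the host is already banned. Raising findtime to 900 keeps the 06:01 line inside the window, so the ban already lands at 06:12:00, which is the effect of findtime the text describes. The ban_durations check reports 46 seconds for the sample fail2ban.log lines, matching the interval noted above.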