Tuesday, June 15, 2010

How-to: Install fail2ban 0.8.4 in CentOS

SkyHi @ Tuesday, June 15, 2010
Hello all:



This is a collection of oddities and installation issues with fail2ban 0.8.4. I originally used a CentOS Optimized version; I had to remove the fail2ban that came with it initially because it appeared to be a Debian version. In any event, I believe the tips apply.



Here are some of the instructions I followed for basic installation and configuration:



http://felipeferreira.net/?p=47

http://www.fail2ban.org/wiki/index.p...2FLinux_system



Here is the list of issues I found:

  1. Python Version: CentOS comes with a few versions of python: 2.4 and the standard one. If you get a "SyntaxError: invalid syntax" or "bad interpreter" error when restarting or shutting down fail2ban manually, check the interpreter path in fail2ban-client and fail2ban-server inside the /usr/bin folder. Do a whereis for python and adjust the path (very first line of the file) accordingly.



    In my case I had to point it to 2.4. The reasons why are a mystery to me...




    Quote:

    fail2ban-client -h
    File "/usr/bin/fail2ban-client", line 360
    @staticmethod
    ^
    SyntaxError: invalid syntax



    I found a way to work around this problem with CentOS. Apparently CentOS has multiple versions of Python installed. Modify /usr/bin/fail2ban-client and /usr/bin/fail2ban-server so that the first line on each reads as follows:



    #!/usr/local/bin/python2. <----(make sure YOUR path is the right one)

    (or wherever the direct executable for python2.4 is). By default it reads as #!/usr/bin/python, which is apparently an earlier version of python. If you don't know where python2.4 is located, you can find it by typing the following:

    whereis python2


    I also picked up reports that python 2.6 may not work with fail2ban. So you know.


  2. Missing Filters or Actions: Your jail.conf file (or jail.local if you duplicate it) should already have "-iptables" entries in it (example: [ssh-iptables]). If it does not, then you installed the wrong version of fail2ban or it did not compile properly.



    Check also /etc/fail2ban/filter.d, as the filters referred to in jail.conf should be there. If not, same as before: wrong fail2ban server installation or an older version of it.


  3. Make sure that in jail.conf (or jail.local if you duplicate it) the path to the log being checked is correct. In CentOS there is no auth.log: use /var/log/secure instead. If you do not, the system fails to extract the failed logins and nothing happens.


  4. Run fail2ban-regex to check the /var/log/secure log against the filter. You should get matches as defined by the regular expressions in each filter; when it finishes you should see output like the following (this is a brand new server, so I only have 3 matches):



    In this example I am checking SSH:




    Code:

    fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

    and the output being:

    Code:

    Failregex
    |- Regular expressions:
    |  [1] (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
    |  [2] Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
    |  [3] ROOT LOGIN REFUSED.* FROM <HOST>\s*$
    |  [4] [iI](?:llegal|nvalid) user .* from <HOST>\s*$
    |  [5] Invalid user .* from <HOST>\s*$
    |  [6] User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
    |  [7] User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
    |  [8] Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
    |  [9] authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
    |
    `- Number of matches:
       [1] 0 match(es)
       [2] 0 match(es)
       [3] 0 match(es)
       [4] 0 match(es)
       [5] 0 match(es)
       [6] 0 match(es)
       [7] 0 match(es)
       [8] 0 match(es)
       [9] 3 match(es)

    However, if you get a "Sorry, no matches" result and everything else has been properly configured, then the problem is the regular expressions in the target filter configuration against which the log is being compared. Following the SSH example above, that would be the /etc/fail2ban/filter.d/sshd.conf file.



    EDIT: Make sure you actually have real rejections to get a match. That is, if you have just installed the server and not tried to manually trigger a ban, then obviously there will be no matches, as there is nothing to match. Generate a ban on your own IP.



    TIP: Temporarily change the ban duration time to something short like 15 to 30 seconds BEFORE you do this, otherwise you may lock yourself out. If you do, use the console (ouch) and FLUSH the iptables to get back in. Easy.



    Depending on your server, these expressions will need to be tweaked. The ones that came out of the box did not work for me. Luckily I found one set for CentOS that did work for me, which I paste below. Again, for SSH only, but you can use it as a base for the rest. DO CHECK, though:




    Code:

    failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
                ROOT LOGIN REFUSED.* FROM <HOST>\s*$
                [iI](?:llegal|nvalid) user .* from <HOST>\s*$
                Invalid user .* from <HOST>\s*$
                User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
                User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
                Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
                authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
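As an added example (not code from this post or from the fail2ban project), the following Python script applies the nine failregex lines quoted above to a few constructed /var/log/secure lines and reports per-pattern counts in the style of fail2ban-regex, so you can see which expressions actually fire on CentOS's PAM-style "authentication failure; ... rhost=" entries before editing sshd.conf. The <HOST> expansion (HOST_RE), the sample log lines and the host names and addresses in them are assumptions of this example, not the project's; the script counts every pattern that matches a line independently, so overlapping patterns such as [4] and [5] can both score on the same line.

```python
import re
from collections import Counter

# The nine sshd failregex patterns quoted in the post (fail2ban 0.8.4 sshd.conf).
FAILREGEX = [
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"Invalid user .* from <HOST>\s*$",
    r"User .+ from <HOST> not allowed because not listed in AllowUsers\s*$",
    r"User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
    r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
    r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
]

# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion. It captures
# an IPv4 address or hostname into the named group "host".
HOST_RE = r"(?P<host>[\w\-.]+)"

# Constructed sample /var/log/secure lines (CentOS syslog format, RFC 5737 test
# addresses); not taken from any real server.
SAMPLE_LOG = [
    "Jun 15 10:01:02 web1 sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Jun 15 10:01:05 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Jun 15 10:02:11 web1 sshd[1240]: Invalid user admin from 198.51.100.7",
    "Jun 15 10:03:00 web1 sshd[1250]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2",
    "Jun 15 10:04:30 web1 sshd[1260]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9",
]


def compile_failregex(patterns):
    """Expand <HOST> in each pattern and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def check_log(lines, patterns=FAILREGEX):
    """Match every line against every pattern.

    Returns (counts, hosts): counts[i] is how many lines pattern i matched, and
    hosts maps each extracted host to the number of lines that implicated it
    (a line counts once per host, even if several patterns matched it).
    """
    compiled = compile_failregex(patterns)
    counts = [0] * len(compiled)
    hosts = Counter()
    for line in lines:
        seen = set()
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                counts[i] += 1
                seen.add(m.group("host"))
        for h in seen:
            hosts[h] += 1
    return counts, hosts


def format_report(counts):
    """Render the per-pattern counts in the style of fail2ban-regex output."""
    out = ["`- Number of matches:"]
    for i, n in enumerate(counts, start=1):
        out.append("   [%d] %d match(es)" % (i, n))
    if not any(counts):
        out.append("Sorry, no matches")
    return "\n".join(out)


if __name__ == "__main__":
    counts, hosts = check_log(SAMPLE_LOG)
    print(format_report(counts))
    for host, n in hosts.most_common():
        print("%s would be a ban candidate (%d matching line(s))" % (host, n))
```

Run it against your own file with `check_log(open("/var/log/secure"))` to see which patterns match your distribution's wording; if a real rejection is logged but every count stays at zero, the expression, not the jail, is what needs fixing, which is exactly the "Sorry, no matches" case described above.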

    Make sure you restart the fail2ban server after all these changes:

    Code:

    service fail2ban restart


REFERENCES
http://www.vps.net/forum/public-forums/tutorials-and-how-tos/1481-how-to-install-fail2ban-0-8-4-in-centos