Too many failures, and it will update your firewall to drop all traffic from the offending IP address. Pretty handy, and enough to stop the casual hacker with a dictionary attack.
Fail2ban is very flexible and can be configured to work with any service that writes to a logfile, but here are the basics to get you up and protected in a few minutes.
1. Get the files
cd to /tmp for a nice place for them to land, then
wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
2. Extract them
tar -xf fail2ban-0.8.4.tar.bz2
3. Head to the new directory and install
cd fail2ban-0.8.4
then (you need to have python installed)…
python setup.py install
All installed ok?
4. Get it starting up automatically
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
5. Config
You’ll need to turn some stuff on, and fiddle with settings to your liking in:
/etc/fail2ban/jail.conf
If you’re enabling ssh-iptables, the logpath for SSH monitoring needs to be changed to /var/log/secure (that is where CentOS logs sshd authentication failures).
You can determine the services being monitored, number of retries a user is allowed, as well as the ban time in this settings file.
Once you’re configured, start the service with:
service fail2ban start
6. Test
You can test the rules per service using:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
The defaults should work correctly for SSH, but if they don't, check out this article for more options.
NOTE: Fail2ban 0.8.4 doesn't ban VSFTPD failures
Once I realized that fail2ban was configured to ignore failed logins from my LAN IPs, I did manage to get banned. The following settings worked for me:
/etc/vsftpd/vsftpd.conf:
dual_log_enable=YES
use_localtime=YES
/etc/fail2ban/jail.conf:
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=root@localhost, sender=fail2ban@pbx.dyndns.org]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 1800
I left default settings for iptables and for /etc/fail2ban/filter.d/vsftpd.conf
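To make the count-then-ban logic of step 6 and the VSFTPD note concrete, here is an added shell example (not code from the original post or from the fail2ban project) that emulates what the sshd and vsftpd filters do: extract the offending IP from each failed-login line, count failures per IP, drop anything covered by ignoreip, and print the iptables rule the iptables action would add. The log lines are constructed samples; the sshd format follows what sshd writes to /var/log/secure, and the vsftpd format is the one assumed for /var/log/vsftpd.log with dual_log_enable=YES. The ignoreip handling is a deliberate simplification (exact IPs or a dotted prefix such as 192.168.1. rather than real CIDR matching), and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: emulate fail2ban's count-then-ban decision on constructed log lines.
# Nothing here touches iptables; ban_rule only prints the rule that would be added.

# Constructed sample of /var/log/secure (sshd). Not real log data.
SAMPLE_SECURE='Mar  3 10:01:01 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:03 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:05 host sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:01:09 host sshd[2004]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
Mar  3 10:01:12 host sshd[2005]: Failed password for invalid user test from 192.168.1.20 port 40010 ssh2
Mar  3 10:01:14 host sshd[2006]: Failed password for invalid user test from 192.168.1.20 port 40011 ssh2
Mar  3 10:01:16 host sshd[2007]: Failed password for invalid user test from 192.168.1.20 port 40012 ssh2'

# Constructed sample of /var/log/vsftpd.log (format assumed for dual_log_enable=YES). Not real log data.
SAMPLE_VSFTPD='Wed Mar  3 10:02:01 2011 [pid 3001] [anonymous] FAIL LOGIN: Client "198.51.100.9"
Wed Mar  3 10:02:02 2011 [pid 3002] [anonymous] FAIL LOGIN: Client "198.51.100.9"
Wed Mar  3 10:02:03 2011 [pid 3003] [anonymous] FAIL LOGIN: Client "198.51.100.9"
Wed Mar  3 10:02:10 2011 [pid 3004] [ftpuser] OK LOGIN: Client "203.0.113.5"'

# extract_failures FILTER: read log lines on stdin, print the offending IP of each failed login.
# These sed patterns stand in for the failregex lines of filter.d/sshd.conf and filter.d/vsftpd.conf.
extract_failures() {
  case "$1" in
    sshd)   sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' ;;
    vsftpd) sed -n 's/.*FAIL LOGIN: Client "\([0-9.]*\)".*/\1/p' ;;
    *)      echo "unknown filter: $1" >&2; return 1 ;;
  esac
}

# offenders FILTER MAXRETRY [IGNOREIP...]: print IPs with at least MAXRETRY failures that are not
# in the ignore list. Ignore entries are exact IPs or dotted prefixes ("192.168.1."), a simplification
# of fail2ban's ignoreip, which also accepts CIDR ranges.
offenders() {
  filter=$1; maxretry=$2; shift 2
  extract_failures "$filter" | sort | uniq -c | awk -v max="$maxretry" -v ignore="$*" '
    BEGIN { n = split(ignore, ign, " ") }
    $1 >= max {
      for (i = 1; i <= n; i++) {
        e = ign[i]
        if ($2 == e || (substr(e, length(e)) == "." && index($2, e) == 1)) next
      }
      print $2
    }'
}

# ban_rule IP PORT: the rule fail2ban's iptables action inserts for a banned host (printed, not run).
ban_rule() {
  printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$1" "$2"
}

# Walk-through: with only the default ignoreip (127.0.0.1) both sshd attackers are banned;
# adding the LAN prefix to ignoreip is what hides the 192.168.1.20 attempts, as the note above found.
printf '%s\n' "$SAMPLE_SECURE" | offenders sshd 3 127.0.0.1 | while read -r ip; do ban_rule "$ip" ssh; done
printf '%s\n' "$SAMPLE_SECURE" | offenders sshd 3 127.0.0.1 192.168.1. | while read -r ip; do ban_rule "$ip" ssh; done
printf '%s\n' "$SAMPLE_VSFTPD" | offenders vsftpd 3 127.0.0.1 | while read -r ip; do ban_rule "$ip" ftp; done
```

Run it as `sh example.sh` and compare the output with `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` on a real host: the match count fail2ban-regex reports is the same per-IP tally this script computes, and the second walk-through line shows why a LAN address in ignoreip makes a jail appear to do nothing during local testing.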
REFERENCES
http://www.md3v.com/install-fail2ban-on-centos-5-5
http://willgrant.org/install-fail2ban-on-centos-5-6/
http://pbxinaflash.com/forum/showthread.php?t=9847