Part 11: Install and configure fail2ban


1) install fail2ban:

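# Fetch a fail2ban source tarball from GitHub and install it system-wide.
# NOTE(review): this pulls the moving 'master' branch and installs it as root
# with no checksum or signature verification. Prefer a pinned release tag and
# compare the tarball against a digest obtained out of band before installing.
cd ~ &&
  # -f: treat an HTTP error as a failure instead of saving the error page as the tarball
  # -L: follow the redirect codeload may answer with
  curl -fL https://codeload.github.com/fail2ban/fail2ban/legacy.tar.gz/master -o fail2ban.tar.gz &&
  # echo '<EXPECTED_SHA256_PLACEHOLDER>  fail2ban.tar.gz' | sha256sum -c - &&
  tar zxvf fail2ban.tar.gz &&
  # The trailing slash restricts the glob to the unpacked directory; a bare
  # 'fail2ban*' also matches fail2ban.tar.gz and hands cd two arguments.
  cd fail2ban-*/ &&
  ./setup.py install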

2) Setup system stuff for fail2ban:

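# Wire the unpacked tree into the system: SysV init script, logrotate policy
# and bash completion. 'install' sets an explicit mode on each file; plain 'cp'
# would carry over whatever mode the unpacked tree (or an existing target) has.
cd ~ &&
  cd fail2ban-*/ &&
  install -m 0755 ./files/redhat-initd /etc/init.d/fail2ban &&
  chkconfig --add fail2ban &&
  install -m 0644 ./files/fail2ban-logrotate /etc/logrotate.d/fail2ban &&
  install -m 0644 ./files/bash-completion /etc/bash_completion.d/fail2ban-bash-completion.sh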

3) Configure fail2ban email settings:

# Mail settings shared by the sendmail-* actions; you probably want to change
# sender, and maybe dest, to addresses that exist for this host.
vim -- /etc/fail2ban/action.d/sendmail-common.conf

Enable a few fail2ban jails:

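# Hand-edit jail.conf to enable a few of the stock jails. The settings listed
# below are what to change inside the editor, not commands to run.
vim -- /etc/fail2ban/jail.conf
# Set "enabled = true" under the following headers:
#   [ssh-iptables], [apache-badbots], [php-url-fopen]
# Point the sendmail-whois action at addresses that make sense, in this case:
#   sendmail-whois[name=SSH, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername="Fail2Ban"]
# Set logpath to the real Apache log location (on RHEL /etc/httpd/logs is
# normally a symlink to /var/log/httpd):
#   logpath  = /etc/httpd/logs/*access_log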

4) Add a few additional fail2ban jails for NFG hosts that are poking around:

echo "" >> /etc/fail2ban/jail.conf
echo "[apache-auth]" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "enabled  = true" >> /etc/fail2ban/jail.conf
echo "filter   = apache-auth" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=ApacheAuth, port=\"http,https\"]" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=ApacheAuth, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath  = /etc/httpd/logs/*error_log"
echo "maxretry = 6" >> /etc/fail2ban/jail.conf

echo "" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "[apache-overflows]" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "enabled  = true" >> /etc/fail2ban/jail.conf
echo "filter   = apache-overflows" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=ApacheOverflows, port=\"http,https\"]" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=ApacheOverflows, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath  = /etc/httpd/logs/*error_log"

echo "" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "[apache-noscript]" >> /etc/fail2ban/jail.conf
echo "enabled  = true" >> /etc/fail2ban/jail.conf
echo "port     = http,https" >> /etc/fail2ban/jail.conf
echo "filter   = apache-noscript" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=ApacheNoScript, port=\"http,https\"]" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=ApacheNoScript, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath  = /etc/httpd/logs/*error.log" >> /etc/fail2ban/jail.conf
echo "maxretry = 3" >> /etc/fail2ban/jail.conf

echo "" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "[apache-post]" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "enabled = true" >> /etc/fail2ban/jail.conf
echo "filter = apache-post" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=ApachePostFlood, port=\"http,https\"]" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=ApachePostFlood, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath = /etc/httpd/logs/*access_log" >> /etc/fail2ban/jail.conf
echo "findtime = 10" >> /etc/fail2ban/jail.conf
echo "bantime = 183600" >> /etc/fail2ban/jail.conf
echo "maxretry = 10" >> /etc/fail2ban/jail.conf

echo "" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "[apache-phpmyadmin]" >> /etc/fail2ban/jail.conf
echo "enabled  = true" >> /etc/fail2ban/jail.conf
echo "port     = http,https" >> /etc/fail2ban/jail.conf
echo "filter   = apache-phpmyadmin" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=Apachephpmyadminbot, port=\"http,https\"]" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=Apachephpmyadminbot, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath  = /etc/httpd/logs/*error.log" >> /etc/fail2ban/jail.conf
echo "maxretry = 3" >> /etc/fail2ban/jail.conf

5) Configure a few filters for use with the above jails:

echo "# Fail2Ban configuration file" > /etc/fail2ban/filter.d/apache-post.conf
echo "#" >> /etc/fail2ban/filter.d/apache-post.conf
echo "#" >> /etc/fail2ban/filter.d/apache-post.conf
echo "# $Revision: 1 $" >> /etc/fail2ban/filter.d/apache-post.conf
echo "#" >> /etc/fail2ban/filter.d/apache-post.conf
echo "" >> /etc/fail2ban/filter.d/apache-post.conf
echo "[Definition]" >> /etc/fail2ban/filter.d/apache-post.conf
echo "# Option: failregex" >> /etc/fail2ban/filter.d/apache-post.conf
echo "# Notes.: Regexp to catch known spambots and software alike. Please verify" >> /etc/fail2ban/filter.d/apache-post.conf
echo "# that it is your intent to block IPs which were driven by" >> /etc/fail2ban/filter.d/apache-post.conf
echo "# abovementioned bots." >> /etc/fail2ban/filter.d/apache-post.conf
echo "# Values: TEXT" >> /etc/fail2ban/filter.d/apache-post.conf
echo "#" >> /etc/fail2ban/filter.d/apache-post.conf
echo "failregex = ^<HOST> -.*”POST.*" >> /etc/fail2ban/filter.d/apache-post.conf
echo "" >> /etc/fail2ban/filter.d/apache-post.conf
echo "ignoreregex =" >> /etc/fail2ban/filter.d/apache-post.conf

echo "# Fail2Ban configuration file" > /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Bans bots scanning for non-existing phpMyAdmin installations on your webhost." >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Author: Gina Haeussge" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "[Definition]" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "docroot = /var/www" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Option:  failregex" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Notes.:  Regexp to match often probed and not available phpmyadmin paths." >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Values:  TEXT" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "ignoreregex =" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf

6) fail2ban’s default configuration can be reviewed:

vim /etc/fail2ban/fail2ban.conf

7) start and test fail2ban

# Bring the daemon up, then confirm it answers on its control socket.
service fail2ban start
fail2ban-client ping   # expected reply from the server: pong

8) If you wish to write further filter definitions (regexes that match lines in a log), put them in /etc/fail2ban/filter.d.
Check out github.com for some possibilities: gists and repositories there carry many examples.
Be smart. As an example of your own definition, try matching the return code mod_security produces (403):

echo "" >> /etc/fail2ban/jail.conf
echo "" >> /etc/fail2ban/jail.conf
echo "[apache-403]" >> /etc/fail2ban/jail.conf
echo "enabled = true" >> /etc/fail2ban/jail.conf
echo "port = http,https" >> /etc/fail2ban/jail.conf
echo "filter = apache-403" >> /etc/fail2ban/jail.conf
echo "action   = iptables-multiport[name=Apache403, port=\"http,https\"]" >> /etc/fail2ban/jail.conf" >> /etc/fail2ban/jail.conf
echo "           sendmail-whois[name=Apache403, dest=mbrown@domainy.com, sender=robot@domainy.com, sendername=\"Fail2Ban\"]" >> /etc/fail2ban/jail.conf
echo "logpath = /etc/httpd/logs/*access.log" >> /etc/fail2ban/jail.conf
echo "bantime = 3600" >> /etc/fail2ban/jail.conf
echo "findtime = 600" >> /etc/fail2ban/jail.conf
echo "maxretry = 2" >> /etc/fail2ban/jail.conf

echo "# Fail2Ban configuration file" > /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# Author: Giuseppe Urso modified by matt brown" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "# $Revision: 1 $" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "#" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "[Definition]" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "failregex = (?P[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 403 [0-9]+ " >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf
echo "ignoreregex =" >> /etc/fail2ban/filter.d/apache-phpmyadmin.conf