Dear Friends,
Today I configured fail2ban on SUSE Linux; I will describe here how you can easily configure the same.
You can find the complete version of this document in pdf format with screenshots later on our site
http://www.linuxandsecurity.net.
So let's start.
What is fail2ban?
Fail2ban is open-source software that blocks brute-force and other abusive login attempts against your server machines. It stops such attacks by banning the offending IP address and alerting the administrator by e-mail.
On your SUSE box:
**Note: To test this without problems, disable your basic firewall; you can reconfigure it later.
1) Enable packman repository
2) yast -i fail2ban
Once fail2ban is installed, it will place two files in the /etc/fail2ban/ directory:
a) fail2ban.conf
b) jail.conf
The main configuration file for fail2ban is jail.conf.
I am only giving you an example for enabling the ssh service; however, you can enable fail2ban for various services such as ftp, apache and many more.
So here is a small configuration for ssh in jail.conf:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# (Here you can write the IPs which you do not wish to ban.)
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 60
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# "backend" specifies the backend used to get file modifications. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# The mail-whois action sends a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@linuxandsecurity.net, sender=fail2ban@mail.com]
# Note: according to my configuration and testing, /var/log/warn is the log path
# you need on SUSE 11.
logpath = /var/log/warn
maxretry = 5
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=admin@linuxandsecurity.net]
logpath = /var/log/mail
The above is a very basic configuration for setting up fail2ban for ssh.
Now save and exit the jail.conf file.
Now restart the sshd service:
/etc/init.d/sshd restart
and start fail2ban as below:
chkconfig --add fail2ban
/etc/init.d/fail2ban start
Check the status:
/etc/init.d/fail2ban status
Once started, you will receive an e-mail at the address mentioned above [I have used the "admin@linuxandsecurity.net" address] saying that fail2ban has started.
Test:
Now try to ssh in from any other IP address and give wrong passwords; try it 5 or 6 times.
Soon you will see that you can no longer ssh into the system configured with fail2ban, and you will receive another e-mail stating that Fail2ban has banned the <ip.ip.ip.ip> address.
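To show what the ssh-iptables jail above actually decides, here is a small added example (mine, not part of the original post or of fail2ban itself) that applies the jail's ignoreip, findtime and maxretry values to sshd "Failed password" lines of the kind written to /var/log/warn. The log lines are constructed, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values taken from the ssh-iptables jail (DEFAULT ignoreip/findtime, jail maxretry).
IGNOREIP = {"127.0.0.1"}
FINDTIME = 60   # seconds
MAXRETRY = 5

# Constructed sample of syslog-style sshd lines as they appear in /var/log/warn.
SAMPLE_LOG = """\
Jan 10 12:00:01 suse sshd[2211]: Failed password for root from 198.51.100.23 port 51000 ssh2
Jan 10 12:00:05 suse sshd[2212]: Failed password for invalid user bob from 198.51.100.23 port 51001 ssh2
Jan 10 12:00:09 suse sshd[2213]: Failed password for root from 198.51.100.23 port 51002 ssh2
Jan 10 12:00:12 suse sshd[2214]: Failed password for root from 198.51.100.23 port 51003 ssh2
Jan 10 12:00:20 suse sshd[2215]: Failed password for root from 198.51.100.23 port 51004 ssh2
Jan 10 12:00:30 suse sshd[2216]: Failed password for root from 127.0.0.1 port 51005 ssh2
Jan 10 12:05:00 suse sshd[2217]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan 10 12:10:00 suse sshd[2218]: Failed password for root from 203.0.113.7 port 51007 ssh2
"""

# Timestamp and source address of one sshd failure line (what the sshd filter extracts).
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)
ASSUMED_YEAR = "2024"  # syslog lines carry no year; assumed for the sample

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return [(ip, timestamp)] for each host that reaches maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bans, banned = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in ignoreip or ip in banned:   # whitelisted, or already banned
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned.add(ip)
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the jail's values only 198.51.100.23 is banned; 127.0.0.1 is whitelisted and 203.0.113.7's two failures are five minutes apart, so they never accumulate inside the 60-second window.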
That's it.
Enjoy!
If you are unable to set up fail2ban, send me an e-mail at
admin@linuxandsecurity.net
darklord