Difference between revisions of "Fail2Ban"

From Fail2ban
Jump to navigationJump to search
(Minor grammar edits)
Line 22: Line 22:
 
   
 
   
 
  Fail2Ban is rather simple. I have a home server connected to
 
  Fail2Ban is rather simple. I have a home server connected to
  the Internet which runs apache, samba, sshd, ... I see in my
+
  the Internet which runs apache, samba, sshd, and some other
logs that people are trying to log into my box using "manual"
+
services. I saw in my logs that people are trying to log into
brute force or scripts. They try 10, 20 and sometimes more
+
my box using brute force, either "manually" or with scripts.
user/password (without success anyway). In order to
+
They have tried 10, 20 and sometimes more user/password
  discourage these script kiddies, I wanted that sshd refuses
+
combinations, without success. In order to discourage these
login from a specific ip after 3 password failures. After
+
  script kiddies, I wanted sshd to refuse login from a specific
  some Google searches, I found that sshd was not able of that.
+
IP address after 3 password failures. After some Google
  So I searched for a script or program that does it. I found
+
  searches, I found that sshd was not able of that, so I
  nothing :-( So I decide to write my own and to learn Python :-)
+
  searched for a script or program that does it. I found
 +
  nothing. :-( So I decided to write my own, and to learn
 +
Python. :-)
 
   
 
   
 
  For each section defined in the configuration file, Fail2Ban
 
  For each section defined in the configuration file, Fail2Ban
 
  tries to find lines which match the failregex. Then it
 
  tries to find lines which match the failregex. Then it
 
  retrieves the message time using timeregex and timepattern.
 
  retrieves the message time using timeregex and timepattern.
  It finally gets the ip and if it has already done 3 or more
+
  It finally gets the IP, and if that IP has already caused 3
password failures in the last banTime, the ip is banned for
+
or more password failures within the last banTime, it is
banTime using a firewall rule. This rule is set by the user
+
banned for banTime using a firewall rule. This rule is set
in the configuration file. Thus, Fail2Ban can be adapted for
+
by the user in the configuration file; thus, Fail2Ban can be
lots of firewalls. After banTime, the rule is deleted. Notice
+
adapted for many different firewalls. After banTime, the rule
that if no "plain" ip is available, Fail2Ban tries to do a DNS
+
is deleted. Notice that if no "plain" IP is available,
lookup in order to find one or several ip's to ban.
+
Fail2Ban tries to do a DNS lookup in order to find one or
 +
several IP addresses to ban.
 
   
 
   
  Sections can be freely added so it is possible to monitor
+
  Sections can be freely added to the configuration file, so it
several daemons at the same time.
+
is possible to monitor several daemons at the same time.
 
   
 
   
  Runs on my server and does its job rather well :-) The idea
+
  Fail2Ban runs on my server and does its job rather well :-)
is to make fail2ban usable with daemons and services that
+
The idea is to make Fail2Ban usable with daemons and services
  require a login (sshd, telnetd, ...) and with different
+
  that require a login (sshd, telnetd, ...) and with different
 
  firewalls.
 
  firewalls.
 
   
 
   
Line 55: Line 58:
 
  -------------
 
  -------------
 
   
 
   
  Require: python-2.4 (http://www.python.org)
+
  Requires: python-2.4 (http://www.python.org)
 
   
 
   
  To install, just do:
+
  To install, just run:
 
   
 
   
 
  > tar xvfj fail2ban-0.6.1.tar.bz2
 
  > tar xvfj fail2ban-0.6.1.tar.bz2
Line 70: Line 73:
 
  RedHat: packages are available on the website.
 
  RedHat: packages are available on the website.
 
   
 
   
  Fail2Ban should now be correctly installed. Just type:
+
  Fail2Ban should now be correctly installed. Just run:
 
   
 
   
 
  > fail2ban -h
 
  > fail2ban -h

Revision as of 01:28, 20 August 2006

               __      _ _ ___ _
              / _|__ _(_) |_  ) |__  __ _ _ _
             |  _/ _` | | |/ /| '_ \/ _` | ' \
             |_| \__,_|_|_/___|_.__/\__,_|_||_|

=============================================================
Fail2Ban (version 0.6.1)                           2006/03/16
=============================================================

Fail2Ban scans log files like /var/log/pwdfail and bans IP
that makes too many password failures. It updates firewall
rules to reject the IP address. These rules can be defined by
the user. Fail2Ban can read multiple log files such as sshd
or Apache web server ones.

This is my first Python program. Moreover, English is not my
mother tongue...


More details:
-------------

Fail2Ban is rather simple. I have a home server connected to
the Internet which runs apache, samba, sshd, and some other
services. I saw in my logs that people are trying to log into
my box using brute force, either "manually" or with scripts.
They have tried 10, 20 and sometimes more user/password
combinations, without success. In order to discourage these
script kiddies, I wanted sshd to refuse login from a specific
IP address after 3 password failures. After some Google
searches, I found that sshd was not able of that, so I
searched for a script or program that does it. I found
nothing. :-( So I decided to write my own, and to learn
Python. :-)

For each section defined in the configuration file, Fail2Ban
tries to find lines which match the failregex. Then it
retrieves the message time using timeregex and timepattern.
It finally gets the IP, and if that IP has already caused 3
or more password failures within the last banTime, it is
banned for banTime using a firewall rule. This rule is set
by the user in the configuration file; thus, Fail2Ban can be
adapted for many different firewalls. After banTime, the rule
is deleted. Notice that if no "plain" IP is available,
Fail2Ban tries to do a DNS lookup in order to find one or
several IP addresses to ban.

Sections can be freely added to the configuration file, so it
is possible to monitor several daemons at the same time.

Fail2Ban runs on my server and does its job rather well :-)
The idea is to make Fail2Ban usable with daemons and services
that require a login (sshd, telnetd, ...) and with different
firewalls.


Installation:
-------------

Requires: python-2.4 (http://www.python.org)

To install, just run:

> tar xvfj fail2ban-0.6.1.tar.bz2
> cd fail2ban-0.6.1
> python setup.py install

This will install Fail2Ban into /usr/lib/fail2ban. The
fail2ban executable is placed into /usr/bin.

Gentoo: ebuilds are available on the website.
Debian: Fail2Ban is in Debian unstable.
RedHat: packages are available on the website.

Fail2Ban should now be correctly installed. Just run:

> fail2ban -h

to see if everything is alright. You can configure fail2ban
with a config file. Different kind of configuration files are
available:

iptables:   copy config/fail2ban.conf.iptables to
            /etc/fail2ban.conf
hosts.deny: copy config/fail2ban.conf.hostsdeny to
            /etc/fail2ban.conf
shorewall:  copy config/fail2ban.conf.shorewall to
            /etc/fail2ban.conf

Do not forget to edit fail2ban.conf to meet your needs.

You can use the initd script available in config/. Copy
<dist>-initd to /etc/init.d/fail2ban. Gentoo users must copy
gentoo-confd to /etc/conf.d/fail2ban. You can start fail2ban:

> /etc/init.d/fail2ban start

Gentoo users can add it to the default runlevel:

> rc-update add fail2ban default

Configuration:
--------------

You can configure fail2ban using the file /etc/fail2ban.conf
or using command line options. Command line options override
the value stored in fail2ban.conf. Here are the command line
options:

  -b         start in background
  -c <FILE>  read configuration file FILE
  -p <FILE>  create PID lock in FILE
  -h         display this help message
  -i <IP(s)> IP(s) to ignore
  -k         kill a currently running instance
  -r <VALUE> allow a max of VALUE password failure [maxfailures]
  -t
Retrieved from "http://wiki.fail2ban.org/wiki/index.php?title=Fail2Ban&oldid=1531"