Difference between revisions of "MANUAL 0 8"
Lostcontrol (talk | contribs) m (→Server) |
Lostcontrol (talk | contribs) (→Client) |
||
| Line 69: | Line 69: | ||
The [[FAQ]] have a more detailed explanation of installing using distributions such as [http://debian.org Debian], [http://redhat.com RedHat] and [http://gentoo.org Gentoo] | The [[FAQ]] have a more detailed explanation of installing using distributions such as [http://debian.org Debian], [http://redhat.com RedHat] and [http://gentoo.org Gentoo] | ||
| + | |||
| + | |||
| + | == Server == | ||
| + | |||
| + | {{Fail2ban}} is composed of 2 parts: a client and a server. The server is multi-threaded and listen on a Unix socket for commands. The server itself knows nothing about the configuration files. Thus, at startup, the server is in a "default" state in which no jails are defined. The following options are available for '''fail2ban-server''': | ||
| + | |||
| + | -b start in background | ||
| + | -f start in foreground | ||
| + | -s <FILE> socket path | ||
| + | -x force execution of the server | ||
| + | -h, --help display this help message | ||
| + | -V, --version print the version | ||
| + | |||
| + | '''fail2ban-server''' should not be used directly except in case of debugging. The option '''-s <FILE>''' is probably the most important one and is used to set the socket path. Thus, it is possible to run several instances of {{Fail2ban}} on different sockets. However, this should be not required because {{Fail2ban}} can run several jails concurrently. | ||
| + | |||
| + | If '''fail2ban-server''' crashes (does it?), it is possible that the socket file has not been removed correctly. The '''-x''' option tells the server to delete the socket file before startup. If the socket file of a running server is removed, it is not possible to communicate with this server anymore. | ||
| + | |||
| + | The server handles the signals ''SIGTERM'' and ''SIGINT''. When receiving one of these signals, '''fail2ban-server''' will quit nicely. | ||
| + | |||
| + | |||
| + | == Client == | ||
| + | |||
| + | '''fail2ban-client''' is the frontend of {{Fail2ban}}. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send single command to the server using command line or interactive mode (can be activated with '''-i'''). '''fail2ban-client''' can also start the server. The following options are available for '''fail2ban-client''': | ||
| + | |||
| + | -c <DIR> configuration directory | ||
| + | -s <FILE> socket path | ||
| + | -d dump configuration. For debugging | ||
| + | -i interactive mode | ||
| + | -v increase verbosity | ||
| + | -q decrease verbosity | ||
| + | -x force execution of the server | ||
| + | -h, --help display this help message | ||
| + | -V, --version print the version | ||
| + | |||
| + | As for '''fail2ban-server''', the option '''-s <FILE>''' can be used to set the socket path. Notice that this command line option overrides the '''socket''' option set in ''fail2ban.conf''. The default configuration directory is ''/etc/fail2ban'' but can be override with the '''-c <DIR>''' option. The '''-x''' option is simply forwarded to '''fail2ban-server''' when starting the server. | ||
| + | |||
| + | An useful option for debugging is '''-d'''. This prints the configuration parsed by '''fail2ban-client'''. The output corresponds to the stream sent to the server. If the output of '''-d''' shows: | ||
| + | |||
| + | ['set', 'loglevel', 1] | ||
| + | ['set', 'logtarget', 'STDERR'] | ||
| + | |||
| + | It is possible to achieve the same with: | ||
| + | |||
| + | $ fail2ban-client set loglevel 1 | ||
| + | $ fail2ban-client set logtarget STDERR | ||
| + | |||
== Configuration == | == Configuration == | ||
| − | The standard path for the configuration is in ''/etc/fail2ban''. This can be set with the '''-c''' option of fail2ban-client. A typical configuration looks like this: | + | The standard path for the configuration is in ''/etc/fail2ban''. This can be set with the '''-c''' option of '''fail2ban-client'''. A typical configuration looks like this: |
/etc/fail2ban/ | /etc/fail2ban/ | ||
| Line 99: | Line 145: | ||
Every ''.conf'' file can be overriden with a file named ''.local''. Modification should take place in the ''.local'' and not in the ''.conf''. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there. | Every ''.conf'' file can be overriden with a file named ''.local''. Modification should take place in the ''.local'' and not in the ''.conf''. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there. | ||
| − | * The file ''fail2ban.conf'' contains settings like the logging level or the logging target of fail2ban-server. You can also specify here the socket path used for the communication between the client and the server. | + | * The file ''fail2ban.conf'' contains settings like the logging level or the logging target of '''fail2ban-server'''. You can also specify here the socket path used for the communication between the client and the server. |
* The most important file is probably ''jail.conf'' which contains the declaration of your jails. | * The most important file is probably ''jail.conf'' which contains the declaration of your jails. | ||
| Line 108: | Line 154: | ||
Filter and actions are combinated to create jails. Only one filter is allowed pro jail but it is possible to specify several actions. For example, you can react to a SSH breakin attempt by first adding a new firewall rule, then retrieving some information about the offending host using ''whois'' and finally sending yourself an e-mail notification. Or maybe you just want to received a notification on your Jabber account when someone accesses the page ''/donotaccess.html'' on your web server. | Filter and actions are combinated to create jails. Only one filter is allowed pro jail but it is possible to specify several actions. For example, you can react to a SSH breakin attempt by first adding a new firewall rule, then retrieving some information about the offending host using ''whois'' and finally sending yourself an e-mail notification. Or maybe you just want to received a notification on your Jabber account when someone accesses the page ''/donotaccess.html'' on your web server. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 16:34, 15 December 2006
Introduction
The problem
Brute-force breakin attempts are quite frequent against an SSH server. Automated scripts try multiple combinations of username/password and sometimes changing the port to something other than 22 can't be done. Furthermore, scouring your log files yourself is not only time consuming, but can be difficult too.
Fail2ban attempts to aleviate these issues by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manor.
The solution
Log files contain interesting information, especially about failed logins. This information can be used to ban an offensive host. This is exactly what Fail2ban does. It scans log files and detect patterns which correspond to possible breakin attempts and then performs actions. Most of the time, it consists of adding a new rule in a firewall chain and sending an e-mail notification to the system administrator.
Here is a list of the most important features available in Fail2ban:
- client/server
- multithreaded
- Gamin support
- autodetection of the date/time format
- wildcard support in logpath option
- support for a lot of services (sshd, apache, qmail, proftpd, sasl, etc)
- support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)
The code has been completely rewritten since 0.6.x. Fail2ban is entirely written in Python and thus should work on most of the *nix systems.
Installation
Requirements
In order to use Fail2ban, the following software are required:
- Python >= 2.4
The following software are optional but recommended:
- iptables
- shorewall
- tcp-wrappers
- a working mail command
- Gamin the File Alteration Monitor
You will probably need at least one firewall software like iptables or shorewall. If you want a software which is not supported, please feel free to contact the author.
Gamin is a file alteration monitor. Gamin greatly benefits from a "inotify"-enabled kernel. Thus, active polling is no longer required to get the file modifications.
Installing from sources on a GNU/Linux system
You will need to obtain the latest version of the source code in order to compile Fail2ban yourself. Once you have done this, change to the directory where you downloaded the source code and execute the following:
tar xvjf fail2ban-x.x.x.tar.bz2
You will have the Fail2ban source code extracted to a directory under the current working directory. You must now move to the new directory.
Now run the installation script as root:
./setup.py install
Fail2ban should now be installed into /usr/lib/fail2ban and /usr/bin.
Debian
Installing Fail2ban on a Debian based system is very straightforward. Execute the following code as the root user on an unstable version of Debian:
apt-get install fail2ban
Gentoo
Fail2ban is available in Portage. To install it, just run:
emerge fail2ban
The FAQ have a more detailed explanation of installing using distributions such as Debian, RedHat and Gentoo
Server
Fail2ban is composed of 2 parts: a client and a server. The server is multi-threaded and listen on a Unix socket for commands. The server itself knows nothing about the configuration files. Thus, at startup, the server is in a "default" state in which no jails are defined. The following options are available for fail2ban-server:
-b start in background -f start in foreground -s <FILE> socket path -x force execution of the server -h, --help display this help message -V, --version print the version
fail2ban-server should not be used directly except in case of debugging. The option -s <FILE> is probably the most important one and is used to set the socket path. Thus, it is possible to run several instances of Fail2ban on different sockets. However, this should be not required because Fail2ban can run several jails concurrently.
If fail2ban-server crashes (does it?), it is possible that the socket file has not been removed correctly. The -x option tells the server to delete the socket file before startup. If the socket file of a running server is removed, it is not possible to communicate with this server anymore.
The server handles the signals SIGTERM and SIGINT. When receiving one of these signals, fail2ban-server will quit nicely.
Client
fail2ban-client is the frontend of Fail2ban. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send single command to the server using command line or interactive mode (can be activated with -i). fail2ban-client can also start the server. The following options are available for fail2ban-client:
-c <DIR> configuration directory -s <FILE> socket path -d dump configuration. For debugging -i interactive mode -v increase verbosity -q decrease verbosity -x force execution of the server -h, --help display this help message -V, --version print the version
As for fail2ban-server, the option -s <FILE> can be used to set the socket path. Notice that this command line option overrides the socket option set in fail2ban.conf. The default configuration directory is /etc/fail2ban but can be override with the -c <DIR> option. The -x option is simply forwarded to fail2ban-server when starting the server.
An useful option for debugging is -d. This prints the configuration parsed by fail2ban-client. The output corresponds to the stream sent to the server. If the output of -d shows:
['set', 'loglevel', 1] ['set', 'logtarget', 'STDERR']
It is possible to achieve the same with:
$ fail2ban-client set loglevel 1 $ fail2ban-client set logtarget STDERR
Configuration
The standard path for the configuration is in /etc/fail2ban. This can be set with the -c option of fail2ban-client. A typical configuration looks like this:
/etc/fail2ban/ ├── action.d │ ├── dummy.conf │ ├── hostsdeny.conf │ ├── iptables.conf │ ├── mail-whois.conf │ ├── mail.conf │ └── shorewall.conf ├── fail2ban.conf ├── fail2ban.local ├── filter.d │ ├── apache-auth.conf │ ├── apache-noscript.conf │ ├── couriersmtp.conf │ ├── postfix.conf │ ├── proftpd.conf │ ├── qmail.conf │ ├── sasl.conf │ ├── sshd.conf │ └── vsftpd.conf ├── jail.conf └── jail.local
Every .conf file can be overriden with a file named .local. Modification should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there.
- The file fail2ban.conf contains settings like the logging level or the logging target of fail2ban-server. You can also specify here the socket path used for the communication between the client and the server.
- The most important file is probably jail.conf which contains the declaration of your jails.
- The directory action.d contains different scripts defining actions. The actions are executed at well-defined moment during the execution of Fail2ban: when starting/stopping a jail, banning/unbanning an host, etc.
- The directory filter.d contains mainly regular expressions which are used to detect breakin attempts, password failures, etc.
Filter and actions are combinated to create jails. Only one filter is allowed pro jail but it is possible to specify several actions. For example, you can react to a SSH breakin attempt by first adding a new firewall rule, then retrieving some information about the offending host using whois and finally sending yourself an e-mail notification. Or maybe you just want to received a notification on your Jabber account when someone accesses the page /donotaccess.html on your web server.
