Difference between revisions of "Fail2Ban"

From Fail2ban
Jump to navigationJump to search
m
(boosted version to 0.8.5 in the installation example)
 
(26 intermediate revisions by 20 users not shown)
Line 1: Line 1:
                __      _ _ ___ _               
+
                        __      _ _ ___ _               
              / _|__ _(_) |_  ) |__  __ _ _ _   
+
                        / _|__ _(_) |_  ) |__  __ _ _ _   
              |  _/ _` | | |/ /| '_ \/ _` | ' \  
+
                      |  _/ _` | | |/ /| '_ \/ _` | ' \  
              |_| \__,_|_|_/___|_.__/\__,_|_||_|
+
                      |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
   
 
   
=============================================================
+
 
Fail2Ban (version 0.6.2)                           2006/12/11
+
* <SMALL >Fail2Ban (version 0.8.4) 2009/09/07</SMALL >
  =============================================================
+
 
 +
[[Fail2Ban]] scans [[log file]]s like [file:///var/log/pwdfail pwdfail] and bans [[IP address]]es that make too many password failures.&emsp; It updates [[firewall]] rules to reject the [[IP address]].&emsp; These rules can be defined by the user.&emsp; [[Fail2Ban]] can read multiple [[log file]]s such as [[sshd]] or [[Apache Web server]] ones. This [[README]] is a quick introduction to [[Fail2Ban]].&emsp; More documentation, FAQ, HOWTOs are available on the [http://www.fail2ban.org/ project website].
 +
 
 +
== Installation ==
 +
; Required:
 +
: [http://www.python.org/ python] ≥ 2.3
 +
; Optional:
 +
: [http://people.gnome.org/~veillard/gamin/ gamin] ≥ 0.0.21
 +
 
 +
To install, just do:
 +
tar xvfj fail2ban-0.8.5.tar.bz2
 +
cd fail2ban-0.8.5
 +
python setup.py install
 +
 
 +
This will install [file:///usr/share/fail2ban Fail2Ban]. The executable scripts are placed into file:///usr/bin.
 +
 
 +
* It is possible that [[Fail2Ban]] is already packaged for your distribution. In this case, you should use it.
 +
 
 +
[[Fail2Ban]] should be correctly installed now. Just type:
 +
fail2ban-client -h
 +
 
 +
to see if everything is all right.&emsp; You should always use <TT >fail2ban-client</TT > and never call <TT >fail2ban-server</TT > directly.
 +
 
 +
== Configuration ==
 +
You can configure [[Fail2Ban]] using the [file:///etc/fail2ban configuration files].&emsp; It is possible to configure the server using commands sent to it by <TT >fail2ban-client</TT >.&emsp; The available commands are described in the [man:/fail2ban-client manual page].&emsp; Please refer to it or to the website.
 +
 
 +
== Contact ==
 +
If you need some new features, you found bugs or you just appreciate this program, you can contact me at:
 +
* [http://www.fail2ban.org/ The Website]
 +
* [mailto:Cyril%20Jaquier%20%3Ccyril.jaquier@fail2ban.org%3E Cyril Jaquier]
 
   
 
   
Fail2Ban scans log files like /var/log/pwdfail and bans IP
+
== Thanks ==
that makes too many password failures. It updates firewall
+
'''Kévin Drapel''', '''Marvin Rouge''', '''Sireyessire''', '''Robert Edeker''', '''Tom Pike''', '''Iain Lea''', '''Andrey G. Grozin''', '''Yaroslav Halchenko''', '''Jonathan Kamens''', '''Stephen Gildea''', '''Markus Hoffmann''', '''Mark Edgington''', '''Patrick Börjesson''', '''kojiro''', '''zugeschmiert''', '''Tyler''', '''Nick Munger''', '''Christoph Haas''', '''Justin Shore''', '''Joël Bertrand''', '''René Berber''', '''mEDI''', '''Axel Thimm''',
rules to reject the IP address. These rules can be defined by
+
'''Eric Gerbier''',
the user. Fail2Ban can read multiple log files such as sshd
+
'''Christian Rauch''', '''Michael C.&nbsp;Haller''', '''Jonathan Underwood''', '''Hanno ‘Rince’ Wagner''',
or Apache web server ones.
+
'''Daniel B.&nbsp;Cid''', '''David Nutter''', '''Raphaël Marichez''', '''Guillaume Delvit''', '''Vaclav Misek''',
+
'''Adrien Clerc''', '''Michael Hanselmann''', '''Vincent Deffontaines''', '''Bill Heaton''', '''Russell Odom''', '''Christos Psonis''', '''Arturo ‘Buanzo’ Busleiman''' and many others.
This is my first Python program. Moreover, English is not my
+
 
mother tongue...
+
== License ==
+
<SMALL >[[Fail2Ban]] is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.</SMALL >
+
 
More details:
+
<SMALL >Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the [[COPYING|GNU General Public License]] for more details.</SMALL >
-------------
+
 
+
<SMALL >You should have received a copy of the GNU General Public License along with [[Fail2Ban]]; if not, write to the Free Software Foundation, Inc., 59&nbsp;Temple Place, Suite&nbsp;330, Boston, MA 02111&ndash;1307 USA</SMALL >
Fail2Ban is rather simple. I have a home server connected to
 
the Internet which runs apache, samba, sshd, and some other
 
services. I saw in my logs that people are trying to log into
 
my box using brute force, either "manually" or with scripts.
 
They have tried 10, 20 and sometimes more user/password
 
combinations, without success. In order to discourage these
 
script kiddies, I wanted sshd to refuse login from a specific
 
IP address after 3 password failures. After some Google
 
searches, I found that sshd was not able of that, so I
 
searched for a script or program that does it. I found
 
nothing. :-( So I decided to write my own, and to learn
 
Python. :-)
 
 
For each section defined in the configuration file, Fail2Ban
 
tries to find lines which match the failregex. Then it
 
retrieves the message time using timeregex and timepattern.
 
It finally gets the IP, and if that IP has already caused 3
 
or more password failures within the last banTime, it is
 
banned for banTime using a firewall rule. This rule is set
 
by the user in the configuration file; thus, Fail2Ban can be
 
adapted for many different firewalls. After banTime, the rule
 
is deleted. Notice that if no "plain" IP is available,
 
Fail2Ban tries to do a DNS lookup in order to find one or
 
several IP addresses to ban.
 
 
Sections can be freely added to the configuration file, so it
 
is possible to monitor several daemons at the same time.
 
 
Fail2Ban runs on my server and does its job rather well :-)
 
The idea is to make Fail2Ban usable with daemons and services
 
that require a login (sshd, telnetd, ...) and with different
 
firewalls.
 
 
Installation:
 
-------------
 
 
Requires: python-2.4 (http://www.python.org)
 
 
To install, just type:
 
 
> tar xvfj fail2ban-0.6.2.tar.bz2
 
> cd fail2ban-0.6.2
 
> python setup.py install
 
 
This will install Fail2Ban into /usr/lib/fail2ban. The
 
fail2ban executable is placed into /usr/bin.
 
 
Gentoo: ebuilds are available on the website.
 
Debian: Fail2Ban is in Debian unstable.
 
RedHat: packages are available on the website.
 
 
Fail2Ban should now be correctly installed. Just type:
 
 
> fail2ban -h
 
 
to see if everything is alright. You can configure fail2ban
 
with a config file. Different kind of configuration files are
 
available:
 
 
iptables:  copy config/fail2ban.conf.iptables to
 
            /etc/fail2ban.conf
 
hosts.deny: copy config/fail2ban.conf.hostsdeny to
 
            /etc/fail2ban.conf
 
shorewall:  copy config/fail2ban.conf.shorewall to
 
            /etc/fail2ban.conf
 
 
Do not forget to edit fail2ban.conf to meet your needs.
 
 
You can use the initd script available in config/. Copy
 
<dist>-initd to /etc/init.d/fail2ban. Gentoo users must copy
 
gentoo-confd to /etc/conf.d/fail2ban. You can start fail2ban:
 
 
> /etc/init.d/fail2ban start
 
 
Gentoo users can add it to the default runlevel:
 
 
> rc-update add fail2ban default
 
 
Configuration:
 
--------------
 
 
You can configure fail2ban using the file /etc/fail2ban.conf
 
or using command line options. Command line options override
 
the value stored in fail2ban.conf. Here are the command line
 
options:
 
 
  -b        start in background
 
  -c <FILE>  read configuration file FILE
 
  -p <FILE>  create PID lock in FILE
 
  -h        display this help message
 
  -i <IP(s)> IP(s) to ignore
 
  -k        kill a currently running instance
 
  -r <VALUE> allow a max of VALUE password failure [maxfailures]
 
  -t <TIME>  ban IP for TIME seconds [bantime]
 
  -f <TIME>  lifetime in seconds of failed entry [findtime]
 
  -v        verbose. Use twice for greater effect
 
  -V        print software version
 
 
Please note that a vulnerability (CVE-2006-6302) affects
 
version < 0.6.2. Since 0.6.2, a named group "host" was added
 
to "failregex". This group must match the host address. Old
 
configuration files will still work but will generate a
 
warning. In this case, please update your configuration file.
 
 
Contact:
 
--------
 
 
You need some new features, you found bugs or you just
 
appreciate this program, you can contact me at :
 
 
Website: http://fail2ban.sourceforge.net
 
 
Cyril Jaquier: <lostcontrol@users.sourceforge.net>
 
 
 
Thanks:
 
-------
 
 
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
 
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
 
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
 
Edgington, Patrick Börjesson, kojiro, zugeschmiert
 
 
License:
 
--------
 
 
Fail2Ban is free software; you can redistribute it
 
and/or modify it under the terms of the GNU General Public
 
License as published by the Free Software Foundation; either
 
version 2 of the License, or (at your option) any later
 
version.
 
 
Fail2Ban is distributed in the hope that it will be
 
useful, but WITHOUT ANY WARRANTY; without even the implied
 
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 
PURPOSE. See the GNU General Public License for more
 
details.
 
 
You should have received a copy of the GNU General Public
 
License along with Fail2Ban; if not, write to the Free
 
Software Foundation, Inc., 59 Temple Place, Suite 330,
 
Boston, MA 02111-1307 USA
 

Latest revision as of 19:06, 28 September 2011

                        __      _ _ ___ _               
                       / _|__ _(_) |_  ) |__  __ _ _ _  
                      |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                      |_| \__,_|_|_/___|_.__/\__,_|_||_|
  • Fail2Ban (version 0.8.4) 2009/09/07

Fail2Ban scans log files like [file:///var/log/pwdfail pwdfail] and bans IP addresses that make too many password failures.  It updates firewall rules to reject the IP address.  These rules can be defined by the user.  Fail2Ban can read multiple log files such as sshd or Apache Web server ones. This README is a quick introduction to Fail2Ban.  More documentation, FAQ, HOWTOs are available on the project website.

Installation

Required
python ≥ 2.3
Optional
gamin ≥ 0.0.21

To install, just do: 

tar xvfj fail2ban-0.8.5.tar.bz2
cd fail2ban-0.8.5
python setup.py install

This will install [file:///usr/share/fail2ban Fail2Ban]. The executable scripts are placed into file:///usr/bin.

  • It is possible that Fail2Ban is already packaged for your distribution. In this case, you should use it.

Fail2Ban should be correctly installed now. Just type: 

fail2ban-client -h

to see if everything is all right.  You should always use fail2ban-client and never call fail2ban-server directly.

Configuration

You can configure Fail2Ban using the [file:///etc/fail2ban configuration files].  It is possible to configure the server using commands sent to it by fail2ban-client.  The available commands are described in the [man:/fail2ban-client manual page].  Please refer to it or to the website.

Contact

If you need some new features, you found bugs or you just appreciate this program, you can contact me at:

Thanks

Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko, Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand, René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood, Hanno ‘Rince’ Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, Vincent Deffontaines, Bill Heaton, Russell Odom, Christos Psonis, Arturo ‘Buanzo’ Busleiman and many others.

License

Fail2Ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111–1307 USA

Retrieved from "http://wiki.fail2ban.org/wiki/index.php?title=Fail2Ban&oldid=4095"