
A previous article described how to install Fail2Ban. On a regular basis you'll need to reboot your operating system to finish installing (security) updates, and without extra measures previously banned IP addresses are lost at that point. To make a ban permanent, first create a new file:

sudo touch /etc/fail2ban/ip.blacklist

Edit the file /etc/fail2ban/action.d/iptables-multiport.conf, search for actionban and add the second line (continuation lines in Fail2Ban configuration files must be indented):

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist

Now search for actionstart and add the fourth line:

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              sort -u /etc/fail2ban/ip.blacklist | while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done

Restart your service: sudo service fail2ban restart

Now you'll notice that IPs are being banned and that ip.blacklist is filled with these IP addresses as well. When the Fail2Ban service or the system is restarted, all IPs listed in ip.blacklist are imported again.


A previous article described the installation of Fail2Ban. After a few days you'll notice that Fail2Ban stops working, and it seems to happen right after log rotation. To fix this, edit /etc/fail2ban/jail.local and change the following line:

#backend = auto
backend = polling


Some people, including myself, find that ProFTPD stops regularly. This seems to happen when log rotation runs.

In the system log you'll see errors like:

... ProFTPD killed (signal 15)
... ProFTPD 1.3.5rc3 standalone mode SHUTDOWN

The problem seems to be that ProFTPD doesn't stop in time before it is restarted. It's simple to fix this in "/etc/init.d/proftpd". Search for

start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"

and replace it with

start-stop-daemon --stop --signal $SIGNAL --retry 1 --quiet --pidfile "$PIDFILE"


Fail2Ban is a comprehensive tool for blocking unwanted traffic from bots and attackers to your server (or network). It's quite easy to install and set up, so here's a quick how-to. It assumes you've already set up sendmail as a mail relay and are running ssh, ftp and openvpn locally.

1. sudo apt-get install fail2ban

2. Set up a local configuration file for fail2ban by running "cp -ivra /etc/fail2ban/jail.conf /etc/fail2ban/jail.local" and open /etc/fail2ban/jail.local:

# Append / Modify

bantime = 3600
# forever:
# bantime = -1
ignoreip = 127.0.0.1/8 192.168.1.0/24
destemail = <recipient address>

# Email address of the sender
# This is not set by default; fail2ban@<hostname>.<domain> is then used as the sender, which can lead to SMTP unknown-sender errors (550). Also note the sender="%(sender)s" in action_mw.
sender = <sender address>

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s", sender="%(sender)s"]

action = %(action_mw)s


# Append / Modify

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
#logpath = /var/log/syslog
logpath = /etc/openvpn/openvpn.log
maxretry = 3

[proftpd]
enabled = true

[ssh]
enabled = true

3. Create a file openvpn.conf in /etc/fail2ban/filter.d/ with the following contents:

# Fail2Ban Filter for OpenVPN
#

[INCLUDES]

before = common.conf

[Definition]
_daemon = openvpn

failregex = <HOST>:[0-9]{4,5} TLS Auth Error: Auth Username/Password verification failed for peer

ignoreregex =

4. Restart services: sudo service fail2ban restart

5. Optionally add "/var/log/fail2ban.log" to the logrotate configuration in /etc/logrotate.d/rsyslog

6. I've also added an email alias in sendmail for fail2ban@<hostname>.<domain>

Now you'll receive emails when someone gets banned. You can test this yourself; to remove the ban afterwards, use something like: "sudo fail2ban-client set openvpn unbanip 1.2.3.4"
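As an added example (not code from the original article), here is a small Python check of the openvpn filter from step 3 against constructed log lines, applying the jail's maxretry and ignoreip settings the way fail2ban does. The <HOST> expansion pattern is an assumption modelled on fail2ban's behaviour, and the sample log lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# fail2ban expands <HOST> to a named group before compiling a failregex; this
# pattern mirrors fail2ban's expansion (an assumption, the page does not quote it).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex from the page's /etc/fail2ban/filter.d/openvpn.conf
FAILREGEX = r"<HOST>:[0-9]{4,5} TLS Auth Error: Auth Username/Password verification failed for peer"
# The openvpn jail settings from the page's jail.local
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24"]
MAXRETRY = 3

def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def is_ignored(host, ignoreip=IGNOREIP):
    """True when host lies inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def failed_hosts(log_lines, pattern=FAILREGEX):
    """{host: failures} for every line the failregex matches. fail2ban searches
    each line instead of anchoring at its start, so the timestamp is skipped."""
    regex = compile_failregex(pattern)
    counts = defaultdict(int)
    for line in log_lines:
        m = regex.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def hosts_to_ban(log_lines, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Hosts that reached maxretry failures and are not covered by ignoreip."""
    return sorted(h for h, n in failed_hosts(log_lines).items()
                  if n >= maxretry and not is_ignored(h, ignoreip))

# Constructed sample of /etc/openvpn/openvpn.log lines (not real traffic)
FAIL = "TLS Auth Error: Auth Username/Password verification failed for peer"
SAMPLE_LOG = [
    "Mon Mar  3 10:01:12 2014 203.0.113.7:51234 " + FAIL,
    "Mon Mar  3 10:01:15 2014 203.0.113.7:51240 " + FAIL,
    "Mon Mar  3 10:01:20 2014 198.51.100.9:44001 " + FAIL,
    "Mon Mar  3 10:01:22 2014 192.168.1.5:40001 " + FAIL,  # LAN host: ignoreip
    "Mon Mar  3 10:01:25 2014 192.168.1.5:40002 " + FAIL,
    "Mon Mar  3 10:01:28 2014 192.168.1.5:40003 " + FAIL,
    "Mon Mar  3 10:01:31 2014 203.0.113.7:51251 " + FAIL,
    "Mon Mar  3 10:02:00 2014 198.51.100.9:44002 Peer Connection Initiated",
]
```

On a live system the equivalent check of the filter against the real log is fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf.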