Resources.DocsTutFail2ban HistoryHide minor edits - Show changes to output April 24, 2013, at 07:52 PM
by
- Changed lines 1-178 from:
Fail2ban is a daemon that you can install to control the intrusion attempts to your systems, we can adapt it to ban attackers after they have tried to login with wrong authentication credentials. [+Opensips configuration+] To make opensips work with fail2ban, you will have to send the logs to a different file than /var/log/syslog Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL7@] And from: [@ if (!www_authorize("", "subscriber")) { www_challenge("", "0"); exit; }@] To: [@ $var(auth_code) = www_authorize("", "subscriber"); if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) { xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)"); } if ( $var(auth_code) < 0 ) { www_challenge("", "0"); exit; } @] [+rsyslog configuration+] Add to /etc/rsyslog.conf [@ local7.* /var/log/opensips.log @] [+Fail2ban configuration+] Install fail2ban [@ apt-get install fail2ban @] Add to the end of /etc/fail2ban/jail.conf this content: [@ [opensips] enabled = true filter = opensips action = iptables-allports[name=opensips, protocol=all] sendmail-whois[name=opensips, dest=destination@example.com, sender=source@example.com] logpath = /var/log/opensips.log maxretry = 5 bantime = 3600 @] Create a file in /etc/fail2ban/filter.d/opensips.conf with the content: [@ # Fail2Ban configuration file # # # $Revision: 250 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = opensips # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = Auth error for .* from <HOST> cause -[0-9] # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = @] Restart fail2ban [@ /etc/init.d/fail2ban restart @] [+opensips and rsyslog configuration notes for CentOS6+] NOTE: Use process above, but with some notes here LOCAL7 is in use by boot logging on CentOS 6, so use LOCAL6 instead. in /usr/local/etc/openssips.conf Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL6@] Add this to /etc/rsyslog.conf (near the bottom): [@ # logging facility for opensips local6.* /var/log/opensips.log @] [+Fail2ban Installation and Configuration notes for CentOS6+] NOTE: Use process above, but with some notes here Follow instructions for installation here : http://www.fail2ban.org/wiki/index.php/README Download the latest fail2ban package from : http://sourceforge.net/projects/fail2ban/files/ Run these commands: [@tar xvfj fail2ban-0.8.4.tar.bz2 cd fail2ban-0.8.4 python setup.py install@] Edit configuration files /etc/fail2ban/jail.confand /etc/fail2ban/filter.d/opensips.conf as documented in the section above. To get startup / init.d script in place on CentOS6, copy the file named redhat-initd from the files folder inside fail2ban-0.8.4 directory to /etc/init.d with the command below. [@# cp redhat-initd /etc/init.d/fail2ban @] Ensure you check the owner and permissions of the copied file and then test the script: [@# /etc/init.d/fail2ban Usage: /etc/init.d/fail2ban {start|stop|status|restart} # /etc/init.d/fail2ban status Fail2ban (pid 8323) is running... Status |- Number of jail: 0 `- Jail list: # /etc/init.d/fail2ban stop Stopping fail2ban: [ OK ] # ps -ef | grep fail root 8399 8235 0 13:10 pts/0 00:00:00 grep fail # /etc/init.d/fail2ban start Starting fail2ban: [ OK ] # /etc/init.d/fail2ban restart Stopping fail2ban: [ OK ] Starting fail2ban: [ OK ] # @] To ensure that fail2ban starts at startup: [@# chkconfig --list fail2ban service fail2ban supports chkconfig, but is not referenced in any runlevel (run 'chkconfig --add fail2ban') # chkconfig --add fail2ban # chkconfig --list fail2ban fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off # chkconfig fail2ban on # chkconfig --list fail2ban fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off # @] to:
(:redirect Documentation.Tutorials-Fail2Ban quiet=1 :) September 23, 2011, at 06:49 PM
by
- Deleted lines 40-65:
[+CentOS6 notes for opensips and rsyslog configuration+] LOCAL7 is used on CentOS 6, so use LOCAL6 instead. in /usr/local/etc/openssips.conf Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL6@] Add this to /etc/rsyslog.conf (near the bottom): [@ # logging facility for opensips local6.* /var/log/opensips.log @] Changed lines 102-104 from:
[+Fail2ban Installation and Configuration on CentOS6+] to:
[+opensips and rsyslog configuration notes for CentOS6+] NOTE: Use process above, but with some notes here LOCAL7 is in use by boot logging on CentOS 6, so use LOCAL6 instead. in /usr/local/etc/openssips.conf Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL6@] Add this to /etc/rsyslog.conf (near the bottom): [@ # logging facility for opensips local6.* /var/log/opensips.log @] [+Fail2ban Installation and Configuration notes for CentOS6+] NOTE: Use process above, but with some notes here September 22, 2011, at 10:57 PM
by
- Changed line 129 from:
[+Fail2ban Installing and Configuration on CentOS6+] to:
[+Fail2ban Installation and Configuration on CentOS6+] September 22, 2011, at 10:26 PM
by
- Added line 33:
Added lines 43-66:
[+CentOS6 notes for opensips and rsyslog configuration+] LOCAL7 is used on CentOS 6, so use LOCAL6 instead. in /usr/local/etc/openssips.conf Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL6@] Add this to /etc/rsyslog.conf (near the bottom): [@ # logging facility for opensips local6.* /var/log/opensips.log @] Added lines 125-183:
[+Fail2ban Installing and Configuration on CentOS6+] Follow instructions for installation here : http://www.fail2ban.org/wiki/index.php/README Download the latest fail2ban package from : http://sourceforge.net/projects/fail2ban/files/ Run these commands: [@tar xvfj fail2ban-0.8.4.tar.bz2 cd fail2ban-0.8.4 python setup.py install@] Edit configuration files /etc/fail2ban/jail.confand /etc/fail2ban/filter.d/opensips.conf as documented in the section above. To get startup / init.d script in place on CentOS6, copy the file named redhat-initd from the files folder inside fail2ban-0.8.4 directory to /etc/init.d with the command below. [@# cp redhat-initd /etc/init.d/fail2ban @] Ensure you check the owner and permissions of the copied file and then test the script: [@# /etc/init.d/fail2ban Usage: /etc/init.d/fail2ban {start|stop|status|restart} # /etc/init.d/fail2ban status Fail2ban (pid 8323) is running... Status |- Number of jail: 0 `- Jail list: # /etc/init.d/fail2ban stop Stopping fail2ban: [ OK ] # ps -ef | grep fail root 8399 8235 0 13:10 pts/0 00:00:00 grep fail # /etc/init.d/fail2ban start Starting fail2ban: [ OK ] # /etc/init.d/fail2ban restart Stopping fail2ban: [ OK ] Starting fail2ban: [ OK ] # @] To ensure that fail2ban starts at startup: [@# chkconfig --list fail2ban service fail2ban supports chkconfig, but is not referenced in any runlevel (run 'chkconfig --add fail2ban') # chkconfig --add fail2ban # chkconfig --list fail2ban fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off # chkconfig fail2ban on # chkconfig --list fail2ban fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off # @] September 01, 2010, at 01:08 PM
by
- Added lines 1-99:
Fail2ban is a daemon that you can install to control the intrusion attempts to your systems, we can adapt it to ban attackers after they have tried to login with wrong authentication credentials. [+Opensips configuration+] To make opensips work with fail2ban, you will have to send the logs to a different file than /var/log/syslog Change from: [@log_facility=LOG_LOCAL0@] To: [@log_facility=LOG_LOCAL7@] And from: [@ if (!www_authorize("", "subscriber")) { www_challenge("", "0"); exit; }@] To: [@ $var(auth_code) = www_authorize("", "subscriber"); if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) { xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)"); } if ( $var(auth_code) < 0 ) { www_challenge("", "0"); exit; } @] [+rsyslog configuration+] Add to /etc/rsyslog.conf [@ local7.* /var/log/opensips.log @] [+Fail2ban configuration+] Install fail2ban [@ apt-get install fail2ban @] Add to the end of /etc/fail2ban/jail.conf this content: [@ [opensips] enabled = true filter = opensips action = iptables-allports[name=opensips, protocol=all] sendmail-whois[name=opensips, dest=destination@example.com, sender=source@example.com] logpath = /var/log/opensips.log maxretry = 5 bantime = 3600 @] Create a file in /etc/fail2ban/filter.d/opensips.conf with the content: [@ # Fail2Ban configuration file # # # $Revision: 250 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = opensips # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = Auth error for .* from <HOST> cause -[0-9] # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = @] Restart fail2ban [@ /etc/init.d/fail2ban restart @] |