Tuesday, October 30, 2012

Install and Configure Fail2Ban on Centos | RedHat

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Fail2Ban is generally used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) can also be configured. Out of the box, Fail2Ban comes with filters for various services (Apache, Courier, SSH, etc.).

Steps
===========================================
1. wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
2. tar -xjvf fail2ban-0.8.1.tar.bz2
3. cd fail2ban-0.8.1
4. python setup.py install
5. vi /etc/fail2ban/jail.conf


Enable only the sections you need, and do them one at a time. We enable SSH and ProFTPD (both log to /var/log/secure) as well as Postfix.
Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

Startup

cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
service fail2ban start

Tools

Show failed SSH logins by date:
cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Search for the correct log file:
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog

Configuration

Adjust the following sample configuration files to your needs.


# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.
[DEFAULT]
# ignore our IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling

# Multi-line values (the two actions below) must be indented on the
# continuation line, or Fail2Ban will not parse the file.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
# <HOST> is Fail2Ban's placeholder; it is replaced at load time by a pattern
# that captures the client IP to be banned. Additional failregex lines must
# be indented so they are read as continuations of the same value.
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =
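As an added example (not part of the original post or of Fail2Ban itself), the script below does in miniature what fail2ban-regex and a jail's maxretry/findtime bookkeeping do for the postfix filter above: it expands the <HOST> tag, runs the three failregex lines over constructed maillog lines, and reports which client hosts would be banned. The HOST_TAG expression is an approximation of Fail2Ban's own substitution, and the log lines are constructed samples.

```python
import re
from datetime import datetime
# Approximation of what Fail2Ban substitutes for <HOST> (assumption: exact text varies by version).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The three failregex lines from the page's filter.d/postfix.local.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
]
# Constructed sample maillog lines (syslog timestamps, no year); not real traffic.
SAMPLE_MAILLOG = """\
Oct 30 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Relay access denied
Oct 30 10:02:15 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 User unknown
Oct 30 10:03:40 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.9]: 450 4.1.8 Sender address rejected
Oct 30 10:04:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Greylisted
Oct 30 10:05:22 mx postfix/smtpd[1236]: connect from unknown[203.0.113.7]
Oct 30 10:06:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Relay access denied
Oct 30 10:07:11 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 User unknown
"""

def compile_failregex(patterns):
    # Expand <HOST> into a named group and compile, as Fail2Ban's filter does.
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]

def find_failures(log_text, compiled):
    """Return (timestamp, host) for every line matching one of the failregexes."""
    failures = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:  # syslog stamps carry no year; 1900 is fine for time deltas
                ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
                failures.append((ts, m.group("host")))
                break
    return failures

def hosts_to_ban(failures, maxretry, findtime):
    """Hosts with at least maxretry failures inside some findtime-second window."""
    by_host = {}
    for ts, host in failures:
        by_host.setdefault(host, []).append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

With the jail's maxretry=5 and findtime=600, only 203.0.113.7 is banned; note that matching 450 (temporary) rejects means a legitimate server retrying through greylisting also accumulates failures, so watch the counts before enabling that line in production.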

# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
# <name>, <ip>, <failures>, <dest> and <sender> are Fail2Ban's substitution
# tags; they are filled in from the jail's action parameters and from the
# ban event. Continuation lines of a multi-line value must be indented.
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =
[Init]
name = default
dest = root
sender = fail2ban
===========================================================
