Tuesday, October 30, 2012

Install and Configure Fail2Ban on CentOS | RedHat

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Fail2Ban is generally used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email, or ejecting the CD-ROM tray) can also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).

Steps
===========================================
1. wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
2. tar -xjvf fail2ban-0.8.1.tar.bz2
3. cd fail2ban-0.8.1
4. python setup.py install
5. vi /etc/fail2ban/jail.conf


Enable only the sections you need and do them one at a time. We enable SSH and ProFTP (both use /var/log/secure) as well as Postfix.
Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24

Startup

cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
service fail2ban start

Tools

Show failed SSH logins by date:
cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Search for the correct log file:
grep ssh /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog

Configuration

Adjust the following sample configuration files to your needs.


# Fail2Ban jail.local configuration file
################################################
# www.sonoracomm.com
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# ignore our IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/secure
maxretry = 3

[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=fail2ban@sonoracomm.com, sender=www@sonoracomm.com]
logpath = /var/log/maillog
maxretry = 5

# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.sonoracomm.com
#
[Definition]
# <HOST> is the tag Fail2Ban replaces with its address-matching pattern;
# the continuation lines of a multi-line failregex must be indented.
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =
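To see what the jail.local options above (findtime, maxretry, bantime, ignoreip) and the postfix failregex actually do before enabling a jail, here is an added example that replays log lines through the same logic. It is not part of the original post and not Fail2Ban's own code: a miniature of Fail2Ban's matching and ban decision in Python (the language Fail2Ban is written in). The sshd pattern is an assumed cut-down stand-in for the stock sshd filter, the postfix patterns are the three lines of the postfix.local above with <HOST> expanded, and the /var/log/secure and /var/log/maillog lines, host names and client addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Fail2Ban expands the <HOST> tag of a failregex to a group capturing the client address.
HOST = r"(?P<host>\S+)"

FILTERS = {
    # Assumption: a cut-down stand-in for the stock sshd filter, matching only the
    # "Failed password" lines that the grep pipeline in the Tools section counts.
    "sshd": [r"Failed password for .* from " + HOST + r" port \d+"],
    # The three lines of the postfix.local failregex, with <HOST> expanded.
    "postfix": [
        r"reject: RCPT from (.*)\[" + HOST + r"\]: 554",
        r"reject: RCPT from (.*)\[" + HOST + r"\]: 550",
        r"reject: RCPT from (.*)\[" + HOST + r"\]: 450",
    ],
}

# syslog-style timestamp at the start of /var/log/secure and /var/log/maillog lines
STAMP = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def parse_line(line, filter_name, year=2012):
    """Return (timestamp, host) when a log line matches one of the filter's
    failregex patterns, otherwise None (syslog lines carry no year; assumed)."""
    m = STAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for pattern in FILTERS[filter_name]:
        hit = re.search(pattern, line)
        if hit:
            return ts, hit.group("host")
    return None


def is_ignored(host, ignoreip):
    """True if host falls inside one of the ignoreip addresses or CIDR ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # host names are not matched against ignoreip here
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def bans(lines, filter_name, findtime=600, maxretry=3, bantime=600, ignoreip=()):
    """Replay log lines in order and return {host: time_of_ban} for every host
    that produced maxretry matches inside a findtime window. While a ban is in
    force (bantime seconds) further lines from that host are skipped, since the
    iptables rule would be dropping its packets."""
    recent = defaultdict(list)  # host -> timestamps of matches inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line, filter_name)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host, ignoreip):
            continue
        if host in banned and (ts - banned[host]).total_seconds() < bantime:
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
            recent[host] = []
    return banned


# Constructed sample lines (addresses from the RFC 5737 documentation ranges, plus
# one from the page's own ignoreip range to show the whitelist in effect).
SECURE_LOG = [
    "Oct 30 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Oct 30 10:00:07 web1 sshd[1002]: Failed password for root from 203.0.113.5 port 4243 ssh2",
    "Oct 30 10:00:12 web1 sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2",
    "Oct 30 10:00:20 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 4245 ssh2",
    "Oct 30 10:01:00 web1 sshd[1005]: Failed password for bob from 198.51.100.9 port 5000 ssh2",
    "Oct 30 10:30:00 web1 sshd[1006]: Failed password for bob from 198.51.100.9 port 5001 ssh2",
    "Oct 30 10:45:00 web1 sshd[1007]: Failed password for bob from 198.51.100.9 port 5002 ssh2",
    "Oct 30 10:45:30 web1 sshd[1008]: Accepted password for bob from 198.51.100.9 port 5003 ssh2",
    "Oct 30 10:50:00 web1 sshd[1009]: Failed password for alice from 192.245.12.40 port 6000 ssh2",
    "Oct 30 10:50:02 web1 sshd[1010]: Failed password for alice from 192.245.12.40 port 6001 ssh2",
    "Oct 30 10:50:04 web1 sshd[1011]: Failed password for alice from 192.245.12.40 port 6002 ssh2",
]
MAIL_LOG = [
    f"Oct 30 11:00:{s:02d} web1 postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Service unavailable"
    for s in (0, 10, 20, 30, 40)
] + [
    "Oct 30 11:05:00 web1 postfix/smtpd[2002]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.88]: 450 4.1.8 Sender address rejected",
    "Oct 30 11:06:00 web1 postfix/smtpd[2003]: connect from mx.example.org[192.0.2.99]",
]

# The ignoreip list from the jail.local above.
IGNORE = ["127.0.0.1", "192.245.12.0/24", "207.182.32.0/19", "204.27.149.0/24"]

if __name__ == "__main__":
    print("sshd bans:", bans(SECURE_LOG, "sshd", ignoreip=IGNORE))
    print("postfix bans:", bans(MAIL_LOG, "postfix", maxretry=5, ignoreip=IGNORE))
```

Run as-is: 203.0.113.5 is banned at its third failure and its fourth line is ignored while the ban lasts; 198.51.100.9 is never banned because its three failures are spread over more than findtime; 192.245.12.40 is banned only when the ignoreip list is left empty; for postfix, the five 554 rejects from 192.0.2.77 reach the jail's maxretry of 5 while the single 450 from 192.0.2.88 does not. Fail2Ban's own fail2ban-regex tool is the right way to test a real filter against a real log, but this shows why the window size and the whitelist matter.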

# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.sonoracomm.com
#
# Fail2Ban fills in the <name>, <ip>, <failures>, <dest> and <sender> tags
# at run time; name, dest and sender take their defaults from [Init] below
# and can be overridden in the jail's action line.
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/dig -x <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =
[Init]
name = default
dest = root
sender = fail2ban
===========================================================

Tuesday, October 23, 2012

How to install and use Clam Antivirus in Linux (RPM based)

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.

Steps for installation

1. groupadd clamav

2. useradd -g clamav clamav

3. mkdir /var/clamav

4. chown clamav:root /var/clamav

5. mkdir /var/log/clamav/

6. chown clamav:root /var/log/clamav/

7. mkdir /usr/local/share/clamav

8. chown clamav:clamav /usr/local/share/clamav

9. wget http://dl.sourceforge.net/sourceforge/clamav/clamav-0.93.3.tar.gz

10. tar xzvf clamav-0.93.3.tar.gz

11. cd clamav-0.93.3

12. ./configure --disable-clamuko --enable-milter --with-dbdir=/usr/local/share/clamav

13. On Red Hat based distributions, compiling ClamAV often fails with an error caused by an incompatibility with zlib. You can install both the zlib and zlib-devel packages with

 yum install zlib zlib-devel

If you get an error like "configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then!", run:

14. yum update zlib zlib-devel

15. The error can still occur, so it is safe to run configure with the version check disabled (this only skips configure's check of the zlib version, so make sure step 14 actually upgraded zlib):

   ./configure --disable-clamuko --enable-milter --with-dbdir=/usr/local/share/clamav --disable-zlib-vcheck

In either case, then run:

16. make

17. make install

18. We need a file named clamav.conf. Create it in /etc:

vi /etc/clamav.conf

Write the following lines:
#/etc/clamav.conf
LogTime
LogSyslog
LogFile /var/log/clam/clamd.log
PidFile /var/run/clam/clamd.pid
LocalSocket /var/run/clam/clamd.sock
FixStaleSocket
MaxThreads 50
ThreadTimeout 600
MaxDirectoryRecursion 15
FollowFileSymlinks
SelfCheck 600
User clamav
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000

Save and close the file.

19. Now tell your startup script to load the ClamAV daemon:

echo "/usr/local/sbin/clamd" >> /etc/rc.d/rc.local

echo "/usr/local/sbin/clamav-milter -l -o -q /var/milter/clmilter.sock" >> /etc/rc.d/rc.local

20. cp /etc/clamav.conf /usr/local/etc/

21. touch /var/log/clam-update.log

22. chown clamav:clamav /var/log/clam-update.log

23. touch /tmp/clamd.log

24. chown clamav:root /tmp/clamd.log

25. mkdir /var/milter

26. chown clamav:root /var/milter/

27. cd /usr/local/etc/

We can modify some configuration files in the directory /etc:

28. cd /etc

29. wget ftp://ftp.ro-design.net/pub/clamd.conf

30. wget ftp://ftp.ro-design.net/pub/freshclam.conf

31. mkdir /var/lib/clamav

32. chown clamav:root /var/lib/clamav/
    /usr/local/bin/freshclam -l /var/log/clam-update.log

33. cp /usr/local/sbin/clamd /etc/init.d/

34. /etc/init.d/clamd restart

Usage

clamscan -irv <location>
 Eg: clamscan -irv /home

If you need the scan results in a file, redirect the output:

clamscan -irv <location> > <file name>

Eg: clamscan -irv /home > scan.log
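clamscan is fine for one-off scans, but the daemon started in step 19 is what other programs (a mail filter, an upload handler) talk to, through the LocalSocket set in the clamav.conf above. Here is an added example, not part of the original post and not ClamAV project code, of a small client for that socket protocol: it frames data for clamd's INSTREAM command (a 4-byte network-order length before each chunk, a zero-length chunk to finish) and parses clamd's reply lines. The socket path is the one from the config above; the reply strings and the scanned bytes (the standard EICAR test string, which every scanner is meant to flag) are constructed here, and the live scan runs only if the socket actually exists. The signature name clamd reports for EICAR depends on the database version.

```python
import os
import socket
import struct

# Socket path from the clamav.conf on this page.
SOCKET_PATH = "/var/run/clam/clamd.sock"

# The EICAR test string: a harmless file that scanners are required to detect.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data, chunk=8192):
    """Frame data for clamd's INSTREAM command: the z-prefixed command is
    NUL-terminated, each chunk is prefixed with its length as a 4-byte
    network-order integer, and a zero-length chunk ends the stream."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        frames.append(struct.pack("!I", len(piece)) + piece)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_reply(reply):
    """Turn a clamd reply such as b"stream: Eicar-Test-Signature FOUND\\0" into
    (status, detail): ("OK", ""), ("FOUND", signature) or ("ERROR", message)."""
    text = reply.decode("utf-8", "replace").rstrip("\0\n")
    _, _, verdict = text.partition(": ")  # strip the "stream" / path prefix
    if verdict == "OK":
        return "OK", ""
    status = verdict.rsplit(" ", 1)[-1]  # last word is FOUND or ERROR
    detail = verdict[: -len(status)].strip()
    return status, detail


def scan_bytes(data, socket_path=SOCKET_PATH):
    """Stream data to clamd over its UNIX socket and return the parsed verdict,
    or None when no clamd socket is present (so the example degrades cleanly)."""
    if not os.path.exists(socket_path):
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(socket_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands get NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    result = scan_bytes(EICAR)
    if result is None:
        print(f"no clamd socket at {SOCKET_PATH}; start clamd first (step 19)")
    else:
        print("verdict:", result)  # e.g. ('FOUND', 'Eicar-Test-Signature')
```

The daemon must be able to read the socket and the client must be allowed to connect to it (clamd runs as the clamav user from the config above), which is why the script checks for the socket instead of assuming it. Treat anything other than ("OK", "") as a reason not to accept the data: an ERROR reply means the file was not scanned, not that it is clean.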