---
tags: ccdc, NCCDC2019
---

# fail2ban

## Installation

### CentOS / Fedora / Red Hat

```bash
# If EPEL is not already enabled, run:
sudo yum install epel-release
# Once enabled:
sudo yum install fail2ban
sudo systemctl enable fail2ban
```

### Ubuntu / Debian

```bash
sudo apt install fail2ban
```

## SSH

> Conf file: /etc/fail2ban/jail.local

```bash
# Edit the conf file with any available editor (vi, nano, vim, emacs); it is likely a new file
sudo nano /etc/fail2ban/jail.local
```

> Create or modify the configuration to include:

```conf
[DEFAULT]
# Ban hosts for 10 minutes:
bantime = 600
# Use iptables to block banned addresses:
banaction = iptables-multiport

[sshd]
# Enable the ssh jail
enabled = true
# Uncomment and set this line if ssh is running on a non-standard port:
#port = 65534
# Ban after five failures in one minute:
findtime = 60
maxretry = 5
```

> Save the file and restart fail2ban:

```bash
sudo systemctl restart fail2ban
# or
sudo service fail2ban restart
```

## Apache (dir scans)

> Create the simple filter:

```bash
sudo nano /etc/fail2ban/filter.d/http-404-filter.conf
```

> Add the lines:

```conf
[INCLUDES]
before = apache-common.conf

[Definition]
# Be sure this matches the 404 lines in your access log
failregex = ^<HOST> - - .* 404 .*
# Regex for POST floods:
# failregex = ^<HOST>.*"POST .*HTTP.*
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
```

> Edit your jail conf:

```bash
# Edit the conf file with any available editor (vi, nano, vim, emacs); it is likely a new file
sudo nano /etc/fail2ban/jail.local
```

> Ensure it contains the lines:

```conf
[DEFAULT]
# Ban hosts for 10 minutes:
bantime = 600
# Use iptables to block banned addresses:
banaction = iptables-multiport

[http-404-filter]
enabled = true
port = http,https
filter = http-404-filter
# Change to the path of your access log
logpath = /var/log/apache2/access.log
# Ban after 15 404s in 1 minute
maxretry = 15
findtime = 60
```

> Reload the config file:

```bash
sudo fail2ban-client reload
```

## Monitor

> Tip: use the `watch` command to monitor any of the following commands

### Monitor fail2ban overall

```bash
sudo fail2ban-client status
```

### Monitor fail2ban ssh jail

```bash
sudo fail2ban-client status sshd
```

## References

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
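As an added example (not part of the original note, and not fail2ban's own code), the following Python script reproduces what both the `sshd` and `http-404-filter` jails above do with `findtime` and `maxretry`: it applies the 404 `failregex` and `ignoreregex` from the filter to constructed Apache access-log lines, keeps a sliding window of matches per source address, and reports which addresses would be banned. It assumes a simple `(?P<host>\S+)` stand-in for fail2ban's `<HOST>` tag and the combined log format; every log line and address (TEST-NET ranges) is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Offline stand-in for fail2ban's <HOST> tag (fail2ban substitutes its own,
# more elaborate host pattern); one non-space token is enough for this check.
HOST = r"(?P<host>\S+)"
# The failregex / ignoreregex from http-404-filter.conf above.
FAIL_RE = re.compile(r"^" + HOST + r" - - .* 404 .*")
IGNORE_RE = re.compile(r".*(robots.txt|favicon.ico|jpg|png)")
# Jail settings from the [http-404-filter] section above.
FINDTIME = 60    # seconds
MAXRETRY = 15    # matches allowed inside one findtime window

APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/Oct/2019:13:55:00 +0000


def parse_line(line):
    """Return (host, timestamp) if the filter would count this line, else None."""
    if IGNORE_RE.match(line):        # ignoreregex wins over failregex
        return None
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = re.search(r"\[([^\]]+)\]", line)
    if not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), APACHE_TS)


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Sliding-window count per host, as fail2ban does with findtime/maxretry.

    Returns the hosts that reach maxretry matches within findtime seconds,
    in the order they would be banned.
    """
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        hits = window[host]
        hits.append(ts)
        # Drop matches older than findtime relative to the newest one.
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def apache_line(host, ts, path, status):
    """Build a constructed combined-format access-log line (sample data only)."""
    return (f'{host} - - [{ts.strftime(APACHE_TS)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "curl/7.64.0"')


# Constructed sample log using TEST-NET addresses, not real traffic.
BASE = datetime(2019, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a scanner probing 16 guessed directories in 30 seconds -> should be banned
    [apache_line("203.0.113.5", BASE + timedelta(seconds=2 * i), f"/backup{i}/", 404)
     for i in range(16)]
    # a normal visitor: one ignored favicon 404, one page hit, one real 404
    + [apache_line("198.51.100.7", BASE, "/favicon.ico", 404),
       apache_line("198.51.100.7", BASE + timedelta(seconds=1), "/index.html", 200),
       apache_line("198.51.100.7", BASE + timedelta(seconds=3), "/old-link", 404)]
    # a stale bookmark retried every 90 s: never two hits inside one 60 s window
    + [apache_line("192.0.2.44", BASE + timedelta(seconds=90 * i), "/moved", 404)
       for i in range(4)]
)

if __name__ == "__main__":
    print("would ban:", find_bans(SAMPLE_LOG))
    # a longer findtime makes the slow retrier bannable with a low maxretry
    print("findtime=600, maxretry=3:", find_bans(SAMPLE_LOG, findtime=600, maxretry=3))
```

The second call shows why the two values belong together: the same log bans only the fast scanner with the note's `findtime = 60` / `maxretry = 15`, but also catches the slow retrier once the window is widened. On a real host the equivalent check is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-404-filter.conf`, which reports how many lines the filter matched and which ones `ignoreregex` dropped; run it before enabling the jail so the pattern does not ban legitimate clients.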