Note
This howto was written for Debian Etch.
Installation
apt-get install fail2ban
Adjust the configuration
/etc/fail2ban/jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[postfix]
enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled   = true
port      = pop3
filter    = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath   = /var/log/mail.log
maxretry  = 5

[courierimap]
enabled   = true
port      = imap2
filter    = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath   = /var/log/mail.log
maxretry  = 5

[sasl]
enabled   = true
port      = smtp
filter    = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath   = /var/log/mail.log
maxretry  = 5
Restart fail2ban
/etc/init.d/fail2ban restart
Check the result
iptables -L -n
Result:
Chain INPUT (policy ACCEPT)
target                prot opt source               destination
fail2ban-sasl         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
fail2ban-courierimap  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
fail2ban-ssh          tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
fail2ban-courierpop3  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-courierimap (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0
Test
Simply log in 5 times (the maxretry of the jail) with an existing user and a wrong password. Your IP address should then be blocked for 10 minutes (bantime = 600 seconds).
Only the service that was attacked is blocked; the other jails keep their own chains untouched.
Test from a machine whose address is not listed in ignoreip (by default only 127.0.0.1 is exempt, so a test from localhost never triggers a ban), and keep in mind that a ban of the only machine you administer from locks you out of that service until bantime expires or you delete the DROP rule from the jail's chain by hand.
Iptables:
Chain fail2ban-courierimap (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination
DROP       0    --  62.158.111.222       0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0
Log entry:
Host was banned:
2007-07-11 21:41:49,063 fail2ban.actions: WARNING [courierpop3] Ban 62.158.111.222
Host was unbanned:
2007-07-11 21:51:49,324 fail2ban.actions: WARNING [courierpop3] Unban 62.158.111.222
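The following script is an added example; it is not part of the original howto and not fail2ban's own code. It replays a constructed /var/log/mail.log excerpt through the three failregex lines from the jail.local above and applies the jail policy used in the test (maxretry 5, bantime 600 seconds; findtime is not set on this page, so fail2ban's default of 600 seconds is assumed), printing Ban/Unban events in the format of the log entries above. The <HOST> expansion is a simplified stand-in for fail2ban's, the log lines and addresses are constructed, and the year 2007 is assumed because syslog timestamps carry none. Besides reproducing the ban of 62.158.111.222 on the courierpop3 jail only, it shows two cases the test above does not: failures from 127.0.0.1 are dropped by ignoreip, and five failures spread over more than findtime never add up to a ban.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> placeholder. Assumption: the real
# expansion is broader (hostnames, IPv4-mapped IPv6 prefixes); this one is
# enough for the dotted-quad addresses in the constructed log below.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# failregex values exactly as they appear in the jail.local of this howto
FAILREGEX = {
    "courierpop3": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "courierimap": r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "sasl": r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}

SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})")


def parse_timestamp(line, year=2007):
    """Parse the syslog prefix ('Jul 11 21:41:49'); syslog has no year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    return datetime.strptime("%d %s %s %s" % (year, m.group(1), m.group(2), m.group(3)),
                             "%Y %b %d %H:%M:%S")


class Jail:
    """One [section] of jail.local: a filter plus the ban policy applied to its matches."""

    def __init__(self, name, failregex, maxretry=5, findtime=600, bantime=600,
                 ignoreip=("127.0.0.1",)):
        self.name = name
        self.regex = re.compile(failregex.replace("<HOST>", HOST))
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)   # assumed default, not set on the page
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(list)   # host -> timestamps of recent failures
        self.banned = {}                    # host -> time the ban expires


def build_jails():
    return [Jail(name, regex) for name, regex in FAILREGEX.items()]


def simulate(jails, log_lines, year=2007):
    """Replay log lines through the jails; return (time, jail, action, host) events in time order."""
    events = []
    for line in log_lines:
        ts = parse_timestamp(line, year)
        for jail in jails:
            # release bans whose bantime has elapsed before this line
            for host, until in list(jail.banned.items()):
                if ts >= until:
                    events.append((until, jail.name, "Unban", host))
                    del jail.banned[host]
            m = jail.regex.search(line)
            if not m:
                continue
            host = m.group("host")
            if host in jail.ignoreip or host in jail.banned:
                continue
            # only failures inside the findtime window count towards maxretry
            recent = [t for t in jail.failures[host] if ts - t <= jail.findtime] + [ts]
            jail.failures[host] = recent
            if len(recent) >= jail.maxretry:
                jail.banned[host] = ts + jail.bantime
                jail.failures[host] = []
                events.append((ts, jail.name, "Ban", host))
    # bans still active when the log ends expire on schedule
    for jail in jails:
        for host, until in jail.banned.items():
            events.append((until, jail.name, "Unban", host))
    return sorted(events)


def format_event(event):
    """Render an event the way fail2ban.actions logs it (without the millisecond field)."""
    ts, jail, action, host = event
    return "%s fail2ban.actions: WARNING [%s] %s %s" % (
        ts.strftime("%Y-%m-%d %H:%M:%S"), jail, action, host)


# Constructed /var/log/mail.log excerpt (not from the original page). 10.0.0.5 fails
# five times but too slowly for findtime, 127.0.0.1 is covered by ignoreip, and
# 62.158.111.222 reproduces the ban shown in the howto.
SAMPLE_LOG = """\
Jul 11 21:00:00 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:10.0.0.5]
Jul 11 21:04:00 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:10.0.0.5]
Jul 11 21:08:00 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:10.0.0.5]
Jul 11 21:12:00 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:10.0.0.5]
Jul 11 21:16:00 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:10.0.0.5]
Jul 11 21:41:20 mail courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:27 mail courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:30 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:34 mail courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:38 mail postfix/smtpd[2231]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed
Jul 11 21:41:41 mail courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:44 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:127.0.0.1]
Jul 11 21:41:44 mail courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:127.0.0.1]
Jul 11 21:41:49 mail courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:62.158.111.222]
Jul 11 21:41:55 mail courierpop3login: LOGIN, user=carol, ip=[::ffff:62.158.111.222]
"""

if __name__ == "__main__":
    for ev in simulate(build_jails(), SAMPLE_LOG.splitlines()):
        print(format_event(ev))
```

Run it with python3; the output is one Ban line at 21:41:49 and one Unban line at 21:51:49, both for the courierpop3 jail only, while the courierimap and sasl jails stay empty. To test a filter against a real log file, later fail2ban releases ship fail2ban-regex; this script only makes the interaction of maxretry, findtime, bantime and ignoreip visible on a few lines you control.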