  1. #1
    Just Joined! | Join Date: Nov 2007 | Location: somewhere in south east asia | Posts: 1

    Configuring fail2ban on centos


    Hi all, I've tried to install and configure fail2ban on CentOS and Ubuntu. It seems like fail2ban ran with no problems on Ubuntu and was able to block failed login attempts, but on CentOS fail2ban ran with no effect; meaning, the user was able to log in from the same IP again and again even though the limit was clearly set to 3 times.

    Anyway, I would be grateful if anyone could help me with this. Thanks. Here are the config files that have been configured in the CentOS fail2ban.

    # Fail2Ban configuration file
    #
    # $Revision: 484 $
    #
    # 2005.06.21 modified for readability Iain Lea iain@bricbrac.de

    [DEFAULT]
    # Option: background
    # Notes.: start fail2ban as a daemon. Output is redirect to logfile.
    # Values: [true | false] Default: false
    #
    background = true

    # Option: locale
    # Notes.: global (cannot be redefined per section) locale to use for
    # timestamp pattern matching by changing LC_TIME for
    # fail2ban process. Empty entry sets locale to default one
    # (usually specified by LC_ALL environment variable).
    # Values: LOCALE Default:
    #
    locale =

    # Option: logtargets
    # Notes.: log targets. Space separated list of logging targets.
    # Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
    #
    logtargets = /var/log/fail2ban.log

    # Option: syslog-target
    # Notes.: where to find syslog facility if logtarget SYSLOG.
    # Values: SOCKET HOST HOST:PORT Default: /dev/log
    #
    syslog-target = /dev/log

    # Option: syslog-facility
    # Notes.: which syslog facility to use if logtarget SYSLOG.
    # Values: NUM Default: 1
    #
    syslog-facility = 1

    # Option: pidlock
    # Notes.: path of the PID lock file (must be able to write to file).
    # Values: FILE Default: /var/run/fail2ban.pid
    #
    pidlock = /var/run/fail2ban.pid

    # Option: maxfailures
    # Notes.: number of failures before IP gets banned.
    # Values: NUM Default: 5
    #
    maxfailures = 3

    # Option: bantime
    # Notes.: number of seconds an IP will be banned. If set to a negative
    # value, IP will never be unbanned (permanent banning).
    # Values: NUM Default: 600
    #
    bantime = 600

    # Option: findtime
    # Notes.: lifetime in seconds of a "failed" log entry.
    # Values: NUM Default: 600
    #
    findtime = 600

    # Option: ignoreip
    # Notes.: space separated list of IP's to be ignored by fail2ban.
    # You can use CIDR mask in order to specify a range.
    # Example: ignoreip = 192.168.0.1/24 123.45.235.65
    # Values: IP Default:
    #
    ignoreip =

    # Option: cmdstart
    # Notes.: command executed once at the start of Fail2Ban
    # Values: CMD Default:
    #
    cmdstart =

    # Option: cmdend
    # Notes.: command executed once at the end of Fail2Ban.
    # Values: CMD Default:
    #
    cmdend =

    # Option: polltime
    # Notes.: number of seconds fail2ban sleeps between iterations.
    # Values: NUM Default: 1
    #
    polltime = 1

    # Option: reinittime
    # Notes.: minimal number of seconds between the re-initialization of
    # firewalls due to external changes in their rules (see fwcheck)
    # Values: NUM Default: 100
    #
    reinittime = 10

    # Option: maxreinits
    # Notes.: maximal number of re-initialization of firewalls due to external
    # changes. -1 stays for infinite, so only reinittime is of importance
    # Values: NUM Default: -1
    #
    maxreinits = -1

    # NOTE: Interpolations
    #
    # fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
    # so %(__name__)s will be substituted by a name of each section
    # (unless the option is overridden in a section).
    # If you are going to use interpolations in your setup, please make
    # sure that you specified options port and protocol (which also has
    # an option in DEFAULT).
    #

    # Option: protocol
    # Notes.: internally used by config reader for interpolations.
    # Values: [ tcp | udp | icmp | all ] Default: tcp
    #
    protocol = tcp

    # Option: fwstart
    # Notes.: command executed once at the start of Fail2Ban.
    # Values: CMD Default:
    #
    fwstart = iptables -N fail2ban-%(__name__)s
    iptables -A fail2ban-%(__name__)s -j RETURN
    iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s

    # Option: fwend
    # Notes.: command executed once at the end of Fail2Ban
    # Values: CMD Default:
    #
    fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
    iptables -F fail2ban-%(__name__)s
    iptables -X fail2ban-%(__name__)s

    # Option: fwcheck
    # Notes.: command executed once before each fwban command
    # Values: CMD Default:
    #
    fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s

    # Option: fwban
    # Notes.: command executed when banning an IP. Take care that the
    # command is executed with Fail2Ban user rights.
    # Tags: <ip> IP address
    # <failures> number of failures
    # <failtime> unix timestamp of the last failure
    # <bantime> unix timestamp of the ban time
    # Values: CMD
    # Default: iptables -I INPUT 1 -s <ip> -j DROP
    #
    fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP

    # Option: fwunban
    # Notes.: command executed when unbanning an IP. Take care that the
    # command is executed with Fail2Ban user rights.
    # Tags: <ip> IP address
    # <bantime> unix timestamp of the ban time
    # <unbantime> unix timestamp of the unban time
    # Values: CMD
    # Default: iptables -D INPUT -s <ip> -j DROP
    #
    fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP

    [MAIL]
    # Option: enabled
    # Notes.: enable mail notification when banning an IP address.
    # Values: [true | false] Default: false
    #
    enabled = true

    # Option: host
    # Notes.: host running the mail server.
    # Values: STR Default: localhost
    #
    host = webmail.gen-x.com.my

    # Option: port
    # Notes.: port of the mail server.
    # Values: INT Default: 25
    #
    port = 25

    # Option: user
    # Notes.: the username for smtp-server if authentication is required.
    # if user is empty, no authentication is done.
    # Values: STR Default:
    #
    user = xx@gxx-x.cxx.mx

    # Option: password
    # Notes.: the smtp-user's password if authentication is required.
    # Values: STR Default:
    #
    password = xxxxxxxxxxxx

    # Option: from
    # Notes.: e-mail address of the sender.
    # Values: MAIL Default: fail2ban
    #
    from = fail2ban

    # Option: to
    # Notes.: e-mail addresses of the receiver. Addresses are space
    # separated.
    # Values: MAIL Default: root
    #
    to = vx@gxxx.cxxm.xx

    # Option: localtime
    # Notes.: report local time (including timezone) or GMT
    # Values: [true | false] Default: false
    #
    localtime = true

    # Option: subject
    # Notes.: subject of the e-mail.
    # Tags: <section> active section (eg ssh, apache, etc)
    # <ip> IP address
    # <failures> number of failures
    # <failtime> unix timestamp of the last failure
    # Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
    #
    subject = [Fail2Ban] <section>: Banned <ip>

    # Option: message
    # Notes.: message of the e-mail.
    # Tags: <section> active section (eg ssh, apache, etc)
    # <ip> IP address
    # <failures> number of failures
    # <failtime> unix timestamp of the last failure
    # <br> new line
    # Values: TEXT Default:
    #
    message = Hi,<br>
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <section>.<br>
    Regards,<br>
    Fail2Ban

    # You can define a new section for each log file to check for
    # password failure. Each section has to define the following
    # options: logfile, fwban, fwunban, timeregex, timepattern,
    # failregex.


    [Apache]
    # Option: enabled
    # Notes.: enable monitoring for this section.
    # Values: [true | false] Default: false
    #
    enabled = false

    # Option: logfile
    # Notes.: logfile to monitor.
    # Values: FILE Default: /var/log/httpd/access_log
    #
    logfile = /var/log/httpd/access_log

    # Option: port
    # Notes.: specifies port to monitor
    # Values: [ NUM | STRING ] Default:
    #
    port = http

    # Option: timeregex
    # Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
    # use timeregex = @[0-9a-f]{24}
    # Values: [Wed Jan 05 15:08:01 2005]
    # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
    #
    timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}

    # Option: timepattern
    # Notes.: format used in "timeregex" fields definition. Note that '%' must be
    # escaped with '%' (see Python 2.3 Quick Reference).
    # For TAI64N format, use timepattern = tai64n
    # Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
    #
    timepattern = %%a %%b %%d %%H:%%M:%%S %%Y

    # Option: failregex
    # Notes.: regex to match the password failure messages in the logfile.
    # Values: TEXT Default: authentication failure|user .* not found
    #
    failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)


    [VSFTPD]
    # Option: enabled
    # Notes.: enable monitoring for this section.
    # Values: [true | false] Default: false
    #
    enabled = true

    # Option: logfile
    # Notes.: logfile to monitor.
    # Values: FILE Default: /var/log/secure
    #
    logfile = /var/log/secure.log

    # Option: port
    # Notes.: specifies port to monitor
    # Values: [ NUM | STRING ] Default:
    #
    port = ftp

    # Option: timeregex
    # Notes.: regex to match timestamp in VSFTPD logfile.
    # Values: [Mar 7 17:53:28]
    # Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
    #
    timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

    # Option: timepattern
    # Notes.: format used in "timeregex" fields definition. Note that '%' must be
    # escaped with '%' (see Python 2.3 Quick Reference)
    # Values: TEXT Default: %%b %%d %%H:%%M:%%S
    #
    timepattern = %%b %%d %%H:%%M:%%S

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # Values: TEXT Default: Authentication failure|Failed password|Invalid user
    #
    failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)


    [SSH]
    # Option: enabled
    # Notes.: enable monitoring for this section.
    # Values: [true | false] Default: true
    #
    enabled = false

    # Option: logfile
    # Notes.: logfile to monitor.
    # Values: FILE Default: /var/log/secure
    #
    logfile = /var/log/secure

    # Option: port
    # Notes.: specifies port to monitor
    # Values: [ NUM | STRING ] Default:
    #
    port = ssh

    # Option: timeregex
    # Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
    # use timeregex = @[0-9a-f]{24}
    # Values: [Mar 7 17:53:28]
    # Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
    #
    timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

    # Option: timepattern
    # Notes.: format used in "timeregex" fields definition. Note that '%' must be
    # escaped with '%' (see Python 2.3 Quick Reference).
    # For TAI64N format, use timepattern = tai64n
    # Values: TEXT Default: %%b %%d %%H:%%M:%%S
    #
    timepattern = %%b %%d %%H:%%M:%%S

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # Values: TEXT Default: Authentication failure|Failed password|Invalid user
    #
    failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)

    The version of fail2ban is 0.6.1 and I installed it on CentOS 5 and Ubuntu Feisty Fawn. Thanks

  2. #2
    Just Joined! | Join Date: Sep 2008 | Posts: 1
    Sorry if this has already been responded to.

    But you need to check the location of your log files. RedHat/CentOS and the other Linux systems differ in where the log files are located.

    Be sure to check the logs to make sure they exist, and the item that drives me nuts is when it is log or logs.

    Cheers!

    P.S. A much newer version of this tool exists, so make sure you have 0.8 something; 0.8.3 is the current stable version.
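The two things the thread turns on, which sections are actually enabled and whether each enabled section's logfile exists on the host, can be checked before starting the daemon. The script below is an added example, not part of either post and not fail2ban's own code: it parses a constructed excerpt in fail2ban 0.6 config syntax, reports enabled sections whose logfile is missing (the reply's point), and replays constructed /var/log/secure lines through a section's timeregex/timepattern/failregex with the maxfailures/findtime counting that 0.6 used, so you can see which hosts would be banned without touching iptables. The `exists` parameter, the sample log lines and the `year` argument (syslog timestamps carry no year) are assumptions of this example.

```python
"""Sanity-check a fail2ban 0.6-style config and replay sample log lines through it.
Added example; not fail2ban's own code."""
import configparser
import os
import re
from datetime import datetime, timedelta

# Constructed excerpt in fail2ban 0.6 syntax. Interpolation is disabled so the
# %%-escaped timepattern is unescaped by hand below.
SAMPLE_CONFIG = r"""
[DEFAULT]
maxfailures = 3
findtime = 600
bantime = 600

[VSFTPD]
enabled = true
logfile = /var/log/secure.log
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)

[SSH]
enabled = false
logfile = /var/log/secure
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
"""

# Constructed syslog lines in the format CentOS writes to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Mar  7 17:53:28 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  7 17:53:31 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar  7 17:53:35 web1 sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 50112 ssh2
Mar  7 17:53:40 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar  7 17:54:01 web1 vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=anonymous
Mar  7 18:30:00 web1 sshd[2200]: Failed password for root from 192.0.2.9 port 4100 ssh2
Mar  7 18:30:05 web1 sshd[2201]: Failed password for root from 192.0.2.9 port 4101 ssh2
Mar  7 19:00:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 4102 ssh2
""".splitlines()


def load_config(text):
    """Parse fail2ban 0.6-style INI text; '=' is the only delimiter so regexes with ':' survive."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def check_sections(cfg, exists=os.path.exists):
    """Return {section: problem or None}. A disabled section or a missing logfile
    means no bans for that service, which is what the thread describes."""
    report = {}
    for name in cfg.sections():
        sec = cfg[name]
        if not sec.getboolean("enabled", fallback=False):
            report[name] = "disabled (no banning will happen for this service)"
        elif not exists(sec["logfile"]):
            report[name] = f"logfile {sec['logfile']} does not exist"
        else:
            report[name] = None
    return report


def replay(sec, lines, year=None):
    """Feed log lines through one section the way fail2ban 0.6 did: locate the
    timestamp, locate the failure, keep per-host failures inside findtime, and
    return the hosts that reach maxfailures (in ban order)."""
    time_re = re.compile(sec["timeregex"])
    time_fmt = sec["timepattern"].replace("%%", "%")
    fail_re = re.compile(sec["failregex"])
    maxfailures = sec.getint("maxfailures")
    findtime = timedelta(seconds=sec.getint("findtime"))
    year = year or datetime.now().year  # assumption: current year, as 0.6 did
    failures = {}  # host -> timestamps of failures still inside findtime
    banned = []
    for line in lines:
        t = time_re.search(line)
        f = fail_re.search(line)
        if not t or not f:
            continue
        when = datetime.strptime(t.group(0), time_fmt).replace(year=year)
        host = f.group("host")
        recent = [w for w in failures.get(host, []) if when - w <= findtime]
        recent.append(when)
        failures[host] = recent
        if len(recent) >= maxfailures and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for section, problem in check_sections(cfg).items():
        print(f"{section}: {problem or 'ok'}")
    print("SSH would ban:", replay(cfg["SSH"], SAMPLE_SECURE_LOG))
```

Run as-is it uses the real filesystem for the logfile check; the replay shows 203.0.113.5 banned after three failures inside findtime, while 192.0.2.9 is not, because its third failure falls outside the 600-second window of the first two. On a box where the VSFTPD section points at `/var/log/secure.log` but only `/var/log/secure` exists, the report flags exactly the mismatch the reply describes.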
