From Fedora Project Wiki

No edit summary
(Add information on systemd package for logging, which is not installed by default when installing fail2ban.)
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[http://en.wikipedia.org/wiki/Fail2ban Fail2ban] is a service that monitors logfiles to detect potential intrusion attempts and places bans using a variety of methods. In Fedora 20, the default firewall service [[FirewallD]] can be used as a ban action.
[http://en.wikipedia.org/wiki/Fail2ban Fail2ban] is a service that monitors logfiles to detect potential intrusion attempts and places bans using a variety of methods. In Fedora and EL7, the default firewall service [[FirewallD]] can be used as a ban action.


==Setup==
==Setup==
First, install Fail2ban and requirements for utilizing FirewallD (This tutorial requires Fail2ban 0.9.0 or higher):
First, install Fail2ban and requirements for utilizing FirewallD:
  sudo yum install fail2ban ipset
  sudo dnf install fail2ban


If you wish to have Fail2ban send mail notifications, install these packages as well (sendmail can be used instead of postfix):
The fail2ban package is a meta-package that will bring in fail2ban-server (the main fail2ban component) as well as fail2ban-firewalld (which configures fail2ban to use firewalld) and fail2ban-sendmail (which allows fail2ban to send email notifications). If you do not want to install fail2ban-sendmail, you can install just fail2ban-firewalld.
  sudo yum install postfix whois fail2ban-sendmail


If you did not already have postfix (or sendmail) set up, you must enable the service:
If you did not already have postfix (or sendmail) set up, you must enable the service:
Line 13: Line 12:


==Configuration==
==Configuration==
Fail2ban is configured by the file /etc/fail2ban/jail.conf, but you should not modify this file directly. Instead, create a local configuration file at /etc/fail2ban/jail.local. Here is an example jail.local that will send an email to root when IPs are banned:
Fail2ban is configured primarily by the file /etc/fail2ban/jail.conf, but you should not modify this file directly. Instead, create a local configuration file at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf. Here is an example jail.local that will send an email to root when IPs are banned:


  [DEFAULT]
  [DEFAULT]
  bantime = 3600
  bantime = 3600
banaction = firewallcmd-ipset
backend = systemd
  sender = fail2ban@example.com
  sender = fail2ban@example.com
  destemail = root
  destemail = root
Line 28: Line 25:
===bantime===
===bantime===
Default time in seconds to ban the possible intruder. Common values are 3600 (1 hour) or 86400 (1 day).
Default time in seconds to ban the possible intruder. Common values are 3600 (1 hour) or 86400 (1 day).
===banaction===
Configures Fail2ban to use FirewallD as the default ban action.
===backend===
Configures Fail2ban to use SystemD to monitor logfiles. If you are not using SystemD for logging, you can leave out this option.


===sender===
===sender===
Line 46: Line 37:
===Jails===
===Jails===
By enabling the sshd jail, fail2ban will monitor ssh connection attempts for IPs to ban. There are many other jails you can enable as well, such as apache-auth to monitor the HTTPD error log for authentication failures, and jails for authentication to various FTP, IMAP, SMTP and database servers. See /etc/fail2ban/jail.conf for a full list of defined jails, or define your own.
By enabling the sshd jail, fail2ban will monitor ssh connection attempts for IPs to ban. There are many other jails you can enable as well, such as apache-auth to monitor the HTTPD error log for authentication failures, and jails for authentication to various FTP, IMAP, SMTP and database servers. See /etc/fail2ban/jail.conf for a full list of defined jails, or define your own.
=== fail2ban-firewalld ===
This installs /etc/fail2ban/jail.d/00-firewalld.conf containing:
[DEFAULT]
banaction = firewallcmd-ipset
Which configures fail2ban to block hosts via firewalld.
== fail2ban-systemd ==
When trying to start fail2ban with systemd'd journald as the primary logging you may see this error
ERROR  No file(s) found for glob /var/log/secure
ERROR  Failed during configuration: Have not found any log file for sshd jail
To resolve this package installs /etc/fail2ban/jail.d/00-systemd.conf containing:
[DEFAULT]
backend=systemd
Which configures fail2ban to log via systemd's journald.


==Running the service==
==Running the service==

Latest revision as of 04:45, 23 June 2016

Fail2ban is a service that monitors logfiles to detect potential intrusion attempts and places bans using a variety of methods. In Fedora and EL7, the default firewall service FirewallD can be used as a ban action.

Setup

First, install Fail2ban and requirements for utilizing FirewallD:

sudo dnf install fail2ban

The fail2ban package is a meta-package that will bring in fail2ban-server (the main fail2ban component) as well as fail2ban-firewalld (which configures fail2ban to use firewalld) and fail2ban-sendmail (which allows fail2ban to send email notifications). If you do not want to install fail2ban-sendmail, you can install just fail2ban-firewalld.

If you did not already have postfix (or sendmail) set up, you must enable the service:

sudo systemctl enable postfix
sudo systemctl start postfix

Configuration

Fail2ban is configured primarily by the file /etc/fail2ban/jail.conf, but you should not modify this file directly. Instead, create a local configuration file at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf. Here is an example jail.local that will send an email to root when IPs are banned:

[DEFAULT]
bantime = 3600
sender = fail2ban@example.com
destemail = root
action = %(action_mwl)s

[sshd]
enabled = true

bantime

Default time in seconds to ban the possible intruder. Common values are 3600 (1 hour) or 86400 (1 day).

sender

Default "sender" email address when sending mail notifications of Fail2ban actions.

destemail

Destination email address for mail notifications.

action

Action to take when a possible intruder is detected. Default is %(action_)s which will only ban the IP. With %(action_mwl)s it will ban the IP and send a mail notification including whois data and log entries. See comments in /etc/fail2ban/jail.conf for more information.

Jails

By enabling the sshd jail, fail2ban will monitor ssh connection attempts for IPs to ban. There are many other jails you can enable as well, such as apache-auth to monitor the HTTPD error log for authentication failures, and jails for authentication to various FTP, IMAP, SMTP and database servers. See /etc/fail2ban/jail.conf for a full list of defined jails, or define your own.

fail2ban-firewalld

This installs /etc/fail2ban/jail.d/00-firewalld.conf containing:

[DEFAULT]
banaction = firewallcmd-ipset

Which configures fail2ban to block hosts via firewalld.

fail2ban-systemd

When trying to start fail2ban with systemd'd journald as the primary logging you may see this error

ERROR  No file(s) found for glob /var/log/secure
ERROR  Failed during configuration: Have not found any log file for sshd jail

To resolve this package installs /etc/fail2ban/jail.d/00-systemd.conf containing:

[DEFAULT]
backend=systemd

Which configures fail2ban to log via systemd's journald.

Running the service

Once configured, start the service:

sudo systemctl start fail2ban

And enable it to run on system startup:

sudo systemctl enable fail2ban

Check the status:

systemctl status fail2ban

Check the log file:

sudo tail /var/log/fail2ban.log