Wednesday, February 11, 2009

Fail2ban Installation guide :Prevent automated SSH attacks

Reference: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

##Manual Installation

# Download Fail2ban from http://www.fail2ban.org/wiki/index.php/Downloads

cd /tmp
wget http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2

tar jxvf fail2ban-0.8.3.tar.bz2
rm -rf /tmp/fail2ban-0.8.3.tar.bz2
cd fail2ban-0.8.3

./setup.py install

cd /tmp/fail2ban-0.8.3/files

cp -a redhat-initd /etc/init.d/fail2ban

cd /etc/init.d/

chown root.root fail2ban

chmod 755 fail2ban

/sbin/chkconfig --add fail2ban

/sbin/chkconfig fail2ban on

cd /etc/fail2ban

cp -a jail.conf jail.conf.orig

vi /etc/fail2ban/jail.conf

Edit values as follows
##########
# Put space separated list of IPs you want to ignore
ignoreip = x.x.x.x



[[ssh-iptables]

#enabled = false
enabled = true
filter = sshd
#action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=admin@yourdomain.com, sender=fail2ban@mail.com]
#logpath = /var/log/sshd.log
logpath = /var/log/secure
#maxretry = 5
maxretry = 3

############

Edit Shorewall configuration (if you are using one as follow)

vi /etc/shorewall/shorewall.conf
#########
#BLACKLISTNEWONLY=Yes
BLACKLISTNEWONLY=No
##########

cd /etc/fail2ban

chown root.root fail2ban.conf
chmod 644 fail2ban.conf

# Log rotation of Fail2ban Logs

cd /etc/logrotate.d

vi fail2ban

###
/var/log/fail2ban.log {
missingok
notifempty
copytruncate
}
###

chown root.root fail2ban
chmod 644 fail2ban

/etc/rc.d/init.d/fail2ban start

# Check fail2ban.log for any errors

tail -f /var/log/fail2ban.log

rm -rf /tmp/fail2ban-0.8.3

No comments: