Fail2Ban: Jails, filters, and time tricks

Fail2Ban is a brilliant piece of IDS (Intrusion Detection Software) that I've got a crush on.

I've developed a couple "jails" -- rules for banning IP addresses.

First, a couple thoughts, tricks, and tips:

  • maxretry should probably be called maxattempts, as I don't want to allow any retries at all when someone tries logging in as root via ssh.
  • A handy way of dealing with findtime and bantime is to create these aliases (put them in the [DEFAULT] section of jail.local so every jail can refer to them):
    ## bantime of 3600 = 60*60 = one hour
    ## bantime of 86400 = 60*60*24 = one day
    ## bantime of 604800 = 60*60*24*7 = one week
    ## bantime of 2592000 = 60*60*24*30 = (approx) one month
    ## bantime of 31536000 = 60*60*24*365 = (approx) one year
    one_hour = 3600
    one_day = 86400
    one_week = 604800
    one_month = 2592000
    one_year = 31536000

    Then refer to them like this:

    findtime = %(one_week)s
    bantime = %(one_week)s

    NOTE the %(...)s syntax: do NOT forget the trailing "s"!

  • Actions can be chained. I wanted to both ban offenders and email myself, so I did this:
    action = iptables-multiport[name=apache-phpmyadmin,
             port="http,https", protocol=tcp] %(action_mwl)s

    NOTE the %(...)s syntax: do NOT forget the trailing "s"!


I've had emails saying Fail2ban had banned an IP, but testing showed it didn't. WTF?!? It is important that this actually works!

When you add a new jail, or start one, also run:

sudo iptables -n --list

and look for a "chain" for each of your jails, and make sure each chain has at least one reference, like this:

Chain fail2ban-apache-phpmyadmin (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

If there are 0 (zero) references, then reload the chain's jail like this:

sudo fail2ban-client reload apache-phpmyadmin

(substituting the name of your jail that has no references).

What happens is that sometimes the INPUT chain has no rule sending packets to the fail2ban chain(s), so you get an email saying a ban has happened, but it hasn't taken effect, and cryptic messages are left in /var/log/fail2ban.log.
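Here is a small script that automates the check above. It is added here and is not part of the original post: it reads "iptables -n --list" output, lists every fail2ban-<jail> chain with 0 references, and reloads those jails with fail2ban-client. It assumes fail2ban's default "fail2ban-<jailname>" chain naming, and the sample iptables output it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find fail2ban chains that the
# INPUT chain never jumps to (shown as "(0 references)"), whose bans are
# therefore silently ineffective, and reload the matching jails.
# Assumes fail2ban's default "fail2ban-<jailname>" chain naming.

# unreferenced_jails: read `iptables -n --list` output on stdin, print the
# jail name of every "Chain fail2ban-<jail> (0 references)" header.
unreferenced_jails() {
    awk '/^Chain fail2ban-/ && /[(]0 references[)]/ {
             sub(/^fail2ban-/, "", $2); print $2
         }'
}

# reload_unreferenced: reload each such jail via fail2ban-client.
# $1 is a command prefix, "sudo" by default; pass "echo" for a dry run.
reload_unreferenced() {
    prefix="${1:-sudo}"
    unreferenced_jails | while IFS= read -r jail; do
        $prefix fail2ban-client reload "$jail"
    done
}

# Constructed sample of `iptables -n --list` output: the phpmyadmin chain is
# healthy (INPUT jumps to it), the verboten4bots chain is orphaned.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache-phpmyadmin  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443

Chain fail2ban-apache-phpmyadmin (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-verboten4bots (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Dry run against the sample. On a live host run instead:
#   sudo iptables -n --list | reload_unreferenced
printf '%s\n' "$SAMPLE" | reload_unreferenced echo
```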


Good luck with your fail2ban installation!


Comments

If you don't run a web-based front end for MySQL admin, such as phpMyAdmin, then you should ban anyone trying to access it.

Here's the Jail, in my /etc/fail2ban/jail.local:

[apache-phpmyadmin]
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /usr/local/apache*/logs/error*
maxretry = 1
findtime = %(one_week)s
bantime = %(one_week)s
## I've appended a SECOND action, below, which sends email notice
## of the ban action (the "%(action_mwl)s" part).
action = iptables-multiport[name=apache-phpmyadmin,
         port="http,https", protocol=tcp] %(action_mwl)s

And, its filter, called /etc/fail2ban/filters.d/apache-phpmyadmin.local (updated and attached below):

[Definition]

# Option: failregex
# Notes.: Regexp to catch Apache PHP MySQL Admin on
## servers not running it.
# Values: TEXT
failregex = client <HOST>\] File does not exist: .*(phpmyadmin|phpMyAdmin).*
            client <HOST>\] .*mysql-?admin.*
            client <HOST>\] .*(websql|sqlweb).*
            client <HOST>\] .*SSLMySQLAdmin.*
            client <HOST>\] .*mysql/scripts/setup.php.*
            client <HOST>\] .*myadmin/scripts/setup.php.*
            client <HOST>\] .*(pma|mysql|SQL)$
            client <HOST>\] .*appConf.htm$
            client <HOST>\] .*cpanelmysql.*
            client <HOST>\] .*sqlmanager.*
            client <HOST>\] .*roundcube.*

ignoreregex =

Note that I've also included a "roundcube" mail server/interface block on the last line...

R o n
- - -
Vancouver

This one is for robots or bad-guys that read /robots.txt but either do not honour it, or use it to look for sensitive data.

First, I put an entry in my /robots.txt like this:

Disallow: /verboten4bots

Then, made a jail like this:

## put a dummy entry into /robots.txt saying:
## Disallow: /verboten4bots,
## then anyone accessing verboten4bots is a
## bad bot or malicious:
## (c) Ronald Barnes 2011.11.26
##
[apache-verboten4bots]
enabled = true
port = http,https
filter = apache-verboten4bots
logpath = /usr/local/apache*/logs/error*
maxretry = 1
findtime = %(one_week)s
bantime = 300
action = iptables-multiport[name=apache-verboten4bots,
         port="http,https", protocol=tcp] %(action_mwl)s

Finally, a filter like this:

# Fail2Ban configuration file
#
##
## Put a dummy entry into /robots.txt saying:
## Disallow: /verboten4bots,
## then anyone accessing verboten4bots is
## a bad bot or malicious:
##
## (c) Ronald Barnes 2011.11.26
##
#
#

[Definition]

# Option: failregex
# Notes.: Put a dummy entry into /robots.txt saying:
## Disallow: /verboten4bots,
## then anyone accessing verboten4bots is
## a bad bot or malicious:
# Values: TEXT
#

failregex = client <HOST>\] .*verboten4bots.*
            client <HOST>\] .*Verboten4bots.*
            client <HOST>\] .*Verboten4Bots.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

R o n
- - -
Vancouver
