How to use fail2ban to protect your server against attacks

The simplest way to protect your server is to use fail2ban.
It's easy to use, has many features built in and, very important, it's FREE.

By default Fail2ban is not available under CentOS; you need to install it from the third-party EPEL repository or install it manually.

CentOS 6 32 bit:

CentOS 6 64 bit:

Check that the EPEL repository is enabled and list the configured repositories.

# yum repolist

Install Fail2Ban from EPEL repository.

# yum install fail2ban

Set fail2ban to start automatically on boot:

# chkconfig --add fail2ban

# chkconfig fail2ban on

In /etc/fail2ban/jail.conf, add your own IP address and all your trusted IP addresses to the ignoreip line, so fail2ban never bans them:

ignoreip = 127.0.0.1 1.2.3.4 123.123.123.0/24


bantime - how long, in seconds, the server will block the IP address.

maxretry - the number of failed login attempts before fail2ban bans an IP address.

findtime - the time window, in seconds, in which those failures are counted. If a host fails to log in to one of your services maxretry times within this window, it is banned. The default findtime is 600 seconds.
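To make the interaction of these three settings concrete, here is an added Python example (not fail2ban's own code) that applies the same rule: a host is banned once it has maxretry failures inside the last findtime seconds, stays banned for bantime seconds, and addresses in ignoreip are never banned. The Jail class, the simulate() function and the timestamped events are constructed for this example; ignoreip matching here is exact-address only, whereas fail2ban also accepts CIDR ranges like the 123.123.123.0/24 above.

```python
"""Ban decision logic in the style of fail2ban's maxretry/findtime/bantime.
Added example; not code from the fail2ban project."""
from collections import deque


class Jail:
    """Tracks failures per IP and decides when to ban and unban."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignoreip = set(ignoreip)   # exact addresses only (no CIDR) in this example
        self.failures = {}              # ip -> deque of failure timestamps (seconds)
        self.banned = {}                # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are removed (unban)."""
        until = self.banned.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login from ip at time now.
        Returns True if this failure is the one that triggers a ban."""
        if ip in self.ignoreip or self.is_banned(ip, now):
            return False
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        # drop failures that fell out of the findtime window
        while q and now - q[0] > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            q.clear()
            return True
        return False


def simulate(events, **jail_opts):
    """Feed (timestamp, ip) failure events through a Jail, oldest first.
    Returns the list of (timestamp, ip) pairs at which a ban was issued."""
    jail = Jail(**jail_opts)
    bans = []
    for t, ip in sorted(events):
        if jail.record_failure(ip, t):
            bans.append((t, ip))
    return bans


# Constructed events (hypothetical addresses): one host fails three times
# within 40 s, another fails three times spread over 800 s, and a trusted
# (ignoreip) host fails three times in a row.
EVENTS = [
    (0, "192.0.2.10"), (20, "192.0.2.10"), (40, "192.0.2.10"),
    (0, "198.51.100.7"), (400, "198.51.100.7"), (800, "198.51.100.7"),
    (0, "127.0.0.1"), (1, "127.0.0.1"), (2, "127.0.0.1"),
]

if __name__ == "__main__":
    # With the defaults (maxretry=3, findtime=600) only the fast host is banned;
    # widening findtime to 1000 s also catches the slow one.
    print("findtime=600 :", simulate(EVENTS, ignoreip=["127.0.0.1"]))
    print("findtime=1000:", simulate(EVENTS, findtime=1000, ignoreip=["127.0.0.1"]))
```

Slow, spread-out attempts from 198.51.100.7 are never counted together under the default window, which is why a longer findtime (the jails further down use 3600) catches low-and-slow guessing at the cost of more false positives from legitimate users who mistype occasionally.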

After making changes you need to restart the service.

# service fail2ban restart

Check the iptables rules added by fail2ban by executing:

# iptables -L -v -n

I recommend using these filters, and more.

In /etc/fail2ban/, edit jail.conf with nano or vi.

# Add for POP3 mail (Qmail/vpopmail)
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
# hostsdeny adds the banned address to /etc/hosts.deny; you can use the
# iptables action instead, or both
action = hostsdeny
#action = iptables[name=POP3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
# several log files can be listed, one per continuation line:
#         /var/log/maillog-1
maxretry = 3

In /etc/fail2ban/filter.d, create vpopmail.conf with nano or vi and add:

# Fail2Ban configuration file for vpopmail
#
# Author: Lawrence Sheed
#
# $Revision: 1.0 $
#
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Again edit jail.conf with nano or vi:

# Add for SMTP password failures
[password-fail]
enabled = true
filter = password-fail
action = hostsdeny
# or, as above, use iptables instead of (or as well as) hostsdeny:
#action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
          /var/log/maillog-1
maxretry = 3
bantime = 86400
findtime = 3600

In filter.d, create password-fail.conf with nano or vi:

# Fail2Ban configuration file for vpopmail (SMTP password failures)
#
# Author: Lawrence Sheed
#
# $Revision: 1.0 $
#
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile,
#         i.e. lines of the form
#         vchkpw-smtp: password fail (pass: 'xxx') user@domain:1.2.3.4
#         The parentheses are escaped so they match literally, and <HOST>
#         must be followed directly by the end of line.
# Values: TEXT
#
failregex = vchkpw-smtp: password fail \([^)]*\) [^@]*@[^:]*:<HOST>$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Again edit jail.conf with nano or vi:

# Add for SMTP user name not found
[username-notfound]
enabled = true
filter = username-notfound
action = hostsdeny
# or, as above, use iptables instead of (or as well as) hostsdeny:
#action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
#         /var/log/maillog-1
maxretry = 3
bantime = 86400
findtime = 3600

In filter.d, create username-notfound.conf (the file name must match the filter = line of the jail) with nano or vi:

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-smtp: vpopmail user not found .*@:<HOST>$
            vchkpw-smtp: null password given .*:<HOST>$
            vchkpw-smtp: password fail \([^)]*\) [^@]*@[^:]*:<HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Again edit jail.conf with nano or vi:

# Add to protect against DNS spoofing

An example of the named log lines this jail matches:

-----------------------------------------------------------------------------------------

ns1 named[451]: client 129.17.94.228#23817 (azebuporibwdgb.www.365ddos.cn): query (cache) 'azebuporibwdgb.www.365ddos.cn/A/IN' denied

ns1 named[451]: client 90.189.115.36#9377 (mvktqd.www.yzrjy.com): query (cache) 'mvktqd.www.yzrjy.com/A/IN' denied
ns1 named[451]: client 13.242.147.204#43953 (ybcbgbwpgburcrel.www.yzrjy.com): query (cache) 'ybcbgbwpgburcrel.www.yzrjy.com/A/IN' denied
ns1 named[451]: client 107.42.124.217#20272 (cjunetidoxcvur.www.yzrjy.com): query (cache) 'cjunetidoxcvur.www.yzrjy.com/A/IN' denied

------------------------------------------------------------------------

[named-refused-udp]
enabled = true
filter = named-refused
#action = hostsdeny
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/messages
maxretry = 3
# 604800 seconds = 7 days
bantime = 604800
#findtime = 3600

The filter file named-refused.conf ships in filter.d by default.

Again edit jail.conf with nano or vi:

# Add to protect against Apache scans

[apache-scan]
enabled = true
filter = apache-scan
action = hostsdeny
logpath = /var/log/httpd/error_log
maxretry = 5
bantime = 604800
#findtime = 3600

In filter.d, create apache-scan.conf with nano or vi:

# Fail2Ban filter for web requests for home directories on Apache servers
#
# Regex to match failures to find a home directory on a server, which
# became popular lately. Most often the attacker just uses the IP instead of
# the domain name -- so expect to see them in the generic error_log if you have
# per-domain log files.
#
# Author: Yaroslav O. Halchenko

[INCLUDES]

# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf

[Definition]

failregex = [[]client <HOST>[]] File does not exist:

ignoreregex =

Again edit jail.conf with nano or vi:

# Add to protect against Apache bad bots

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/httpd/access_log
bantime = 604800
maxretry = 1

The filter file apache-badbots.conf ships in filter.d by default.

You can add one more bad bot, ZmEu, to the badbotscustom line in its [Definition] section:

[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|ZmEu

You can test a filter against a log file with fail2ban-regex:

Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

# fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

In filter.d there are many more useful filters, or you can try Advanced Policy Firewall (APF).
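The following added Python example (not the fail2ban project's code) does offline what fail2ban-regex does for the filters written above: it expands <HOST> using the alias quoted in the username-notfound filter, runs each failregex over a few constructed log lines, and reports which host each matching line attributes the failure to, plus the lines no regex matched (what fail2ban-regex lists as missed). The regexes are the ones from the page's vpopmail, username-notfound and apache-scan filters; the log lines, addresses and host names are constructed for this example.

```python
"""Mini fail2ban-regex for the filters on this page. Added example."""
import re

# fail2ban's expansion of the <HOST> tag (as quoted in the filter above)
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines from the page's filter.d files
FILTERS = {
    "vpopmail": [
        r"vchkpw-pop3: vpopmail user not found .*@:<HOST>$",
    ],
    "username-notfound": [
        r"vchkpw-smtp: vpopmail user not found .*@:<HOST>$",
        r"vchkpw-smtp: null password given .*:<HOST>$",
        r"vchkpw-smtp: password fail \([^)]*\) [^@]*@[^:]*:<HOST>$",
    ],
    "apache-scan": [
        r"[[]client <HOST>[]] File does not exist:",
    ],
}


def compile_filter(patterns):
    """Expand <HOST> and compile each failregex, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_line(compiled, line):
    """Return the host captured by the first regex that matches, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def run_filter(name, lines):
    """Like `fail2ban-regex <LOG> <REGEX>`: returns ({host: failures}, missed_lines)."""
    compiled = compile_filter(FILTERS[name])
    hits, missed = {}, []
    for line in lines:
        host = match_line(compiled, line)
        if host is None:
            missed.append(line)
        else:
            hits[host] = hits.get(host, 0) + 1
    return hits, missed


# Constructed sample log lines (hypothetical hosts and addresses).
SAMPLE_MAILLOG = [
    "Oct 12 10:01:02 mx vpopmail[1234]: vchkpw-smtp: vpopmail user not found nobody@:192.0.2.10",
    "Oct 12 10:01:05 mx vpopmail[1235]: vchkpw-smtp: password fail (pass: 'guess') user@example.com:192.0.2.10",
    "Oct 12 10:01:09 mx vpopmail[1236]: vchkpw-smtp: null password given user@example.com:192.0.2.11",
    "Oct 12 10:01:12 mx vpopmail[1237]: vchkpw-pop3: vpopmail user not found admin@:198.51.100.7",
    "Oct 12 10:01:15 mx vpopmail[1238]: vchkpw-pop3: invalid user/domain characters espa",
]
SAMPLE_ERROR_LOG = [
    "[Fri Oct 12 10:02:00 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpMyAdmin",
    "[Fri Oct 12 10:02:01 2012] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    for name, lines in (("username-notfound", SAMPLE_MAILLOG),
                        ("vpopmail", SAMPLE_MAILLOG),
                        ("apache-scan", SAMPLE_ERROR_LOG)):
        hits, missed = run_filter(name, lines)
        print("%-18s matched: %s  missed: %d line(s)" % (name, hits, len(missed)))
```

The "invalid user/domain characters" lines that appear under Unmatched Entries in the report further down are exactly the kind of line this shows as missed: the page's filters only count failures that end in user@domain:IP, so lines without an address cannot contribute to a ban.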

This is a small part of a daily log report.

 --------------------- fail2ban-messages Begin ------------------------ 

 
 Banned services with Fail2Ban:			Bans:Unbans
    apache-badbots:                                         [  2:1  ]
       62.116.178.196 (gm3.8uhr30.com)               1:0  
       125.210.204.243                                         0:1  
       203.171.229.184                                         1:0  
    apache-scan:                                             [  3:0  ]
       62.24.103.148 (ndovu.orange.co.ke)            1:0  
       62.116.178.196 (gm3.8uhr30.com)              1:0  
       183.60.243.188                                          1:0  
    named-refused-udp:                                  [  1:5  ]
       217.69.133.165 (pegasus.mail.ru)               1:1  
       109.99.188.80                                           0:1  
       193.231.100.22                                         0:1  
       193.231.100.37                                         0:1  
       216.176.188.10 (ns4.wowrack.com)             0:1  
    username-notfound:                                      [  1:0  ]
       83.150.92.28 (xdsl-83-150-92-28.nebulazone.fi)          1:0  
    vpopmail:                                               [  2:0  ]
       82.98.190.218 (vls15416.dinaserver.com)                 1:0  
       110.170.42.226 (110-170-42-226.static.asianet.co.th)    1:0  


Requests with error response codes
    404 Not Found
       /Admin/phpMyAdmin/scripts/setup.php: 1 Time(s)
       /Admin/phpmyadmin/scripts/setup.php: 1 Time(s)
       /HNAP1/: 1 Time(s)
       /LIVE_VIEW.asp: 1 Time(s)
       /MyAdmin/scripts/setup.php: 1 Time(s)
       /_PHPMYADMIN/scripts/setup.php: 1 Time(s)
       /_pHpMyAdMiN/scripts/setup.php: 1 Time(s)
       /_phpMyAdmin/scripts/setup.php: 1 Time(s)
       /_phpmyadmin/scripts/setup.php: 1 Time(s)
       /admin/common/ie.css: 1 Time(s)
       /admin/config.php: 1 Time(s)
       /admin/phpmyadmin/scripts/setup.php: 1 Time(s)
       /admin/pma/scripts/setup.php: 1 Time(s)
       /admin/scripts/setup.php: 1 Time(s)
       /administrator/components/com_joommyadmin/ ... ripts/setup.php: 1 Time(s)
       /apache-default/phpmyadmin/scripts/setup.php: 1 Time(s)
       /blog/phpmyadmin/scripts/setup.php: 1 Time(s)
       /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F ... 76%3D%30+%2D%6E: 1 Time(s)
       /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F ... 76%3D%30+%2D%6E: 1 Time(s)
       /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75 ... 76%3D%30+%2D%6E: 1 Time(s)
       /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75 ... 76%3D%30+%2D%6E: 1 Time(s)
       /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75% ... 76%3D%30+%2D%6E: 1 Time(s)
       /cgi-bin/rtpd.cgi?/bin/busybox: 1 Time(s)
       /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount: 1 Time(s)
       /cgi/maker/ptcmd.cgi?cmd=;cat+/tmp/config/usr.ini: 1 Time(s)
       /cpanelphpmyadmin/scripts/setup.php: 1 Time(s)
       /cpphpmyadmin/scripts/setup.php: 1 Time(s)
       /db/scripts/setup.php: 1 Time(s)
       /dbadmin/scripts/setup.php: 1 Time(s)
       /forum/phpmyadmin/scripts/setup.php: 1 Time(s)
       /img/snapshot.cgi?AAAAAAAAAAAAAAAAAAAAAAAA ... AAAAAAA\x88\x9b: 1 Time(s)
       /muieblackcat: 1 Time(s)
       /myadmin/scripts/setup.php: 10 Time(s)
       /mysql/scripts/setup.php: 1 Time(s)
       /mysqladmin/scripts/setup.php: 1 Time(s)
       /oamp/System.xml?action=login&user=L1_admin&password=L1_51: 1 Time(s)
       /oidtable.cgi?grep='$IFS/etc/privpasswd;': 1 Time(s)
       /php-my-admin/scripts/setup.php: 1 Time(s)
       /php/phpmyadmin/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.0.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.0.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.0.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.1.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.10.2.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.11.0.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.11.1-all-languages/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.11.1.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.11.1.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.11.1.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.5-pl1/index.php: 2 Time(s)
       /phpMyAdmin-2.5.5/index.php: 2 Time(s)
       /phpMyAdmin-2.6.1-pl2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl4/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.4-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.5/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.6/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.9/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-beta1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-pl1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-pl2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.5/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.6/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.7/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.2.3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.4/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.5/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.6/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.7/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.8/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.9/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.0-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.0.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.0.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.9.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2/: 1 Time(s)
       /phpMyAdmin-2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.0.1.0-english/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.0.1.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.0.1.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.0.0-english/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.0.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.2.0-english/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.1.2.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-3.4.3.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin/scripts/setup.php: 12 Time(s)
       /phpMyAdmin/translators.html: 3 Time(s)
       /phpMyAdmin2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin3/scripts/setup.php: 1 Time(s)
       /phpTest/zologize/axa.php: 9 Time(s)
       /phpadmin/scripts/setup.php: 1 Time(s)
       /phpmyadmin/scripts/setup.php: 3 Time(s)
       /phpmyadmin/translators.html: 2 Time(s)
       /pma/scripts/setup.php: 10 Time(s)
       /robots.txt: 5 Time(s)
       /scripts/setup.php: 1 Time(s)
       /typo3/phpmyadmin/scripts/setup.php: 1 Time(s)
       /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
       /web/phpMyAdmin/scripts/setup.php: 1 Time(s)
       /web/scripts/setup.php: 1 Time(s)
       /websql/scripts/setup.php: 1 Time(s)
       /xampp/phpmyadmin/scripts/setup.php: 1 Time(s)

No Such User Found:
       LONG LIST (omitted)

 **Unmatched Entries**
 vchkpw-pop3: invalid user/domain characters madrile
 vchkpw-pop3: invalid user/domain characters espa
 vchkpw-pop3: invalid user/domain characters albañ
 vchkpw-pop3: invalid user/domain characters diseña
 vchkpw-pop3: invalid user/domain characters diseñ


Links - Install fail2ban centos
-