Fail2ban unter CentOS 6.x

Fail2ban Logo Ähnlich wie das nagios Plugin check_logfiles kann mit Hilfe von Fail2ban diverse Logdateien auf Auffälligkeiten hin überwacht werden. Die Ursache dieser Auffälligkeiten kann nun ein amoklaufender Host, eine Brute-Force-Attacke, oder anderweitigen nicht erwünschten IP-Traffic sein.

Im Gegensatz zum Eingangs angesprochenen nagios-plugins, haben wir nun mit Fail2ban ein Werkzeug an der Hand, mit dem wir der Ursache oder dem Verursacher entgegentreten können. Fail2ban kann je nach Konfiguration, eMails-verschicken oder Dienste wie www.blocklist.de informieren und darüber hinaus über das Paketfilter-regelwerk iptables vornehmen, so dass die Verursachen für eine gewisse Zeit, oder auch dauerhaft, geblockt werden.

Im folgendem Abschnitt werden wir nun die aktuelle Release-Version 0.9.0 installieren. 0.9.0 ist zwar eine sog. Entwickler-Version, bringt aber wesentliche Neuerungen mit, die wir gerne einsetzen wollen. Hinweise zum aktuellen Release-Stand findet man bei GitHub hier.

Das zugehörige, oder besser gesagt, die zugehörigen RPMs findet man im Repository mailserver.guru. Falls noch nicht geschehen, binden wir nun das entsprechende Repository ein. Wie das geht, steht hier. Eine ausführliche Dokumentation der aktuellen Entwicklerversion 0.9.0 findet sich hier.

Da wir neben der Überwachung der Logfiles auch Aktionen, wie z.B. verschicken von Status-eMails nutzen wollen installieren wir das Paket fail2ban aus zuvor erwähnten mailserver.guru-Repository.

Dank des eingebundenen mailserver.guru-Repository könne wir yum zum Installieren verwenden, somit werden auch gleich alle weiteren Pakete für eine Basisinstallation als Abhängigkeiten mit installiert!

Wir starten also den Installationsvorgang.

 # yum install fail2ban -y

Neben dem Basispaket fail2ban werden noch die Pakete fail2ban-server, fail2ban-sendmail, jwois, gamin-python und python-inotify installiert.

Bei Bedraf können wir uns mit Hilfe des Aufrufes rpm -qil jeweils ein Bild davon machen, welche Dateien und Verzeichnisse bei der jeweiligen Paketinstallation neu zum System hinzukamen.

 # rpm -qil fail2ban
Name        : fail2ban                     Relocations: (not relocatable)
Version     : 0.9.0                             Vendor: django
Release     : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
Install Date: Fri 13 Jun 2014 11:16:39 PM CEST      Build Host: vml010039.intra.nausch.org
Group       : Unspecified                   Source RPM: fail2ban-0.9.0-2.el6.src.rpm
Size        : 0                                License: GPLv2+
Signature   : RSA/SHA1, Fri 13 Jun 2014 11:07:18 PM CEST, Key ID 31b4758f7c65ab27
Packager    : Django <django@nausch.org>
URL         : http://fail2ban.sourceforge.net/
Summary     : Daemon to ban hosts that cause multiple authentication errors
Description :
Fail2Ban scans log files and bans IP addresses that makes too many password
failures. It updates firewall rules to reject the IP address. These rules can
be defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.

Fail2Ban is able to reduce the rate of incorrect authentications attempts
however it cannot eliminate the risk that weak authentication presents.
Configure services to use only two factor or public/private authentication
mechanisms if you really want to protect services.

This is a meta-package that will install the default configuration.  Other
sub-packages are available to install support for other actions and
configurations.
(contains no files)
 # rpm -qil fail2ban-server
Name        : fail2ban-server              Relocations: (not relocatable)
Version     : 0.9.0                             Vendor: django
Release     : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
Install Date: Fri 13 Jun 2014 11:16:33 PM CEST      Build Host: vml010039.intra.nausch.org
Group       : Unspecified                   Source RPM: fail2ban-0.9.0-2.el6.src.rpm
Size        : 1240490                          License: GPLv2+
Signature   : RSA/SHA1, Fri 13 Jun 2014 11:07:19 PM CEST, Key ID 31b4758f7c65ab27
Packager    : Django <django@nausch.org>
URL         : http://fail2ban.sourceforge.net/
Summary     : Core server component for Fail2Ban
Description :
This package contains the core server components for Fail2Ban with minimal
dependencies.  You can install this directly if you want to have a small
installation and know what you are doing.
/etc/fail2ban
/etc/fail2ban/action.d
/etc/fail2ban/action.d/apf.conf
/etc/fail2ban/action.d/badips.conf
/etc/fail2ban/action.d/badips.py
/etc/fail2ban/action.d/blocklist_de.conf
/etc/fail2ban/action.d/dshield.conf
/etc/fail2ban/action.d/dummy.conf
/etc/fail2ban/action.d/firewallcmd-ipset.conf
/etc/fail2ban/action.d/firewallcmd-new.conf
/etc/fail2ban/action.d/iptables-allports.conf
/etc/fail2ban/action.d/iptables-blocktype.conf
/etc/fail2ban/action.d/iptables-ipset-proto4.conf
/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf
/etc/fail2ban/action.d/iptables-ipset-proto6.conf
/etc/fail2ban/action.d/iptables-multiport-log.conf
/etc/fail2ban/action.d/iptables-multiport.conf
/etc/fail2ban/action.d/iptables-new.conf
/etc/fail2ban/action.d/iptables-xt_recent-echo.conf
/etc/fail2ban/action.d/iptables.conf
/etc/fail2ban/action.d/mail.conf
/etc/fail2ban/action.d/mynetwatchman.conf
/etc/fail2ban/action.d/route.conf
/etc/fail2ban/action.d/sendmail.conf
/etc/fail2ban/action.d/smtp.py
/etc/fail2ban/action.d/smtp.pyc
/etc/fail2ban/action.d/smtp.pyo
/etc/fail2ban/action.d/xarf-login-attack.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/fail2ban.d
/etc/fail2ban/fail2ban.local
/etc/fail2ban/filter.d
/etc/fail2ban/filter.d/3proxy.conf
/etc/fail2ban/filter.d/apache-auth.conf
/etc/fail2ban/filter.d/apache-badbots.conf
/etc/fail2ban/filter.d/apache-botsearch.conf
/etc/fail2ban/filter.d/apache-common.conf
/etc/fail2ban/filter.d/apache-modsecurity.conf
/etc/fail2ban/filter.d/apache-nohome.conf
/etc/fail2ban/filter.d/apache-noscript.conf
/etc/fail2ban/filter.d/apache-overflows.conf
/etc/fail2ban/filter.d/assp.conf
/etc/fail2ban/filter.d/asterisk.conf
/etc/fail2ban/filter.d/common.conf
/etc/fail2ban/filter.d/counter-strike.conf
/etc/fail2ban/filter.d/courier-auth.conf
/etc/fail2ban/filter.d/courier-smtp.conf
/etc/fail2ban/filter.d/cyrus-imap.conf
/etc/fail2ban/filter.d/dovecot.conf
/etc/fail2ban/filter.d/dropbear.conf
/etc/fail2ban/filter.d/ejabberd-auth.conf
/etc/fail2ban/filter.d/exim-common.conf
/etc/fail2ban/filter.d/exim-spam.conf
/etc/fail2ban/filter.d/exim.conf
/etc/fail2ban/filter.d/freeswitch.conf
/etc/fail2ban/filter.d/groupoffice.conf
/etc/fail2ban/filter.d/gssftpd.conf
/etc/fail2ban/filter.d/guacamole.conf
/etc/fail2ban/filter.d/horde.conf
/etc/fail2ban/filter.d/kerio.conf
/etc/fail2ban/filter.d/lighttpd-auth.conf
/etc/fail2ban/filter.d/mysqld-auth.conf
/etc/fail2ban/filter.d/nagios.conf
/etc/fail2ban/filter.d/named-refused.conf
/etc/fail2ban/filter.d/nginx-http-auth.conf
/etc/fail2ban/filter.d/nsd.conf
/etc/fail2ban/filter.d/openwebmail.conf
/etc/fail2ban/filter.d/pam-generic.conf
/etc/fail2ban/filter.d/perdition.conf
/etc/fail2ban/filter.d/php-url-fopen.conf
/etc/fail2ban/filter.d/postfix-sasl.conf
/etc/fail2ban/filter.d/postfix.conf
/etc/fail2ban/filter.d/proftpd.conf
/etc/fail2ban/filter.d/pure-ftpd.conf
/etc/fail2ban/filter.d/qmail.conf
/etc/fail2ban/filter.d/recidive.conf
/etc/fail2ban/filter.d/roundcube-auth.conf
/etc/fail2ban/filter.d/selinux-common.conf
/etc/fail2ban/filter.d/selinux-ssh.conf
/etc/fail2ban/filter.d/sendmail-auth.conf
/etc/fail2ban/filter.d/sendmail-reject.conf
/etc/fail2ban/filter.d/sieve.conf
/etc/fail2ban/filter.d/sogo-auth.conf
/etc/fail2ban/filter.d/solid-pop3d.conf
/etc/fail2ban/filter.d/squid.conf
/etc/fail2ban/filter.d/squirrelmail.conf
/etc/fail2ban/filter.d/sshd-ddos.conf
/etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/filter.d/stunnel.conf
/etc/fail2ban/filter.d/suhosin.conf
/etc/fail2ban/filter.d/tine20.conf
/etc/fail2ban/filter.d/uwimap-auth.conf
/etc/fail2ban/filter.d/vsftpd.conf
/etc/fail2ban/filter.d/webmin-auth.conf
/etc/fail2ban/filter.d/wuftpd.conf
/etc/fail2ban/filter.d/xinetd-fail.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d
/etc/fail2ban/jail.local
/etc/fail2ban/paths-centos.conf
/etc/fail2ban/paths-common.conf
/etc/logrotate.d/fail2ban
/etc/rc.d/init.d/fail2ban
/etc/tmpfiles.d/fail2ban.conf
/usr/bin/fail2ban-client
/usr/bin/fail2ban-regex
/usr/bin/fail2ban-server
/usr/bin/fail2ban-testcases
/usr/lib/python2.6/site-packages/fail2ban
/usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info
/usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/PKG-INFO
/usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/SOURCES.txt
/usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/dependency_links.txt
/usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/top_level.txt
/usr/lib/python2.6/site-packages/fail2ban/__init__.py
/usr/lib/python2.6/site-packages/fail2ban/__init__.pyc
/usr/lib/python2.6/site-packages/fail2ban/__init__.pyo
/usr/lib/python2.6/site-packages/fail2ban/client
/usr/lib/python2.6/site-packages/fail2ban/client/__init__.py
/usr/lib/python2.6/site-packages/fail2ban/client/__init__.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/__init__.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/actionreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/actionreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/actionreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/beautifier.py
/usr/lib/python2.6/site-packages/fail2ban/client/beautifier.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/beautifier.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.py
/usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/configreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/configreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/configreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/configurator.py
/usr/lib/python2.6/site-packages/fail2ban/client/configurator.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/configurator.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/csocket.py
/usr/lib/python2.6/site-packages/fail2ban/client/csocket.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/csocket.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/filterreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/filterreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/filterreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/jailreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/jailreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/jailreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.py
/usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.pyc
/usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.pyo
/usr/lib/python2.6/site-packages/fail2ban/exceptions.py
/usr/lib/python2.6/site-packages/fail2ban/exceptions.pyc
/usr/lib/python2.6/site-packages/fail2ban/exceptions.pyo
/usr/lib/python2.6/site-packages/fail2ban/helpers.py
/usr/lib/python2.6/site-packages/fail2ban/helpers.pyc
/usr/lib/python2.6/site-packages/fail2ban/helpers.pyo
/usr/lib/python2.6/site-packages/fail2ban/protocol.py
/usr/lib/python2.6/site-packages/fail2ban/protocol.pyc
/usr/lib/python2.6/site-packages/fail2ban/protocol.pyo
/usr/lib/python2.6/site-packages/fail2ban/server
/usr/lib/python2.6/site-packages/fail2ban/server/__init__.py
/usr/lib/python2.6/site-packages/fail2ban/server/__init__.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/__init__.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/action.py
/usr/lib/python2.6/site-packages/fail2ban/server/action.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/action.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/actions.py
/usr/lib/python2.6/site-packages/fail2ban/server/actions.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/actions.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.py
/usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/banmanager.py
/usr/lib/python2.6/site-packages/fail2ban/server/banmanager.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/banmanager.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/database.py
/usr/lib/python2.6/site-packages/fail2ban/server/database.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/database.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/datedetector.py
/usr/lib/python2.6/site-packages/fail2ban/server/datedetector.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/datedetector.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.py
/usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/faildata.py
/usr/lib/python2.6/site-packages/fail2ban/server/faildata.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/faildata.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/failmanager.py
/usr/lib/python2.6/site-packages/fail2ban/server/failmanager.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/failmanager.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/failregex.py
/usr/lib/python2.6/site-packages/fail2ban/server/failregex.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/failregex.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/filter.py
/usr/lib/python2.6/site-packages/fail2ban/server/filter.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/filter.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.py
/usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.py
/usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.py
/usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.py
/usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/jail.py
/usr/lib/python2.6/site-packages/fail2ban/server/jail.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/jail.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/jails.py
/usr/lib/python2.6/site-packages/fail2ban/server/jails.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/jails.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/jailthread.py
/usr/lib/python2.6/site-packages/fail2ban/server/jailthread.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/jailthread.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/mytime.py
/usr/lib/python2.6/site-packages/fail2ban/server/mytime.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/mytime.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/server.py
/usr/lib/python2.6/site-packages/fail2ban/server/server.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/server.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/strptime.py
/usr/lib/python2.6/site-packages/fail2ban/server/strptime.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/strptime.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/ticket.py
/usr/lib/python2.6/site-packages/fail2ban/server/ticket.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/ticket.pyo
/usr/lib/python2.6/site-packages/fail2ban/server/transmitter.py
/usr/lib/python2.6/site-packages/fail2ban/server/transmitter.pyc
/usr/lib/python2.6/site-packages/fail2ban/server/transmitter.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests
/usr/lib/python2.6/site-packages/fail2ban/tests/__init__.py
/usr/lib/python2.6/site-packages/fail2ban/tests/__init__.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/__init__.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.py
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.py
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.py
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/config
/usr/lib/python2.6/site-packages/fail2ban/tests/config/action.d
/usr/lib/python2.6/site-packages/fail2ban/tests/config/action.d/brokenaction.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/config/fail2ban.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/config/filter.d
/usr/lib/python2.6/site-packages/fail2ban/tests/config/filter.d/simple.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/config/jail.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.py
/usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/README
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/cant_get_me.html
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/noentry
/usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python2.6/site-packages/fail2ban/tests/files/database_v1.db
/usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d
/usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/substition.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/testcase-common.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/testcase01.conf
/usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.py
/usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/3proxy
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-badbots
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-botsearch
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-modsecurity
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-nohome
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-noscript
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-overflows
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/assp
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/asterisk
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-plain.txt
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-v.txt
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-vv.txt
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/counter-strike
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/courier-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/courier-smtp
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/cyrus-imap
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/dovecot
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/dropbear
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/ejabberd-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/exim
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/exim-spam
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/freeswitch
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/groupoffice
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/gssftpd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/guacamole
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/horde
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/kerio
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/lighttpd-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/mysqld-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nagios
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/named-refused
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nginx-http-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nsd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/openwebmail
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/pam-generic
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/perdition
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/php-url-fopen
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/postfix
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/postfix-sasl
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/proftpd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/pure-ftpd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/qmail
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/recidive
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/roundcube-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/selinux-ssh
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sendmail-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sendmail-reject
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sieve
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sogo-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/solid-pop3d
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/squid
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/squirrelmail
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sshd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sshd-ddos
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/stunnel
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/suhosin
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/tine20
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/uwimap-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/vsftpd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/webmin-auth
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/wuftpd
/usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/xinetd-fail
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-journal.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-multiline.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-usedns.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase01.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase02.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase03.log
/usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase04.log
/usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.py
/usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.pyo
/usr/lib/python2.6/site-packages/fail2ban/tests/utils.py
/usr/lib/python2.6/site-packages/fail2ban/tests/utils.pyc
/usr/lib/python2.6/site-packages/fail2ban/tests/utils.pyo
/usr/lib/python2.6/site-packages/fail2ban/version.py
/usr/lib/python2.6/site-packages/fail2ban/version.pyc
/usr/lib/python2.6/site-packages/fail2ban/version.pyo
/usr/share/doc/fail2ban-server-0.9.0
/usr/share/doc/fail2ban-server-0.9.0/COPYING
/usr/share/doc/fail2ban-server-0.9.0/ChangeLog
/usr/share/doc/fail2ban-server-0.9.0/README.md
/usr/share/doc/fail2ban-server-0.9.0/TODO
/usr/share/doc/fail2ban-server-0.9.0/run-rootless.txt
/usr/share/man/man1/fail2ban-client.1.gz
/usr/share/man/man1/fail2ban-regex.1.gz
/usr/share/man/man1/fail2ban-server.1.gz
/usr/share/man/man1/fail2ban.1.gz
/usr/share/man/man5/jail.conf.5.gz
/var/lib/fail2ban
/var/run/fail2ban
 # rpm -qil fail2ban-sendmail
Name        : fail2ban-sendmail            Relocations: (not relocatable)
Version     : 0.9.0                             Vendor: django
Release     : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
Install Date: Fri 13 Jun 2014 11:16:38 PM CEST      Build Host: vml010039.intra.nausch.org
Group       : Unspecified                   Source RPM: fail2ban-0.9.0-2.el6.src.rpm
Size        : 9564                             License: GPLv2+
Signature   : RSA/SHA1, Fri 13 Jun 2014 11:07:21 PM CEST, Key ID 31b4758f7c65ab27
Packager    : Django <django@nausch.org>
URL         : http://fail2ban.sourceforge.net/
Summary     : Sendmail actions for Fail2Ban
Description :
This package installs Fail2Ban's sendmail actions.  This is the default
mail actions for Fail2Ban.
/etc/fail2ban/action.d/sendmail-buffered.conf
/etc/fail2ban/action.d/sendmail-common.conf
/etc/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
/etc/fail2ban/action.d/sendmail-whois-ipmatches.conf
/etc/fail2ban/action.d/sendmail-whois-lines.conf
/etc/fail2ban/action.d/sendmail-whois-matches.conf
/etc/fail2ban/action.d/sendmail-whois.conf
 rpm -qil gamin-python
Name        : gamin-python                 Relocations: (not relocatable)
Version     : 0.1.10                            Vendor: CentOS
Release     : 9.el6                         Build Date: Thu 11 Nov 2010 09:03:58 AM CET
Install Date: Fri 13 Jun 2014 11:16:30 PM CEST      Build Host: c6b5.bsys.dev.centos.org
Group       : Development/Libraries         Source RPM: gamin-0.1.10-9.el6.src.rpm
Size        : 89039                            License: LGPLv2
Signature   : RSA/8, Sun 03 Jul 2011 06:15:40 AM CEST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.gnome.org/~veillard/gamin/
Summary     : Python bindings for the gamin library
Description :
The gamin-python package contains a module that allow monitoring of
files and directories from the Python language based on the support
of the gamin package.
/usr/lib64/python2.6/site-packages/_gamin.so
/usr/lib64/python2.6/site-packages/gamin.py
/usr/lib64/python2.6/site-packages/gamin.pyc
/usr/lib64/python2.6/site-packages/gamin.pyo
/usr/share/doc/gamin-python-0.1.10
/usr/share/doc/gamin-python-0.1.10/basic.py
/usr/share/doc/gamin-python-0.1.10/basic2.py
/usr/share/doc/gamin-python-0.1.10/basic3.py
/usr/share/doc/gamin-python-0.1.10/basic4.py
/usr/share/doc/gamin-python-0.1.10/basic5.py
/usr/share/doc/gamin-python-0.1.10/basic6.py
/usr/share/doc/gamin-python-0.1.10/bigfile.py
/usr/share/doc/gamin-python-0.1.10/dnotify.py
/usr/share/doc/gamin-python-0.1.10/dnotify10.py
/usr/share/doc/gamin-python-0.1.10/dnotify11.py
/usr/share/doc/gamin-python-0.1.10/dnotify12.py
/usr/share/doc/gamin-python-0.1.10/dnotify13.py
/usr/share/doc/gamin-python-0.1.10/dnotify15.py
/usr/share/doc/gamin-python-0.1.10/dnotify2.py
/usr/share/doc/gamin-python-0.1.10/dnotify3.py
/usr/share/doc/gamin-python-0.1.10/dnotify4.py
/usr/share/doc/gamin-python-0.1.10/dnotify5.py
/usr/share/doc/gamin-python-0.1.10/dnotify6.py
/usr/share/doc/gamin-python-0.1.10/dnotify7.py
/usr/share/doc/gamin-python-0.1.10/dnotify8.py
/usr/share/doc/gamin-python-0.1.10/dnotify9.py
/usr/share/doc/gamin-python-0.1.10/flood.py
/usr/share/doc/gamin-python-0.1.10/flood2.py
/usr/share/doc/gamin-python-0.1.10/flood3.py
/usr/share/doc/gamin-python-0.1.10/flood4.py
/usr/share/doc/gamin-python-0.1.10/level.py
/usr/share/doc/gamin-python-0.1.10/multiple.py
/usr/share/doc/gamin-python-0.1.10/multiple2.py
/usr/share/doc/gamin-python-0.1.10/multiple3.py
/usr/share/doc/gamin-python-0.1.10/noexists.py
/usr/share/doc/gamin-python-0.1.10/nokernel.py
/usr/share/doc/gamin-python-0.1.10/python.html
/usr/share/doc/gamin-python-0.1.10/readonly.py
 # rpm -qil python-inotify
Name        : python-inotify               Relocations: (not relocatable)
Version     : 0.9.1                             Vendor: ATrpms.net
Release     : 1.1.el6                       Build Date: Sat 09 Apr 2011 09:15:37 PM CEST
Install Date: Fri 13 Jun 2014 11:16:31 PM CEST      Build Host: flocki.atrpms.net
Group       : Development/Libraries         Source RPM: python-inotify-0.9.1-1.1.el6.src.rpm
Size        : 264165                           License: MIT
Signature   : DSA/SHA1, Sat 09 Apr 2011 09:15:38 PM CEST, Key ID 508ce5e666534c2b
Packager    : ATrpms <http://ATrpms.net/>
URL         : https://github.com/seb-m/pyinotify
Summary     : Monitor filesystem events with Python under Linux
Description :
This is a Python module for watching filesystems changes. pyinotify
can be used for various kind of fs monitoring. pyinotify relies on a
recent Linux Kernel feature (merged in kernel 2.6.13) called
inotify. inotify is an event-driven notifier, its notifications are
exported from kernel space to user space.
/usr/bin/pyinotify
/usr/lib/python2.6/site-packages/pyinotify-0.9.1-py2.6.egg-info
/usr/lib/python2.6/site-packages/pyinotify.py
/usr/lib/python2.6/site-packages/pyinotify.pyc
/usr/lib/python2.6/site-packages/pyinotify.pyo
/usr/share/doc/python-inotify-0.9.1
/usr/share/doc/python-inotify-0.9.1/ACKS
/usr/share/doc/python-inotify-0.9.1/COPYING
/usr/share/doc/python-inotify-0.9.1/ChangeLog_old
/usr/share/doc/python-inotify-0.9.1/NEWS_old

Die Beschreibung der einzelnen Bestandteile von fail2ban, stammt in wesentlichen Teilen aus der originalen englischen Beschreibung vom Release-Version 0.8 und wurde sinngemäß ins Deutsche übertragen!

Definitionen

Folgende Berifflichkeiten in der nachfolgenden Beschreibung werden verwandt.

  • filter : Ein Filter definiert einen regulären Ausdruck, mit Hilfe dessen eine bestimmte Zeichenfolge (Muster) in einer Log-Datei erkannt werden kann.
  • action : Eine Aktion definiert einen oder auch mehrere Befehle, die getriggert von einem filter zu einem definiertem Zeitpunkt ausgeführt werden.
  • jail : Ein jail ist eine Kombination aus einem Filter und einem oder mehreren actions, die fail2ban kann dabei meherer jails gleichzeitig verarbeiten.
  • client : Bezeichnet bzw. verweist aus das Skript - fail2ban-client.
  • server : Bezeichnet bzw. verweist aus das Skript - fail2ban-server.

fail2ban-Server

Fail2ban besteht aus zwei Teilen, dem server und dem client. Der server kann aus einem oder auch mehreren Prozessen bestehen und lauscht auf einem unix-socket auf eingehende Befehle. Beim Starten des server befindet sich dieser in einer Art Standard-Modus. Hierbei verfügt der server über keine Definitionen der einzelnen jails. Nachfolgende Optionen sind für fail2ban-server verfügbar:

 # fail2ban-server --help
Usage: /usr/bin/fail2ban-server [OPTIONS]

Fail2Ban v0.9.0 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Only use this command for debugging purpose. Start the server with
fail2ban-client instead. The default behaviour is to start the server
in background.

Options:
    -b                   start in background
    -f                   start in foreground
    -s <FILE>            socket path
    -p <FILE>            pidfile path
    -x                   force execution of the server (remove socket file)
    -h, --help           display this help message
    -V, --version        print the version

Report bugs to https://github.com/fail2ban/fail2ban/issues

Vom Anwender selbst sollte der fail2ban-server, außer im debugModus, nicht angesprochen werden! Die Option -s ist dabei wohl die interessanteste Option, da damit der Unix-Socket-Pfad definiert werden kann. Somit könenn meherer Fail2ban-Instanzen mit je einem eigenen Socket betrieben werden. Aber auch dieser theoretische Anwendungsfall wird i.d.R. nicht benötigt, da Fail2ban mehrere jails parallel abarbeiten kann.Gefängnisse gleichzeitig ausgeführt werden.

Sollte widererwarten der fail2ban-server einmal tatsächlich abstürzen und den UNIX-Socket dabei nicht gelöscht werden konnte, kann man mit der Option -x Fail2ban anweisen, beim Starten einen etwaigen toten Socket zu löschen. Es wird dringend geraten diesen Socket im Betrieb niemals manuell zu löschen, da dann keine Kommunikation des fail2ban-client mit dem fail2ban-server mehr möglich ist.

Der Server verarbeitet die Signale SIGTERM und SIGINT. Beim Empfang eines dieser Signale wird fail2ban-server sauber beendet.

Weitere nützliche informationen findet man auf der man-page von fail2ban-server.

FAIL2BAN-SERVER(1)               User Commands              FAIL2BAN-SERVER(1)

NAME
       fail2ban-server - start the server

SYNOPSIS
       fail2ban-server [OPTIONS]

DESCRIPTION
       Fail2Ban  v0.9.0  reads  log  file  that  contains  password failure report and bans the corresponding IP
       addresses using firewall rules.

       Only use this command for debugging purpose. Start the server with fail2ban-client instead.  The  default
       behaviour is to start the server in background.

OPTIONS
       -b     start in background

       -f     start in foreground

       -s <FILE>
              socket path

       -p <FILE>
              pidfile path

       -x     force execution of the server (remove socket file)

       -h, --help
              display this help message

       -V, --version
              print the version

AUTHOR
       Written  by  Cyril  Jaquier  <cyril.jaquier@fail2ban.org>.   Many  contributions by Yaroslav O. Halchenko
       <debian@onerussian.com>.

REPORTING BUGS
       Report bugs to https://github.com/fail2ban/fail2ban/issues

COPYRIGHT
       Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
       Copyright of modifications held by their respective authors.   Licensed  under  the  GNU  General  Public
       License v2 (GPL).

SEE ALSO
       fail2ban-client(1)

fail2ban-server v0.9.0            March 2014                FAIL2BAN-SERVER(1)

fail2ban-Client

fail2ban-client ist das Frontend von Fail2ban. Dieser verbindet sich mit dem Socket des fail2ban-server und sendet entsprechende Befehle zur Konfiguration und Steuerung des Servers. Neben dem Einlesen der Konfigurationsdateien wird der fail2ban-server zur Steuerung des Servers verwendet. Dieser kann z.B. den fail2ban-server starten oder auch beenden. Folgenden Optionen stehen für fail2ban-Client zur Verfügung.

 # fail2ban-client --help
Usage: /usr/bin/fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.9.0 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c <DIR>                configuration directory
    -s <FILE>               socket path
    -p <FILE>               pidfile path
    -d                      dump configuration. For debugging
    -i                      interactive mode
    -v                      increase verbosity
    -q                      decrease verbosity
    -x                      force execution of the server (remove socket file)
    -h, --help              display this help message
    -V, --version           print the version

Wie auch schon beim fail2ban-server wird auch beim fail2ban-client die Option -s <FILE> für die festlegung des Unix-Datei_Socketnamens verwendet. Setzt man diesen auf der Kommandozeile, wird dadurch die Definition des Konfigurationsdatei fail2ban.conf überschrieben. Möchte man das Standardkonfigurationsverzeichnis /etc/fail2ban anders setzen, verwendet man die Option -c <DIR>. Zum starten des Servers wir die Option -x einfach an den fail2ban-server über den UNIX-Socket weitergeleitet.

Eine sehr hilfreiche Option zu Debugzwecken ist die Option -d. Beim Aufruf von fail2ban-client -d leist z.B. die komplette Konfiguration ein, parst diese und gibt die Informationen, die der fail2ban-client an den fail2ban-server sendet, auf der Konsole aus.

Beispiel:

 # fail2ban-client -d
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'loglevel', 'INFO']
['set', 'dbpurgeage', 86400]
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['add', 'sshd-ddos', 'auto']
['set', 'sshd-ddos', 'usedns', 'warn']
['set', 'sshd-ddos', 'addlogpath', '/var/log/secure', 'head']
['set', 'sshd-ddos', 'maxretry', 5]
['set', 'sshd-ddos', 'addignoreip', '127.0.0.1/8']
['set', 'sshd-ddos', 'logencoding', 'auto']
['set', 'sshd-ddos', 'bantime', 600]
['set', 'sshd-ddos', 'ignorecommand', '']
['set', 'sshd-ddos', 'findtime', 600]
['set', 'sshd-ddos', 'maxlines', '10']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \\S+)?\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Failed \\S+ for .*? from <HOST>(?: port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:[\\da-f]{2}:){15}[\\da-f]{2}(, client user ".*", client host ".*")?))?\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because listed in DenyUsers\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not in any group\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Received disconnect from <HOST>: 3: \\S+: Auth fail$']
['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$']
['set', 'sshd-ddos', 'addfailregex', "^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \\[preauth\\]$']
['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)Disconnecting: Too many authentication failures for .+? \\[preauth\\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \\[preauth\\]$']
['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)Connection from <HOST> port \\d+<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \\[preauth\\]$']
['set', 'sshd-ddos', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd-ddos', 'addaction', 'iptables-multiport']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'name', 'sshd-ddos']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'sshd-ddos', 'action', 'iptables-multiport', 'port', '9999']
['set', 'sshd-ddos', 'addaction', 'sendmail-whois-lines']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip>:\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep \'[^0-9]<ip>[^0-9]\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionunban', '']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actioncheck', '']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'name', 'sshd-ddos']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'dest', 'django@nausch.org']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/secure']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
['start', 'sshd-ddos']

Weiteres Beispiel: Mit dem Aufruf folgender Zeile, kann man einfach den Loglevel verändern:

 $ fail2ban-client set loglevel DEBUG
 Current logging level is 'DEBUG'

So kann jede einzelne Definition aus den Konfigurationsdateien überschrieben werden. Ein erneuter aufruf von fail2ban -d liest dann wieder Konfigurationsdateien ein!

Auf zwei Kommandos von fail2ban wollen wir noch kurz ausführlicher eingehen.

  1. fail2ban-client start
    Als erstes wird der fail2ban-server gestartet; der fail2ban-client wartet dann bis die Kommunikation mit dem Server über den UNIX-SOCKET steht. Sobald dieser Kommunikationskanal steht, liest fail2ban-client die Konfigurationsdateien ein, parst diese und schockt das Ergebnis als Steuerbefehle zum fail2ban-server.
  2. fail2ban-client reload
    Der fail2ban-client weist als erstes dden fail2ban-server an, alle jails zu stoppen. Anschließend werden die Konfigurationsdateien eingelesen, verarbeitet und das Ergebnis als Steuerbefehle zum fail2ban-server gesendet. Somit kann sehr leicht und einfach die Konfiguration neu geladen werden, ohne den Daemon neu durchstarten zu müssen!
    Dies ist auch sehr nützlich beim Debuggen des Servers. So ist es möglich, den Server mit fail2ban-server -f in einem Terminal zu starten und in einem weiteren Terminal die Konfiguration mit fail2ban-client reload einzulesen. Somit hat man auf dem ersten terminal, die Ausgaben des fail2ban-server und auf dem zweiten die des fail2ban-client.

Ruf man fail2ban-client status [jail] auf, wird der Status des betrffenden jail ausgegeben.

 # fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	2
|  |- Total failed:	41
|  `- File list:	/var/log/maillog
`- Actions
   |- Currently banned:	1
   |- Total banned:	3
   `- Banned IP list:	203.195.219.103

Auf Seiten des Paketfilters iptables kann man dann die erfogreiche Sperrung der gelisteten IP-Adresse einsehen:

 # iptables -nvL
Chain f2b-postfix-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   39  1972 REJECT     all  --  *      *       203.195.219.103      0.0.0.0/0           reject-with icmp-port-unreachable 
50498   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Ohne Angabe eines einzelnen jail wird der globale Status des Server ausgegeben.

 # fail2ban-client status 
Status
|- Number of jail:	2
`- Jail list:	postfix-sasl, sshd-ddos

Nachfolgend sind alle Befehle des fail2ban-client aufgelistet.

 # fail2ban-client --help
Command:
                                             BASIC
    start                                    starts the server and the jails
    reload                                   reloads the configuration
    reload <JAIL>                            reloads the jail <JAIL>
    stop                                     stops all jails and terminate the
                                             server
    status                                   gets the current status of the
                                             server
    ping                                     tests if the server is alive
    help                                     return this output

                                             LOGGING
    set loglevel <LEVEL>                     sets logging level to <LEVEL>.
                                             Levels: CRITICAL, ERROR, WARNING,
                                             NOTICE, INFO, DEBUG
    get loglevel                             gets the logging level
    set logtarget <TARGET>                   sets logging target to <TARGET>.
                                             Can be STDOUT, STDERR, SYSLOG or a
                                             file
    get logtarget                            gets logging target
    flushlogs                                flushes the logtarget if a file
                                             and reopens it. For log rotation.

                                             DATABASE
    set dbfile <FILE>                        set the location of fail2ban
                                             persistent datastore. Set to
                                             "None" to disable
    get dbfile                               get the location of fail2ban
                                             persistent datastore
    set dbpurgeage <SECONDS>                 sets the max age in <SECONDS> that
                                             history of bans will be kept
    get dbpurgeage                           gets the max age in seconds that
                                             history of bans will be kept

                                             JAIL CONTROL
    add <JAIL> <BACKEND>                     creates <JAIL> using <BACKEND>
    start <JAIL>                             starts the jail <JAIL>
    stop <JAIL>                              stops the jail <JAIL>. The jail is
                                             removed
    status <JAIL>                            gets the current status of <JAIL>

                                             JAIL CONFIGURATION
    set <JAIL> idle on|off                   sets the idle state of <JAIL>
    set <JAIL> addignoreip <IP>              adds <IP> to the ignore list of
                                             <JAIL>
    set <JAIL> delignoreip <IP>              removes <IP> from the ignore list
                                             of <JAIL>
    set <JAIL> addlogpath <FILE> ['tail']    adds <FILE> to the monitoring list
                                             of <JAIL>, optionally starting at
                                             the 'tail' of the file (default
                                             'head').
    set <JAIL> dellogpath <FILE>             removes <FILE> from the monitoring
                                             list of <JAIL>
    set <JAIL> logencoding <ENCODING>        sets the <ENCODING> of the log
                                             files for <JAIL>
    set <JAIL> addjournalmatch <MATCH>       adds <MATCH> to the journal filter
                                             of <JAIL>
    set <JAIL> deljournalmatch <MATCH>       removes <MATCH> from the journal
                                             filter of <JAIL>
    set <JAIL> addfailregex <REGEX>          adds the regular expression
                                             <REGEX> which must match failures
                                             for <JAIL>
    set <JAIL> delfailregex <INDEX>          removes the regular expression at
                                             <INDEX> for failregex
    set <JAIL> ignorecommand <VALUE>         sets ignorecommand of <JAIL>
    set <JAIL> addignoreregex <REGEX>        adds the regular expression
                                             <REGEX> which should match pattern
                                             to exclude for <JAIL>
    set <JAIL> delignoreregex <INDEX>        removes the regular expression at
                                             <INDEX> for ignoreregex
    set <JAIL> findtime <TIME>               sets the number of seconds <TIME>
                                             for which the filter will look
                                             back for <JAIL>
    set <JAIL> bantime <TIME>                sets the number of seconds <TIME>
                                             a host will be banned for <JAIL>
    set <JAIL> datepattern <PATTERN>         sets the <PATTERN> used to match
                                             date/times for <JAIL>
    set <JAIL> usedns <VALUE>                sets the usedns mode for <JAIL>
    set <JAIL> banip <IP>                    manually Ban <IP> for <JAIL>
    set <JAIL> unbanip <IP>                  manually Unban <IP> in <JAIL>
    set <JAIL> maxretry <RETRY>              sets the number of failures
                                             <RETRY> before banning the host
                                             for <JAIL>
    set <JAIL> maxlines <LINES>              sets the number of <LINES> to
                                             buffer for regex search for <JAIL>
    set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>]
                                             adds a new action named <NAME> for
                                             <JAIL>. Optionally for a Python
                                             based action, a <PYTHONFILE> and
                                             <JSONKWARGS> can be specified,
                                             else will be a Command Action
    set <JAIL> delaction <ACT>               removes the action <ACT> from
                                             <JAIL>

                                             COMMAND ACTION CONFIGURATION
    set <JAIL> action <ACT> actionstart <CMD>
                                             sets the start command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actioncheck <CMD>
                                             sets the check command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionban <CMD>  sets the ban command <CMD> of the
                                             action <ACT> for <JAIL>
    set <JAIL> action <ACT> actionunban <CMD>
                                             sets the unban command <CMD> of
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> timeout <TIMEOUT>
                                             sets <TIMEOUT> as the command
                                             timeout in seconds for the action
                                             <ACT> for <JAIL>

                                             GENERAL ACTION CONFIGURATION
    set <JAIL> action <ACT> <PROPERTY> <VALUE>
                                             sets the <VALUE> of <PROPERTY> for
                                             the action <ACT> for <JAIL>
    set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>]
                                             calls the <METHOD> with
                                             <JSONKWARGS> for the action <ACT>
                                             for <JAIL>

                                             JAIL INFORMATION
    get <JAIL> logpath                       gets the list of the monitored
                                             files for <JAIL>
    get <JAIL> logencoding                   gets the encoding of the log files
                                             for <JAIL>
    get <JAIL> journalmatch                  gets the journal filter match for
                                             <JAIL>
    get <JAIL> ignoreip                      gets the list of ignored IP
                                             addresses for <JAIL>
    get <JAIL> ignorecommand                 gets ignorecommand of <JAIL>
    get <JAIL> failregex                     gets the list of regular
                                             expressions which matches the
                                             failures for <JAIL>
    get <JAIL> ignoreregex                   gets the list of regular
                                             expressions which matches patterns
                                             to ignore for <JAIL>
    get <JAIL> findtime                      gets the time for which the filter
                                             will look back for failures for
                                             <JAIL>
    get <JAIL> bantime                       gets the time a host is banned for
                                             <JAIL>
    get <JAIL> datepattern                   gets the patern used to match
                                             date/times for <JAIL>
    get <JAIL> usedns                        gets the usedns setting for <JAIL>
    get <JAIL> maxretry                      gets the number of failures
                                             allowed for <JAIL>
    get <JAIL> maxlines                      gets the number of lines to buffer
                                             for <JAIL>
    get <JAIL> actions                       gets a list of actions for <JAIL>

                                             COMMAND ACTION INFORMATION
    get <JAIL> action <ACT> actionstart      gets the start command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionstop       gets the stop command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actioncheck      gets the check command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionban        gets the ban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> actionunban      gets the unban command for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> timeout          gets the command timeout in
                                             seconds for the action <ACT> for
                                             <JAIL>

                                             GENERAL ACTION INFORMATION
    get <JAIL> actionproperties <ACT>        gets a list of properties for the
                                             action <ACT> for <JAIL>
    get <JAIL> actionmethods <ACT>           gets a list of methods for the
                                             action <ACT> for <JAIL>
    get <JAIL> action <ACT> <PROPERTY>       gets the value of <PROPERTY> for
                                             the action <ACT> for <JAIL>

Report bugs to https://github.com/fail2ban/fail2ban/issues

Weitere nützliche Informationen findet man auf der manpage von fail2ban-client.

FAIL2BAN-CLIENT(1)               User Commands              FAIL2BAN-CLIENT(1)

NAME
       fail2ban-client - configure and control the server

SYNOPSIS
       fail2ban-client [OPTIONS] <COMMAND>

DESCRIPTION
       Fail2Ban  v0.9.0  reads  log  file  that  contains  password failure report and bans the corresponding IP
       addresses using firewall rules.

OPTIONS
       -c <DIR>
              configuration directory

       -s <FILE>
              socket path

       -p <FILE>
              pidfile path

       -d     dump configuration. For debugging

       -i     interactive mode

       -v     increase verbosity

       -q     decrease verbosity

       -x     force execution of the server (remove socket file)

       -h, --help
              display this help message

       -V, --version
              print the version

COMMAND
              BASIC

       start  starts the server and the jails

       reload reloads the configuration

       reload <JAIL>
              reloads the jail <JAIL>

       stop   stops all jails and terminate the server

       status gets the current status of the server

       ping   tests if the server is alive

       help   return this output

              LOGGING

       set loglevel <LEVEL>
              sets logging level to <LEVEL>.  Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG

       get loglevel
              gets the logging level

       set logtarget <TARGET>
              sets logging target to <TARGET>.  Can be STDOUT, STDERR, SYSLOG or a file

       get logtarget
              gets logging target

       flushlogs
              flushes the logtarget if a file and reopens it. For log rotation.

              DATABASE

       set dbfile <FILE>
              set the location of fail2ban persistent datastore. Set to "None" to disable

       get dbfile
              get the location of fail2ban persistent datastore

       set dbpurgeage <SECONDS>
              sets the max age in <SECONDS> that history of bans will be kept

       get dbpurgeage
              gets the max age in seconds that history of bans will be kept

              JAIL CONTROL

       add <JAIL> <BACKEND>
              creates <JAIL> using <BACKEND>

       start <JAIL>
              starts the jail <JAIL>

       stop <JAIL>
              stops the jail <JAIL>. The jail is removed

       status <JAIL>
              gets the current status of <JAIL>

              JAIL CONFIGURATION

       set <JAIL> idle on|off
              sets the idle state of <JAIL>

       set <JAIL> addignoreip <IP>
              adds <IP> to the ignore list of <JAIL>

       set <JAIL> delignoreip <IP>
              removes <IP> from the ignore list of <JAIL>

       set <JAIL> addlogpath <FILE> [’tail’]
              adds <FILE> to the monitoring list of <JAIL>, optionally  starting  at  the  ’tail’  of  the  file
              (default ’head’).

       set <JAIL> dellogpath <FILE>
              removes <FILE> from the monitoring list of <JAIL>

       set <JAIL> logencoding <ENCODING>
              sets the <ENCODING> of the log files for <JAIL>

       set <JAIL> addjournalmatch <MATCH>
              adds <MATCH> to the journal filter of <JAIL>

       set <JAIL> deljournalmatch <MATCH>
              removes <MATCH> from the journal filter of <JAIL>

       set <JAIL> addfailregex <REGEX>
              adds the regular expression <REGEX> which must match failures for <JAIL>

       set <JAIL> delfailregex <INDEX>
              removes the regular expression at <INDEX> for failregex

       set <JAIL> ignorecommand <VALUE>
              sets ignorecommand of <JAIL>

       set <JAIL> addignoreregex <REGEX>
              adds the regular expression <REGEX> which should match pattern to exclude for <JAIL>

       set <JAIL> delignoreregex <INDEX>
              removes the regular expression at <INDEX> for ignoreregex

       set <JAIL> findtime <TIME>
              sets the number of seconds <TIME> for which the filter will look back for <JAIL>

       set <JAIL> bantime <TIME>
              sets the number of seconds <TIME> a host will be banned for <JAIL>

       set <JAIL> datepattern <PATTERN>
              sets the <PATTERN> used to match date/times for <JAIL>

       set <JAIL> usedns <VALUE>
              sets the usedns mode for <JAIL>

       set <JAIL> banip <IP>
              manually Ban <IP> for <JAIL>

       set <JAIL> unbanip <IP>
              manually Unban <IP> in <JAIL>

       set <JAIL> maxretry <RETRY>
              sets the number of failures <RETRY> before banning the host for <JAIL>

       set <JAIL> maxlines <LINES>
              sets the number of <LINES> to buffer for regex search for <JAIL>

              set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>]

              adds  a  new  action named <NAME> for <JAIL>. Optionally for a Python based action, a <PYTHONFILE>
              and <JSONKWARGS> can be specified, else will be a Command Action

       set <JAIL> delaction <ACT>
              removes the action <ACT> from <JAIL>

              COMMAND ACTION CONFIGURATION

              set <JAIL> action <ACT> actionstart <CMD>

              sets the start command <CMD> of the action <ACT> for <JAIL>

              set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the

              action <ACT> for <JAIL>

              set <JAIL> action <ACT> actioncheck <CMD>

              sets the check command <CMD> of the action <ACT> for <JAIL>

       set <JAIL> action <ACT> actionban <CMD>
              sets the ban command <CMD> of the action <ACT> for <JAIL>

              set <JAIL> action <ACT> actionunban <CMD>

              sets the unban command <CMD> of the action <ACT> for <JAIL>

              set <JAIL> action <ACT> timeout <TIMEOUT>

              sets <TIMEOUT> as the command timeout in seconds for the action <ACT> for <JAIL>

              GENERAL ACTION CONFIGURATION

              set <JAIL> action <ACT> <PROPERTY> <VALUE>

              sets the <VALUE> of <PROPERTY> for the action <ACT> for <JAIL>

              set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>]

              calls the <METHOD> with <JSONKWARGS> for the action <ACT> for <JAIL>

              JAIL INFORMATION

       get <JAIL> logpath
              gets the list of the monitored files for <JAIL>

       get <JAIL> logencoding
              gets the encoding of the log files for <JAIL>

       get <JAIL> journalmatch
              gets the journal filter match for <JAIL>

       get <JAIL> ignoreip
              gets the list of ignored IP addresses for <JAIL>

       get <JAIL> ignorecommand
              gets ignorecommand of <JAIL>

       get <JAIL> failregex
              gets the list of regular expressions which matches the failures for <JAIL>

       get <JAIL> ignoreregex
              gets the list of regular expressions which matches patterns to ignore for <JAIL>

       get <JAIL> findtime
              gets the time for which the filter will look back for failures for <JAIL>

       get <JAIL> bantime
              gets the time a host is banned for <JAIL>

       get <JAIL> datepattern
              gets the patern used to match date/times for <JAIL>

       get <JAIL> usedns
              gets the usedns setting for <JAIL>

       get <JAIL> maxretry
              gets the number of failures allowed for <JAIL>

       get <JAIL> maxlines
              gets the number of lines to buffer for <JAIL>

       get <JAIL> actions
              gets a list of actions for <JAIL>

              COMMAND ACTION INFORMATION

       get <JAIL> action <ACT> actionstart
              gets the start command for the action <ACT> for <JAIL>

       get <JAIL> action <ACT> actionstop
              gets the stop command for the action <ACT> for <JAIL>

       get <JAIL> action <ACT> actioncheck
              gets the check command for the action <ACT> for <JAIL>

       get <JAIL> action <ACT> actionban
              gets the unban command for the action <ACT> for <JAIL>

       get <JAIL> action <ACT> timeout
              gets the command timeout in seconds for the action <ACT> for <JAIL>

              GENERAL ACTION INFORMATION

       get <JAIL> actionproperties <ACT>
              gets a list of properties for the action <ACT> for <JAIL>

       get <JAIL> actionmethods <ACT>
              gets a list of methods for the action <ACT> for <JAIL>

       get <JAIL> action <ACT> <PROPERTY>
              gets the value of <PROPERTY> for the action <ACT> for <JAIL>

FILES
       /etc/fail2ban/*

AUTHOR
       Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.   Many  contributions  by  Yaroslav  O.  Halchenko
       <debian@onerussian.com>.

REPORTING BUGS
       Report bugs to https://github.com/fail2ban/fail2ban/issues

COPYRIGHT
       Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
       Copyright  of  modifications  held  by  their  respective authors.  Licensed under the GNU General Public
       License v2 (GPL).

SEE ALSO
       fail2ban-server(1) jail.conf(5)

fail2ban-client v0.9.0            March 2014                FAIL2BAN-CLIENT(1)

fail2ban-regex

Mit will fail2ban-regex hat man ein Werkzeug in der Hand um einzelne regex-Ausdrücke in Verbindung mit (s)einen Logdateien testen kann.

Beispiel:

  • einzelne Logzeile:
    Zum Bewerten der folgenden Logzeile
    Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: warning: unknown[203.195.219.103]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

    ist diese in Anführungszeichen zu setzen!

    # fail2ban-regex "Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: warning: unknown[203.195.219.103]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" /etc/fail2ban/filter.d/postfix-sasl.conf
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
    Use      single line : Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: wa...
    
    
    Results
    =======
    
    Failregex: 1 total
    |-  #) [# of hits] regular expression
    |   1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 1 lines, 0 ignored, 1 matched, 0 missed
    
    
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
    Use      single line : Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: wa...
    
    
    Results
    =======
    
    Failregex: 1 total
    |-  #) [# of hits] regular expression
    |   1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 1 lines, 0 ignored, 1 matched, 0 missed
  • ganze Logdatei:
    Zum Bewerten einer ganzen Logdatei, wie z.B. /var/log/maillog verwendet man folgenden Aufruf.
    # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
    Use         log file : /var/log/maillog
    Use         encoding : UTF-8
    
    
    Results
    =======
    
    Failregex: 43 total
    |-  #) [# of hits] regular expression
    |   1) [43] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [29628] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 29628 lines, 0 ignored, 43 matched, 29585 missed
    Missed line(s): too many to print.  Use --print-all-missed to print all 29585 lines

Weiterführende Informationen findet man in der man-üage von fail2ban-regex.

FAIL2BAN-REGEX(1)                User Commands               FAIL2BAN-REGEX(1)

NAME
       fail2ban-regex - test Fail2ban "failregex" option

SYNOPSIS
       fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

DESCRIPTION
       Fail2Ban   reads  log  file that contains password failure report and bans the corresponding IP addresses
       using firewall rules.

       This tools can test regular expressions for "fail2ban".

   LOG:
       string a string representing a log line

       filename
              path to a log file (/var/log/auth.log)

       "systemd-journal"
              search systemd journal (systemd-python required)

   REGEX:
       string a string representing a ’failregex’

       filename
              path to a filter file (filter.d/sshd.conf)

   IGNOREREGEX:
       string a string representing an ’ignoreregex’

       filename
              path to a filter file (filter.d/sshd.conf)

OPTIONS
       --version
              show program’s version number and exit
       -h, --help
              show this help message and exit

       -d DATEPATTERN, --datepattern=DATEPATTERN
              set custom pattern used to match date/times

       -e ENCODING, --encoding=ENCODING
              File encoding. Default: system locale

       -L MAXLINES, --maxlines=MAXLINES
              maxlines for multi-line regex

       -m JOURNALMATCH, --journalmatch=JOURNALMATCH
              journalctl style matches overriding filter file.  "systemd-journal" only

       -l LOG_LEVEL, --log-level=LOG_LEVEL
              Log level for the Fail2Ban logger to use

       -v, --verbose
              Be verbose in output

       -D, --debuggex
              Produce debuggex.com urls for debugging there

       --print-no-missed
              Do not print any missed lines

       --print-no-ignored
              Do not print any ignored lines

       --print-all-missed
              Print all missed lines, no matter how many

       --print-all-ignored
              Print all ignored lines, no matter how many

       -t, --log-traceback
              Enrich log-messages with compressed tracebacks

       --full-traceback
              Either to make the tracebacks full, not compressed (as by default)

AUTHOR
       Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.  Many contributions by Yaroslav O.  Halchenko  and
       Steven Hiscocks.

REPORTING BUGS
       Report bugs to https://github.com/fail2ban/fail2ban/issues

COPYRIGHT
       Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
       Copyright  of  modifications  held  by  their  respective authors.  Licensed under the GNU General Public
       License v2 (GPL).

SEE ALSO
       fail2ban-client(1) fail2ban-server(1)

fail2ban-regex 0.9.0              March 2014                 FAIL2BAN-REGEX(1)

fail2ban-testcases

Der Form halber gehen wir noch kurz auf die Möglichkeit ein, den Programmcode mit Hilfe von fail2ban-testcases zu testen. Im normalen Betrieb wird diese Option i.d.R. nicht verwendet und wird z.B. beim Bau des RPM-Paketes aufgerufen. Einen sehr ausführlichen Bericht bekommt ein entwickler z.B. bei folgendem Aufruf.

 # fail2ban-testcases --no-network --log-level=heavydebug

Dem Normalsterblichen wird sich sicherlich keine tiefergehnde information offenbaren. :-P

Die einzelnen Optionen von fail2ban-testcases kann man mit Aufruf der Option --help abrufen.

 # fail2ban-testcases --help
Usage: /usr/bin/fail2ban-testcases [OPTIONS] [regexps]
Script to run Fail2Ban tests battery


Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -l LOG_LEVEL, --log-level=LOG_LEVEL
                        Log level for the logger to use during running tests
  -n, --no-network      Do not run tests that require the network
  -t, --log-traceback   Enrich log-messages with compressed tracebacks
  --full-traceback      Either to make the tracebacks full, not compressed (as
                        by default)
 $ fail2ban-testcases
Fail2ban 0.9.0 test suite. Python 2.7.5 (default, Jun 17 2014, 18:11:42) [GCC 4.8.2 20140120 (Red Hat 4.8.2-16)]. Please wait...
.....................................................................................s.....................................................................................................................................................
----------------------------------------------------------------------
Ran 235 tests in 91.004s

OK (skipped=1)

Bei der Konfiguration von fail2ban wird von Seiten der Entwickler empfohlen, nicht die defaultconfig-Dateien zu bearbeiten, sondern sich lokale Kopieen zu erzeugen. Der Maintainer des RPMs hat dies schon berücksichtigt und sowohl von der fail2ban.conf eine fail2ban.local und von der jail.conf eine jail.local angelegt.

allg. Einstellungen

Der Standardpfad für die Konfiguration von fail2ban ist /etc/fail2ban. Mit der Option -c beim straten des fail2ban-client kann dieser Pfad gesetzt werde. Bei einer typischen Konfiguration sieht so aus:

/etc/fail2ban/
├── action.d
│   ├── apf.conf
│   ├── badips.conf
│   ├── badips.py
│   ├── blocklist_de.conf
│   ├── dshield.conf
│   ├── dummy.conf
│   ├── firewallcmd-ipset.conf
│   ├── firewallcmd-new.conf
│   ├── iptables-allports.conf
│   ├── iptables-blocktype.conf
│   ├── iptables.conf
│   ├── iptables-ipset-proto4.conf
│   ├── iptables-ipset-proto6-allports.conf
│   ├── iptables-ipset-proto6.conf
│   ├── iptables-multiport.conf
│   ├── iptables-multiport-log.conf
│   ├── iptables-new.conf
│   ├── iptables-xt_recent-echo.conf
│   ├── mail.conf
│   ├── mynetwatchman.conf
│   ├── route.conf
│   ├── sendmail-buffered.conf
│   ├── sendmail-common.conf
│   ├── sendmail.conf
│   ├── sendmail-whois.conf
│   ├── sendmail-whois-ipjailmatches.conf
│   ├── sendmail-whois-ipmatches.conf
│   ├── sendmail-whois-lines.conf
│   ├── sendmail-whois-matches.conf
│   ├── smtp.py
│   ├── smtp.pyc
│   ├── smtp.pyo
│   └── xarf-login-attack.conf
├── fail2ban.conf
├── fail2ban.d
├── fail2ban.local
├── filter.d
│   ├── 3proxy.conf
│   ├── apache-auth.conf
│   ├── apache-badbots.conf
│   ├── apache-botsearch.conf
│   ├── apache-common.conf
│   ├── apache-modsecurity.conf
│   ├── apache-nohome.conf
│   ├── apache-noscript.conf
│   ├── apache-overflows.conf
│   ├── assp.conf
│   ├── asterisk.conf
│   ├── common.conf
│   ├── counter-strike.conf
│   ├── courier-auth.conf
│   ├── courier-smtp.conf
│   ├── cyrus-imap.conf
│   ├── dovecot.conf
│   ├── dropbear.conf
│   ├── ejabberd-auth.conf
│   ├── exim-common.conf
│   ├── exim.conf
│   ├── exim-spam.conf
│   ├── freeswitch.conf
│   ├── groupoffice.conf
│   ├── gssftpd.conf
│   ├── guacamole.conf
│   ├── horde.conf
│   ├── kerio.conf
│   ├── lighttpd-auth.conf
│   ├── mysqld-auth.conf
│   ├── nagios.conf
│   ├── named-refused.conf
│   ├── nginx-http-auth.conf
│   ├── nsd.conf
│   ├── openwebmail.conf
│   ├── pam-generic.conf
│   ├── perdition.conf
│   ├── php-url-fopen.conf
│   ├── postfix.conf
│   ├── postfix-sasl.conf
│   ├── proftpd.conf
│   ├── pure-ftpd.conf
│   ├── qmail.conf
│   ├── recidive.conf
│   ├── roundcube-auth.conf
│   ├── selinux-common.conf
│   ├── selinux-ssh.conf
│   ├── sendmail-auth.conf
│   ├── sendmail-reject.conf
│   ├── sieve.conf
│   ├── sogo-auth.conf
│   ├── solid-pop3d.conf
│   ├── squid.conf
│   ├── squirrelmail.conf
│   ├── sshd.conf
│   ├── sshd-ddos.conf
│   ├── stunnel.conf
│   ├── suhosin.conf
│   ├── tine20.conf
│   ├── uwimap-auth.conf
│   ├── vsftpd.conf
│   ├── webmin-auth.conf
│   ├── wuftpd.conf
│   └── xinetd-fail.conf
├── jail.conf
├── jail.d
├── jail.local
├── jail.local.rpmnew
├── paths-centos.conf
└── paths-common.conf

4 directories, 104 files

In der Konfigurationsdatei fail2ban.local werden folgende Parameter definiert:

Option Beschreibung
loglevel Definition des loglevels bei der Ausgabe.
logtarget Definition des Logziels, also z.B. STDERR (Konsole), SYSLOG oder /Pfad/Datei zum Schreiben in ein eigenes Logfile.
socket Definition des UNIX-Sockets über den fail2ban-client mit dem fail2ban-server kommuniziert.
pidfile Definition des PID-Files, in dem die Prozess ID des fail2ban-servers gespeichert wird.
dbfile Definition des Sqlite3-Datenbankfiles, in dem fail2ban die persistente Daten speichern soll.
dbpurgeage Definition der Zeitspanne nach dem alte Daten aus der Datenbank gelöscht werden sollen. (default 86.400 Sekunden = 24 Stunden)
 # cat /etc/fail2ban/fail2ban.local
/etc/fail2ban/fail2ban.local
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#
 
[Definition]
 
# Option: loglevel
# Notes.: Set the log level output.
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
# Values: [ LEVEL ]  Default: ERROR
#
loglevel = INFO
 
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log
 
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
 
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
 
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory 
#         and data is lost once fail2ban is stops.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
 
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400

Jails

Die wichtigste Konfigurationsdatei ist vermutlich jail.conf bzw. jail.local, in der die einzelnen jails definiert werden. In der Datei enthält bereits einige Musterbeispiele vorhanden, die man bei Bedarf einfach aktivieren kann.

Am Anfang der jail.local wird in der Section [INCLUDES] die Datei paths-centos.conf eingebunden, die die wichtigsten CentOS spezifischen Definitionen (Logdateipfade) enthält.

 # vim /etc/fail2ban/paths-centos.conf
etc/fail2ban/paths-centos.conf
# CentOS
 
[INCLUDES]
 
before = paths-common.conf
 
after  = paths-overrides.local
 
 
[DEFAULT]
 
syslog_mail = /var/log/maillog
 
syslog_mail_warn = /var/log/maillog
 
syslog_authpriv = /var/log/secure
 
syslog_user =  /var/log/messages
 
syslog_ftp  = /var/log/messages
 
syslog_daemon  = /var/log/messages
 
syslog_local0  = /var/log/messages
 
 
apache_error_log = /var/log/httpd/*error_log
 
apache_access_log = /var/log/httpd/*access_log
 
# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
# proftpd_log = /var/log/proftpd/auth.log
# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
 
mysql_log = /var/lib/mysql/mysqld.log

Als nächstes finden wir die Definition der Defaultwerte in der Section [DEFAULT] in der Konfigurationsdatei jail.local.

 # vim /etc/fail2ban/jail.local
...
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
#
# MISCELLANEOUS OPTIONS
#
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
 
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
 
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
 
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto
 
# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn
 
# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto
 
# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
 
 
# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s
 
...

Nachfolgende Werte werden vorgegeben und können entweder als neuen Standardwert gesetzt, oder in den einzelnen jails überschrieben werden.

Option Standardwert Beschreibung
ignoreip 127.0.0.1/8 Liste von IP-Adressen oder Netzwerken (mit Kommatas getrennt), die von einem ban, also vom Sperren ausgenommen werden sollen.
ignorecommand Externer Befehl der bei der Bewertung negativ besetzt werden soll
bantime 600 Zeitspanne in Sekunden, die ein Host gesperrt werden soll
findtime 600 Zeitspanne in Sekunden, in denen das erneute Auffinden einer IP-Adresse überwacht bzw. gewertet wird
maxretry 5 Maximale Anzahl, die definiert, wie oft eine IP-Adresse aufgefunden werden muss, damit die action ausgeführt, also. z.B. ein Host gesperrt, werden soll.
backend auto Definition des backends dass zur Überwachung der Logdatei in einem jail verwendet werden soll.
usedns warn Festlegung, ob Hostnamen in Logdateien vertraut oder ein NDS-Lokkup gemacht werden soll, oder ob Hostnamen in Logfiles ignoriert werden sollen.
logencoding auto Definition des Zeichensatzes/Code-Tabelle, die beim Überwachen des Logfiles verwendet werden soll.
enabled false Festlegung, ob per se, alle jails in der Konfigurationsdatei aktiviert werden sollen.
filter %(name)s Festlegung der filter-Namen, die bei der jail-Konfiguration verwendet werden sollen. Als Standard wird der der Name des jail beim zugehörigen filter verwendet.

Nachdem wir uns die grundlegenden Konfigurationsparameter angesehen haben, betrachten wir nun an Hand des nachfolgenden Beispiels, wie eine jail-Definition genauer ansehen kann.

[ssh-iptables]
#enabled  = false
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          mail-whois[name=SSH, dest=yourmail@mail.com]
#logpath  = /var/log/sshd.log
logpath  = /var/log/secure
maxretry = 5

Mit diesen Einstellungen wird folgendes festgelegt:

  1. Der Definitionsbereich [ssh-iptables] wird aktiviert.
  2. Der Filter sshd.conf im Unterverzeichnis filter.d wird verwendet.
  3. Die Aktion iptables.conf aus dem Unterverzeichnis action.d wird ausgeführt, sobald der Filter oft genug anschlägt. Die zweite Aktion mail-whois wird nicht ausgeführt, da diese auskommentiert ist.
  4. Die Logdatei /var/log/secure wird überwacht.
  5. Wird 5x der betreffende logeintrag gefunden, werden die definierten action ausgeführt.

In einem jail werden gewöhnlich filter und action kombiniert. Je jail ist nur ein filter erlaubt; jedoch können mehrere action je jail definiert werden. So kann man z.B. bei einem SSH-Einbruchsversuch, erst mit Hilfe des iptables-Paketfilters die Quell-IP sperren und dann z.B. via whois Informationen des beanstandeten Hosts erfragen und die Daten dann per eMail an den verantwortlichen Admin senden. Genauso könnte man „nur“ eine eMail versenden, sobald die Seite noaccess.html auf dem Webserver angesprochen wird.

Fail2ban ist nicht nur auf SSH beschränkt. Fail2ban liefert viele Beispiele an filter undaction, die man als Vorlage verwenden kann, bzw. die man aktivieren und erweitern kann. Im Unterverzeichnis filter.d sind viele Filter vordefiniert, die man dann einfach in der Konfigurationsdatei jail.local aktivieren kann.

Der Abschnitt [ssh-ddos] kann hier als Beispiel dienen, wie man einen filter, einfach und schnell aktivieren kann. Die Variable logpath ist in jedem Fall, der eigenen Umgebung anzupassen:

[ssh-ddos]

enabled = true
port    = ssh,sftp
filter  = sshd-ddos
logpath  = /var/log/messages
maxretry = 2

Actions

Im Konfigurationsbereich ACTIONS erfolt die Festlegung systemweiter Parameter, die später bei der Definition der einzelnen jails als Variablen verwendet werden, bzw. auch dort überschrieben werden, können.

Werfen wir also einen Blick in diesen Bereich der Konfigurationsdatei jail.local*.

 # vim /etc/fail2ban/jail.local
...
 
#
# ACTIONS
#
 
# Some options used for actions
 
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
# Django : 2014-06-12
# default: destemail = root@localhost
destemail = django@nausch.org
 
# Sender email address used solely for some actions
# Django : 2014-06-12
# default: sender = root@localhost
sender = fail2ban@vml000010.dmz.nausch.org
 
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
 
# Default protocol
protocol = tcp
 
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
 
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
 
#
# Action shortcuts. To be used to define action parameter
 
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
 
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
 
 
# Report block via blocklist.de fail2ban reporting service API
# 
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
 
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
 
...

Folgende Variablen und Festlegungen werden in dem vorgenannten Abschnitt definiert.

Option Wert Beschreibung
destemail django@nausch.org Empfänger-Adresse an die etwaige Meldungen gesendet werden soll, in unserem Beispiel erhält django@nausch.org diese Nachrichten.
sender fail2ban@vml000010.dmz.nausch.org Absenderadresse der Status-eMails (mail from)
mta sendmail Binary, welches zum Verschicken der Statusnachrichten verwendet werden soll. Nicht verwechseln mit dem Mailserver „sendmail“!
protocol tcp Default Protokoll
chain INPUT Name der iptables-chain in die benötigte Portblockingdefinitionen eingefügt werden sollen
port 0:65535 Portbereich, der ggf. gesperrt werden soll.

Neben der Definition der Standardparameter werden noch ein paar wichtige action definiert, die wir später so bei den einzelnen jails leicht integrieren können.

  • banaction :
    Default banning action, also der Paketfilter, der zum Sperren von Hosts und Services verwendet wird.
    banaction = iptables-multiport
  • action_ :
    Dies ist die einfachste Variante bei den actions, denn es wir nur der verursachende Host gesperrt.
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  • action_mw :
    Bei dieser action wird der Verursacher gesperrt und dem bei destemail definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers geschickt.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  • action_mwl :
    Bei dieser action wird der Verursacher gesperrt und dem bei destemail definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers und den fraglichen Logzeilen, bei dem der Filter angeschlagen hatte, geschickt.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  • action_xarf :
    Bei dieser action wird der Verursacher gesperrt, sowie der Abuse-Adresxse aus dem whois-Daten des Verursachenden Host eine xarf eMail geschickt.

    Bei Verwendung dieser action wird auf die Anmerkungen in der action Definition xarf-login_attack verwiesen.

     # less /etc/fail2ban/action.d/xarf-login-attack.conf
    # Fail2Ban action for sending xarf Login-Attack messages to IP owner
    #
    # IMPORTANT: 
    # 
    # Emailing a IP owner of abuse is a serious complain. Make sure that it is
    # serious. Fail2ban developers and network owners recommend you only use this
    # action for:
    #   * The recidive where the IP has been banned multiple times
    #   * Where maxretry has been set quite high, beyond the normal user typing
    #     password incorrectly.
    #   * For filters that have a low likelyhood of receiving human errors
    #
    # DEPENDANCIES:
    #
    # This requires the dig command from bind-utils
    #
    # This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
    #
    # XARF is a specification for sending a formatted response
    # for non-messaging based abuse including:
    #
    # Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
    
    
    # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
    #
    # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
    # to the destemail.

    Also keinenfalls leichtfertig und unüberlegt diese action einsetzen!

    action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
  • action_blocklist_de :
    Melden des blockierten Hosts an via blocklist.de über deren Fail2ban-Reporting-Service-API.
    action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
  • action_badips :
    Bei dieser action wird der blockierte Host an badips.com gemeldet und als blacklist verwendet.
    action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
  • action :
    Definition der Default action. Dieser wert kann systemweit oder auch je einzelnem jail gesetzt werden.
    action = %(action_)s

Filters

Im Verzeichnis /etc/fail2ban/filter.d finden sich bereits vorgefertigte, für wirklich fast alle Anwendungsfälle praxistaugliche, Filterdefinitionen mit regular Expressions.

 # ll -alF /etc/fail2ban/filter.d/
total 264
drwxr-xr-x 2 root root 4096 Jun 17 17:47 ./
drwxr-xr-x 6 root root 4096 Jun 17 15:11 ../
-rw-r--r-- 1 root root  442 Mar 15 01:18 3proxy.conf
-rw-r--r-- 1 root root 3233 Mar 15 01:18 apache-auth.conf
-rw-r--r-- 1 root root 2736 Mar 15 01:18 apache-badbots.conf
-rw-r--r-- 1 root root 1537 Mar 15 01:18 apache-botsearch.conf
-rw-r--r-- 1 root root  813 Mar 15 01:18 apache-common.conf
-rw-r--r-- 1 root root  402 Mar 15 01:18 apache-modsecurity.conf
-rw-r--r-- 1 root root  596 Mar 15 01:18 apache-nohome.conf
-rw-r--r-- 1 root root 1187 Mar 15 01:18 apache-noscript.conf
-rw-r--r-- 1 root root 2000 Mar 15 01:18 apache-overflows.conf
-rw-r--r-- 1 root root 1156 Mar 15 01:18 assp.conf
-rw-r--r-- 1 root root 2270 Mar 15 01:18 asterisk.conf
-rw-r--r-- 1 root root 1671 Mar 15 01:18 common.conf
-rw-r--r-- 1 root root  238 Mar 15 01:18 counter-strike.conf
-rw-r--r-- 1 root root  393 Mar 15 01:18 courier-auth.conf
-rw-r--r-- 1 root root  352 Mar 15 01:18 courier-smtp.conf
-rw-r--r-- 1 root root  418 Mar 15 01:18 cyrus-imap.conf
-rw-r--r-- 1 root root 1440 Mar 15 01:18 dovecot.conf
-rw-r--r-- 1 root root 1696 Mar 15 01:18 dropbear.conf
-rw-r--r-- 1 root root 1282 Mar 15 01:18 ejabberd-auth.conf
-rw-r--r-- 1 root root  403 Mar 15 01:18 exim-common.conf
-rw-r--r-- 1 root root 1349 Mar 15 01:18 exim.conf
-rw-r--r-- 1 root root 2158 Mar 15 01:18 exim-spam.conf
-rw-r--r-- 1 root root  942 Mar 15 01:18 freeswitch.conf
-rw-r--r-- 1 root root  223 Mar 15 01:18 groupoffice.conf
-rw-r--r-- 1 root root  322 Mar 15 01:18 gssftpd.conf
-rw-r--r-- 1 root root  512 Mar 15 01:18 guacamole.conf
-rw-r--r-- 1 root root  404 Mar 15 01:18 horde.conf
-rw-r--r-- 1 root root  466 Mar 15 01:18 kerio.conf
-rw-r--r-- 1 root root  323 Mar 15 01:18 lighttpd-auth.conf
-rw-r--r-- 1 root root  886 Mar 15 01:18 mysqld-auth.conf
-rw-r--r-- 1 root root  400 Mar 15 01:18 nagios.conf
-rw-r--r-- 1 root root 1579 Mar 15 01:18 named-refused.conf
-rw-r--r-- 1 root root  422 Mar 15 01:18 nginx-http-auth.conf
-rw-r--r-- 1 root root  701 Mar 15 01:18 nsd.conf
-rw-r--r-- 1 root root  495 Mar 15 01:18 openwebmail.conf
-rw-r--r-- 1 root root  808 Mar 15 01:18 pam-generic.conf
-rw-r--r-- 1 root root  568 Mar 15 01:18 perdition.conf
-rw-r--r-- 1 root root  834 Mar 15 01:18 php-url-fopen.conf
-rw-r--r-- 1 root root  745 Mar 15 01:18 postfix.conf
-rw-r--r-- 1 root root  312 Mar 15 01:18 postfix-sasl.conf
-rw-r--r-- 1 root root 1054 Mar 15 01:18 proftpd.conf
-rw-r--r-- 1 root root 1725 Mar 15 01:18 pure-ftpd.conf
-rw-r--r-- 1 root root  795 Mar 15 01:18 qmail.conf
-rw-r--r-- 1 root root 1276 Mar 15 01:18 recidive.conf
-rw-r--r-- 1 root root  890 Mar 15 01:18 roundcube-auth.conf
-rw-r--r-- 1 root root  517 Mar 15 01:18 selinux-common.conf
-rw-r--r-- 1 root root  570 Mar 15 01:18 selinux-ssh.conf
-rw-r--r-- 1 root root  330 Mar 15 01:18 sendmail-auth.conf
-rw-r--r-- 1 root root 2424 Mar 15 01:18 sendmail-reject.conf
-rw-r--r-- 1 root root  371 Mar 15 01:18 sieve.conf
-rw-r--r-- 1 root root  472 Mar 15 01:18 sogo-auth.conf
-rw-r--r-- 1 root root 1093 Mar 15 01:18 solid-pop3d.conf
-rw-r--r-- 1 root root  193 Mar 15 01:18 squid.conf
-rw-r--r-- 1 root root  185 Mar 15 01:18 squirrelmail.conf
-rw-r--r-- 1 root root 2779 Mar 15 01:18 sshd.conf
-rw-r--r-- 1 root root  761 Mar 15 01:18 sshd-ddos.conf
-rw-r--r-- 1 root root  348 Mar 15 01:18 stunnel.conf
-rw-r--r-- 1 root root  645 Mar 15 01:18 suhosin.conf
-rw-r--r-- 1 root root  821 Mar 15 01:18 tine20.conf
-rw-r--r-- 1 root root  374 Mar 15 01:18 uwimap-auth.conf
-rw-r--r-- 1 root root  621 Mar 15 01:18 vsftpd.conf
-rw-r--r-- 1 root root  444 Mar 15 01:18 webmin-auth.conf
-rw-r--r-- 1 root root  514 Mar 15 01:18 wuftpd.conf
-rw-r--r-- 1 root root  503 Mar 15 01:18 xinetd-fail.conf

Will oder muß man einen eigenen speziellen failregex Filter bauen, dann muss man dringend nachfolgende Regeln beachten. Man kann sich auch sehr schön an den vielen Beispielen orientieren, die dort aufgeführt sind.

  1. Ein failregex kann aus mehreren Zeilen bestehen, von denen dann jede eine einzelne Zeile der Protokolldatei als Übereinstimmung finden kann.
  2. In jeder Zeile einer failregex muss die Ip-Adresse bzw. der Hostname als (?P<host> … ) eingebunden werden (siehe Beispiel in der /etc/fail2ban/filter.d/common.conf). . Die sit eine Python spezifische Erweiterung, die, in diesem aufgezeigten Beispiel, der Variable <host> den Hostname bzw. die IP-Adresse des Angreifers zuweist. Somit ist die IP-Adresse des Angreifers bei jeder regex-Überprüfung bekannt. Andernfalls bricht fail2ban mit der Fehlermeldung „No 'host' group“ ab.
  3. Der Einfachheit halber kann man den vordefinierten tag <HOST> in den eigenen failregex-Definitionen verwenden. <HOST> ist ein alias für (?:::f{4,6}:)?(?P<host>\S+), was entweder einem Hostnamen oder einer IPv4-Adresse (ggf. in einer IPv6-Adresse eingebettet), repräsentiert.
  4. Im action script wird der tag <ip> mit der IP-Adresse des Hosts besetzt, die im tag<host> ermittelt wurde.
  5. Damit eine Log-Zeile von der eigen definierten failregex erfasst werden kann, müssen zwei Teile übereinstimmen. Dies ist am Anfang der Logzeile ein auswertbarer Zeitstempel bze. eine regex und der Rest der Zeile mit der eigentlichen failregex. Beginnt der failregex mit einem ^-Zeichen als Anker, dann markiert dieser Anker mitt ggf. folgenden Leerzeichgen der Rest der Zeile.
  6. Wird der Zeitstempel der Logzeile nicht erkannt, wird auch ein Treffer der failregex fehlschlagen! Daher wird empfohlen, jede eigene failregex-Definition ausführlich zu testen, ob der betreffende Zeotstempel auch erkannt wird. Im Fehlerfall hat man aktuell nur zwei Möglichkeiten. Entweder passt man die Zeitstempel im Logfile des betreffenden Daemon an, damit dieser von fail2ban erkannt wird. Im anderen Fall kann man einen Bugreport aufmachen und bitten, dieses besondere Zeitstempel in den nächsten Release von fail2ban aufzunehmen.

Baustelle

FIXME

# service fail2ban start Starting fail2ban: [ OK ]

# cat /var/log/fail2ban.log 2014-06-11 12:03:36,460 fail2ban.server.server[21260]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0 2014-06-11 12:03:36,462 fail2ban.server.database[21260]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2014-06-11 12:03:37,566 fail2ban.server.database[21260]: WARNING New database created. Version '2'

 # cat /var/log/fail2ban.log 
2014-06-11 12:37:51,938 fail2ban.server.server[23574]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-06-11 12:37:51,940 fail2ban.server.database[23574]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-06-11 12:37:51,944 fail2ban.server.jail[23574]: INFO    Creating new jail 'sshd-ddos'
2014-06-11 12:37:51,944 fail2ban.server.jail[23574]: INFO    Jail 'sshd-ddos' uses poller
2014-06-11 12:37:52,006 fail2ban.server.filter[23574]: INFO    Set jail log file encoding to UTF-8
2014-06-11 12:37:52,006 fail2ban.server.jail[23574]: INFO    Initiated 'polling' backend
2014-06-11 12:37:52,200 fail2ban.server.filter[23574]: INFO    Added logfile = /var/log/secure
2014-06-11 12:37:52,201 fail2ban.server.filter[23574]: INFO    Set maxRetry = 5
2014-06-11 12:37:52,202 fail2ban.server.filter[23574]: INFO    Set jail log file encoding to UTF-8
2014-06-11 12:37:52,203 fail2ban.server.actions[23574]: INFO    Set banTime = 600
2014-06-11 12:37:52,208 fail2ban.server.filter[23574]: INFO    Set findtime = 600
2014-06-11 12:37:52,208 fail2ban.server.filter[23574]: INFO    Set maxlines = 10
2014-06-11 12:37:52,573 fail2ban.server.server[23574]: INFO    Jail sshd-ddos is not a JournalFilter instance
2014-06-11 12:37:52,592 fail2ban.server.jail[23574]: INFO    Creating new jail 'postfix-sasl'
2014-06-11 12:37:52,592 fail2ban.server.jail[23574]: INFO    Jail 'postfix-sasl' uses poller
2014-06-11 12:37:52,593 fail2ban.server.filter[23574]: INFO    Set jail log file encoding to UTF-8
2014-06-11 12:37:52,594 fail2ban.server.jail[23574]: INFO    Initiated 'polling' backend
2014-06-11 12:37:52,750 fail2ban.server.filter[23574]: INFO    Added logfile = /var/log/maillog
2014-06-11 12:37:52,751 fail2ban.server.filter[23574]: INFO    Set maxRetry = 5
2014-06-11 12:37:52,752 fail2ban.server.filter[23574]: INFO    Set jail log file encoding to UTF-8
2014-06-11 12:37:52,753 fail2ban.server.actions[23574]: INFO    Set banTime = 600
2014-06-11 12:37:52,757 fail2ban.server.filter[23574]: INFO    Set findtime = 600
2014-06-11 12:37:52,818 fail2ban.server.jail[23574]: INFO    Jail 'sshd-ddos' started
2014-06-11 12:37:52,848 fail2ban.server.jail[23574]: INFO    Jail 'postfix-sasl' started
 # service fail2ban status
fail2ban-server (pid  23574) is running...
Status
|- Number of jail:	2
`- Jail list:	postfix-sasl, sshd-ddos
 # iptables -nvL f2b-sasl
Chain f2b-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   556 REJECT     all  --  *      *       202.191.206.242      0.0.0.0/0           reject-with icmp-port-unreachable 
 1265  194K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

erster manueller Start

In RPM wird uns ein Startupscript mitgeliefert - über dieses starten wir unseren SMTP-Server.

 # service fail2ban start
 Starting fail2ban:                                         [  OK  ]

Im eigenen Logfile von fail2ban wird auch der Start entsprechend dokumentiert.

  # less /var/log/fail2ban.log
2014-06-14 00:12:19,028 fail2ban.server.server[11950]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-06-14 00:12:19,029 fail2ban.server.database[11950]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-06-14 00:12:19,260 fail2ban.server.jail[11950]: INFO    Creating new jail 'dovecot'
2014-06-14 00:12:19,261 fail2ban.server.jail[11950]: INFO    Jail 'dovecot' uses poller
2014-06-14 00:12:19,291 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:19,292 fail2ban.server.jail[11950]: INFO    Initiated 'polling' backend
2014-06-14 00:12:19,612 fail2ban.server.filter[11950]: INFO    Added logfile = /var/log/maillog
2014-06-14 00:12:19,613 fail2ban.server.filter[11950]: INFO    Set maxRetry = 5
2014-06-14 00:12:19,616 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:19,616 fail2ban.server.actions[11950]: INFO    Set banTime = 600
2014-06-14 00:12:19,618 fail2ban.server.filter[11950]: INFO    Set findtime = 600
2014-06-14 00:12:19,643 fail2ban.server.server[11950]: INFO    Jail dovecot is not a JournalFilter instance
2014-06-14 00:12:19,657 fail2ban.server.jail[11950]: INFO    Creating new jail 'sshd-ddos'
2014-06-14 00:12:19,657 fail2ban.server.jail[11950]: INFO    Jail 'sshd-ddos' uses poller
2014-06-14 00:12:19,658 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:19,659 fail2ban.server.jail[11950]: INFO    Initiated 'polling' backend
2014-06-14 00:12:20,001 fail2ban.server.filter[11950]: INFO    Added logfile = /var/log/secure
2014-06-14 00:12:20,003 fail2ban.server.filter[11950]: INFO    Set maxRetry = 5
2014-06-14 00:12:20,004 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:20,005 fail2ban.server.actions[11950]: INFO    Set banTime = 600
2014-06-14 00:12:20,006 fail2ban.server.filter[11950]: INFO    Set findtime = 600
2014-06-14 00:12:20,007 fail2ban.server.filter[11950]: INFO    Set maxlines = 10
2014-06-14 00:12:20,221 fail2ban.server.server[11950]: INFO    Jail sshd-ddos is not a JournalFilter instance
2014-06-14 00:12:20,235 fail2ban.server.jail[11950]: INFO    Creating new jail 'sieve'
2014-06-14 00:12:20,235 fail2ban.server.jail[11950]: INFO    Jail 'sieve' uses poller
2014-06-14 00:12:20,237 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:20,237 fail2ban.server.jail[11950]: INFO    Initiated 'polling' backend
2014-06-14 00:12:20,485 fail2ban.server.filter[11950]: INFO    Added logfile = /var/log/maillog
2014-06-14 00:12:20,486 fail2ban.server.filter[11950]: INFO    Set maxRetry = 5
2014-06-14 00:12:20,487 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:20,488 fail2ban.server.actions[11950]: INFO    Set banTime = 600
2014-06-14 00:12:20,489 fail2ban.server.filter[11950]: INFO    Set findtime = 600
2014-06-14 00:12:20,507 fail2ban.server.jail[11950]: INFO    Creating new jail 'postfix-sasl'
2014-06-14 00:12:20,507 fail2ban.server.jail[11950]: INFO    Jail 'postfix-sasl' uses poller
2014-06-14 00:12:20,508 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:20,509 fail2ban.server.jail[11950]: INFO    Initiated 'polling' backend
2014-06-14 00:12:20,660 fail2ban.server.filter[11950]: INFO    Added logfile = /var/log/maillog
2014-06-14 00:12:20,661 fail2ban.server.filter[11950]: INFO    Set maxRetry = 5
2014-06-14 00:12:20,662 fail2ban.server.filter[11950]: INFO    Set jail log file encoding to UTF-8
2014-06-14 00:12:20,663 fail2ban.server.actions[11950]: INFO    Set banTime = 600
2014-06-14 00:12:20,664 fail2ban.server.filter[11950]: INFO    Set findtime = 600
2014-06-14 00:12:20,695 fail2ban.server.jail[11950]: INFO    Jail 'dovecot' started
2014-06-14 00:12:20,752 fail2ban.server.jail[11950]: INFO    Jail 'sshd-ddos' started
2014-06-14 00:12:20,775 fail2ban.server.jail[11950]: INFO    Jail 'sieve' started
2014-06-14 00:12:20,864 fail2ban.server.jail[11950]: INFO    Jail 'postfix-sasl' started

automatisches Starten des Dienste beim Systemstart

Damit nun unser SMTP-Mailserver beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.

 # chkconfig fail2ban on

Anschließend überprüfen wir noch unsere Änderung:

 # chkconfig --list | grep fail2ban
 fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Wichtig Damit beim Starten des Daemon keine Warnmeldung, wie z.B.

Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''

ist bei allen aktivierten Filtern zu prüfen, ob dort ein

ignoreregex =

enthalten ist. Bei Bedarf, also einfach nachtragen!

Konfigurationsbeispiel


Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern.
Diesen Scriptkiddies wollen wir doch gleich mal mit Hilfe von fail2ban ein wenig auf die Sprünge helfen.

Als Praxisbeispiel werden wir nun die gerade angesprochenen Spielkindern eine besondere Behandlung angedeihen lassen.

  1. Log-Einträge
    Als erstes schauen wir uns mal an, wie diese abnormen Anfragen Negativ aufgefallen sind. Dazu werfen wir einen Blick in das betreffende Error-Logfile unseres Webservers.
     # less /var/log/httpd/kunde_1408/web_error.log> <code>[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/nyet.gif
    [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components
    [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/administrator
    [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components
    [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components
    [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components
    [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/cs-CZ
    [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/cs-CZ 

    Wir haben also in dem Logfile folgende drei Werte:
    - Datum
    - Verursacher Quell-Host-IP
    - File does not exist: /var/www/dokuwiki/

  2. failregex ermitteln
    Aus den wiederkehrenden Meldungen im Logfile können wir nun eine failregex ableiten, die wie folgt aussehen kann:
    '\[error\].\[client.<HOST>\].*File.does.not.exist'
  3. failregex testen
    Nachdem wir die failregex definiert haben, können wir diese schon mal testen.
     # fail2ban-regex "[Tue Jun 17 08:11:01 2014] [error] [client 195.191.24.12] File does not exist: /var/www/dokuwiki/components" '\[error\].\[client.<HOST>\].*File.does.not.exist:'
    Running tests
    =============
    
    Use   failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist:
    Use      single line : [Tue Jun 17 08:11:01 2014] [error] [client 195.191...
    
    
    Results
    =======
    
    Failregex: 1 total
    |-  #) [# of hits] regular expression
    |   1) [1] \[error\].\[client.<HOST>\].*File.does.not.exist:
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 1 lines, 0 ignored, 1 matched, 0 missed

    Nachdem der Test positiv ausfiel, können wir noch einen zweiten Test, gegen die Logdatei selbst vornehmen.

     # fail2ban-regex /var/log/httpd/kunde_1408/web_error.log '\[error\].\[client.<HOST>\].*File.does.not.exist:' 
    Running tests
    =============
    
    Use   failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist:
    Use         log file : /var/log/httpd/kunde_1408/web_error.log
    Use         encoding : UTF-8
    
    
    Results
    =======
    
    Failregex: 961 total
    |-  #) [# of hits] regular expression
    |   1) [961] \[error\].\[client.<HOST>\].*File.does.not.exist:
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [2043] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed
    Missed line(s): too many to print.  Use --print-all-missed to print all 1082 lines
  4. Filter definieren
    Als nächstes definieren wir uns unseren Filter.
     # vim /etc/fail2ban/filter.d/apache-dw-nofile.conf
    # Django : 2014-06-18
    # Fail2Ban Filter zum Ermitteln von Web-Anfragen auf viele unbekannte Dateien bei
    # unserem Apache Webserver.
    # 
    # Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos 
    # igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern. Diesen 
    # Scriptkiddies wollen wir mit Hilfe von **fail2ban** ein wenig auf die Sprünge 
    # helfen.
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    failregex = \[error\].\[client.<HOST>\].*File.does.not.exist:
    
    ignoreregex = \[error\].\[client.<HOST>\].*File.does.not.exist:.robots.txt
    
    # Author: Django <django@nausch.org>
  5. Filter testen
    Um sicherzustellen, dass der gerade angelegte Filter auch zuschlägt wiederholen wir den Test mit fail2ban-regex.
    # fail2ban-regex /var/log/httpd/kunde_1408/web_error.log /etc/fail2ban/filter.d/apache-dw-nofile.conf
    <code>Running tests
    =============
    
    Use   failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist:
    Use         log file : /var/log/httpd/kunde_1408/web_error.log
    Use         encoding : UTF-8
    
    
    Results
    =======
    
    Failregex: 961 total
    |-  #) [# of hits] regular expression
    |   1) [961] \[error\].\[client.<HOST>\].*File.does.not.exist:
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [2043] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-
    
    Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed
    Missed line(s): too many to print.  Use --print-all-missed to print all 1082 lines

    Auch dieser Test hat funktioniert, wir können also daran schon mal einen :OK: machen.

  6. Jail definieren
    Passend zu unserem Filter benötigen wir nun noch ein jail in dem wir dann festlegen, was passieren soll, wenn dieser Filter zugeschlagen hat.
     # vim /etc/fail2ban/jail.local
     ...
    
    [apache-dw-nofile]
    enabled = true
    port    = http,https
    action  = %(action_mwl)s
    logpath = /var/log/httpd/kunde_1408/web_error.log
    findtime  = 60
    maxretry = 3
    bantime  = 3600
    
    ...

    Mit dieser jail Definition haben wir festgelegt, dass die action action_mwl ausgeführt werden soll, wenn der filer apache-dw-nofile innerhalb von 1 Minute 3x anschlägt. In diesem Fall wird der Host für 1 Stunde ausgesperrt.

  7. Konfiguration testen
    Bevor wir den neuen Filter scharf schalten, testen wir noch kurz unsere Konfigurationsänderungen.
     # fail2ban-client -d
    ['set', 'logtarget', '/var/log/fail2ban.log']
    ['set', 'loglevel', 'INFO']
    ['set', 'dbpurgeage', 86400]
    ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
    ['add', 'apache-dw-nofile', 'auto']
    ['set', 'apache-dw-nofile', 'usedns', 'warn']
    ['set', 'apache-dw-nofile', 'addlogpath', '/var/log/httpd/kunde_1408/web_error.log', 'head']
    ['set', 'apache-dw-nofile', 'maxretry', 3]
    ['set', 'apache-dw-nofile', 'addignoreip', '127.0.0.1/8']
    ['set', 'apache-dw-nofile', 'logencoding', 'auto']
    ['set', 'apache-dw-nofile', 'bantime', 3600]
    ['set', 'apache-dw-nofile', 'ignorecommand', '']
    ['set', 'apache-dw-nofile', 'findtime', 60]
    ['set', 'apache-dw-nofile', 'addfailregex', '\\[error\\].\\[client.<HOST>\\].*File.does.not.exist:']
    ['set', 'apache-dw-nofile', 'addignoreregex', '\\[error\\].\\[client.<HOST>\\].*File.does.not.exist:.robots.txt']
    ['set', 'apache-dw-nofile', 'addaction', 'iptables-multiport']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>\n# Django : 2014-04-16\n# reporting only 4 badips.com\nwget -q -0 /dev/null www.badips.com/add/<name>/<ip>']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'protocol', 'tcp']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'name', 'apache-dw-nofile']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'chain', 'INPUT']
    ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'port', 'http,https']
    ['set', 'apache-dw-nofile', 'addaction', 'sendmail-whois-lines']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip>:\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep \'[^0-9]<ip>[^0-9]\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionunban', '']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actioncheck', '']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'name', 'apache-dw-nofile']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'dest', 'f2b-reports@nausch.org']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/httpd/kunde_1408/web_error.log']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
    ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
    ['start', 'apache-dw-nofile']

    Nun steht nichts mehr im Weg und wir können unsere Konfiguration aktivieren.

     # service fail2ban restart
    Stopping fail2ban:                                         [  OK  ]
    Starting fail2ban:                                         [  OK  ]

Schon nach kurzer Zeit werden wir nun nichtr mehr so belästigt, wie früher.

 # iptables -nvL
...

Chain f2b-apache-dw-nofile (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       31.186.170.148       0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       46.32.252.31         0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       91.206.200.218       0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       184.107.58.119       0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       37.58.149.98         0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       70.38.11.12          0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       91.185.212.8         0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       80.172.225.139       0.0.0.0/0           reject-with icmp-port-unreachable

blacklist.de

badips.com

Links

Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/fail2ban.txt
  • Zuletzt geändert: 20.04.2018 10:37.
  • (Externe Bearbeitung)