Block IPs real time with fail2ban

What is fail2ban

Fail2ban is a very handy tool for blocking unwanted botnet scans. It scans log files like /var/log/pwdfail or /var/log/apache/error_log, bans any IP address that makes too many password failures, and updates firewall rules in real time to reject that address for a specified period of time.

http://www.fail2ban.org/wiki/index.php/Main_Page

Installation: fail2ban requires python-devel. Install it either from source or from your distribution's package.


Monitoring FTP logs

This configures IP blocking for pure-ftpd. The config file is /etc/fail2ban/jail.conf, and /var/log/messages is monitored for FTP login failures. You get 3 tries, depending on the configuration you select.

To see who is blocked: see /var/log/fail2ban.log.

To see status, run either of:

fail2ban-client status pureftpd-iptables
iptables -L -n

The default block time in this scenario is 30 minutes, after which fail2ban will ‘unban’ the IP. This follows recommendations on various forums, which suggest that botnets will move on after 10 minutes, so a permanent block list would not be needed.

jail.conf:

[pureftpd-iptables]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
           sendmail-whois[name=pure-ftpd, dest=sysadmin@server.edu, sender=fail2ban@server.edu]
logpath  = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf: put each regexp on its own line, with continuation lines indented. Each regexp must contain the <HOST> tag, which is what matches the IP address.

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
            net2ftp.* <HOST> login_small admin 1
            pure-ftpd:.* \[WARNING\] Too many connections (.*) from this IP: \[<HOST>\]

/var/log/fail2ban.log then reports that an IP was blocked, and later that it was unblocked.

Testing it out

You can also test the regular expressions with fail2ban-regex. Use either a line from a log or an entire log file and a template file to test:

fail2ban-regex 'Fri Jun 19 02:00:20 2009 [pid 28783] FTP command: Client "210.188.204.29", "USER Administrator"' '\"<HOST>\", \"USER Administrator\"'

fail2ban-regex '/var/log/messages' '/etc/fail2ban/filter.d/pure-ftpd.conf'

or test one line from your log against the config file:

fail2ban-regex 'Jan  1 16:22:13 servername pure-ftpd: (?@150.214.153.227) [WARNING] Authentication failed for user [Administrator]' '/etc/fail2ban/filter.d/pure-ftpd.conf'
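
The filter mechanics described above, as an added example that is not part of the original post or of fail2ban itself: it reads a pure-ftpd filter with Python's configparser, expands <HOST>, and counts failures per address against maxretry. The <HOST> expansion is a simplified IPv4-only stand-in, the __errmsg value and the log lines are constructed, and findtime is ignored.

```python
import configparser
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed filter text. The __errmsg value is an assumption taken from the
# wording of the sample log line; continuation lines are indented.
FILTER_CONF = r"""
[Definition]
__errmsg = Authentication failed for user
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
            pure-ftpd:.* \[WARNING\] Too many connections (.*) from this IP: \[<HOST>\]
"""

# Constructed syslog lines using documentation addresses.
SAMPLE_LOG = [
    "Jan  1 16:22:13 servername pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]",
    "Jan  1 16:22:15 servername pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]",
    "Jan  1 16:22:18 servername pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]",
    "Jan  1 16:22:40 servername pure-ftpd: (?@198.51.100.4) [WARNING] Authentication failed for user [bob]",
    "Jan  1 16:22:52 servername pure-ftpd: (?@198.51.100.4) [INFO] New connection from 198.51.100.4",
]

def load_failregex(conf_text):
    """Return compiled patterns, one per failregex line, with <HOST> expanded."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)  # also interpolates %(__errmsg)s
    compiled = []
    for line in cp.get("Definition", "failregex").splitlines():
        line = line.strip()
        if not line:
            continue
        if "<HOST>" not in line:  # e.g. angle brackets lost in copy/paste
            raise ValueError("failregex line has no <HOST> tag: " + line)
        compiled.append(re.compile(line.replace("<HOST>", HOST_GROUP)))
    return compiled

def would_ban(lines, patterns, maxretry=3):
    """Addresses with at least maxretry matching lines (findtime is ignored)."""
    hits = Counter()
    for line in lines:
        for rx in patterns:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count each log line once
    return sorted(ip for ip, n in hits.items() if n >= maxretry)
```

Calling would_ban(SAMPLE_LOG, load_failregex(FILTER_CONF)) returns only the address with three failures; a filter whose tag was pasted as a bare HOST is rejected by load_failregex instead of silently matching nothing.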

Monitor and block ssh attempts:

Enable the ssh-iptables section of jail.conf:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=myaddress@server.edu, sender=fail2ban@server.edu]
logpath = /var/log/warn
maxretry = 3

To unban an address manually, specify the iptables chain being used:

sudo iptables -D fail2ban-vsftpd -s 192.168.xx.xx -j DROP

Block an IP that is trying all sorts of PHP and Apache URLs that don’t exist, using apache-noscript.conf. As above, each regexp must contain the <HOST> tag:

failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl|phpmyadmin|phpMyadmin)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$

On restarting fail2ban:

Sometimes /etc/init.d/fail2ban restart does not successfully restart all monitors if you are monitoring multiple logs. You may want to script the restart with a longer pause between the stop and the start.
