Protecting a Linux machine with fail2ban: Difference between revisions

From RVM Wiki

Latest revision as of 16:49, 19 July 2016

Installation

  • Install fail2ban
sudo apt-get install fail2ban
  • By default it already creates chains, depending on which packages are installed:
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-pureftpd  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21 
fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

General parameter configuration

  • Put the parameters to change in jail.local; within the editor, :r reads the defaults in from jail.conf as a starting point:
sudoedit /etc/fail2ban/jail.local
:r /etc/fail2ban/jail.conf
  • In particular:
# these hosts will never be banned
ignoreip = 127.0.0.1 1.2.3.4 5.6.7.8 9.10.11.12/24
# how long the ban stays active (seconds)
bantime  = 300
# number of failures after which the ban is applied
maxretry = 9
# recipient and sender of the notifications (the jail.conf key is "sender";
# if the sender is still not honoured, see "Forcing the email notification sender" below)
destemail = recipient@example.com
sender = fail2ban@example.com
# ban and send an email with a whois report
action = %(action_mw)s

  • Enable the relevant sections by setting
enabled = true
  • Reload
sudo systemctl restart fail2ban
  • Watch the logs:
sudo tail -f /var/log/fail2ban.log

Test

  • To test, for example, a brute force against dovecot, use the nmap script:
cd /tmp
wget http://nmap.org/svn/scripts/imap-brute.nse
nmap -p 143,993 --script imap-brute servername.example.com

Forcing the email notification sender

  • If the email notifications arrive from fail2ban@myserver.example.priv and you want to force a sender, edit:
sudoedit /etc/fail2ban/action.d/sendmail-common.conf
# Recipient mail address
#
dest = admin@example.com

# Sender mail address
#
sender = fail2ban@example.com

Custom filter for apache 404

  • To also block bots that hit missing files while scanning for vulnerabilities, create
sudoedit /etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = <HOST> .* 404 [0-9]+
#(?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+.$
ignoreregex = favicon\.ico
  • Enable it:
sudoedit /etc/fail2ban/jail.local
[apache-404]

enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/*access.log
bantime = 300
findtime = 600
maxretry = 9
  • Test the rule against the access log the jail reads with
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404.conf
  • Restart and test
sudo invoke-rc.d fail2ban restart


  • To match error.log instead:
#failregex = [[]client <HOST>[]] File does not exist: .*
  • To see how many hosts are banned:
sudo fail2ban-client status apache-404
Status for the jail: apache-404
|- filter
|  |- File list:        /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log 
|  |- Currently failed: 130
|  `- Total failed:     412
`- action
   |- Currently banned: 11
   |  `- IP list:       64.27.50.50 69.160.56.137 87.104.210.109 91.121.220.8 91.236.74.125 46.4.55.227 192.95.1.132 87.98.143.72 84.112.211.204 82.20.121.210 82.40.171.5 
   `- Total banned:     15

Ban escalation

  • By monitoring fail2ban's own log it is possible to extend a ban further
  • Create the filter
sudoedit /etc/fail2ban/filter.d/fail2ban-ban.conf
[Definition]
failregex = Ban <HOST>
# do not count this jail's own bans as new failures
ignoreregex = \[fail2ban-ban\] Ban
  • If escalation is wanted only for certain classes of ban, add the jail name (as it appears in the log) to the regex, for example:
failregex = \[sendmail\] Ban <HOST>
  • Enable the jail:
sudoedit /etc/fail2ban/jail.local 
[fail2ban-ban]
enabled = true
# block all tcp traffic
banaction = iptables-allports
# if you want to block all traffic, uncomment following line
# protocol = all
filter = fail2ban-ban
logpath = /var/log/fail2ban.log
# If banned more than 5 times in an hour, ban again for two hours
maxretry = 5
findtime = 3600
bantime = 7200


  • Consider the following:
<fab23> I am using FreeBSD IPFW as firewall, and on default with the fail2ban setup it blocks the IP on all ports
<fab23> but after I had been locked out with ssh from a shared network where one of my users mistyped his mail password several times, I switched to only block ports, so I still can ssh to my systems :)
<GabrieleV> fab23, You are absolutely right! I have to consider this ... anyway, I can access my virtual machine control panel out of band. But it's a clever consideration: block only the services you are monitoring!
  • Test the rule:
sudo fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-ban.conf
  • Restart:
sudo invoke-rc.d fail2ban restart
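Added example, not part of the wiki page or of fail2ban itself: a small Python re-implementation of what fail2ban-regex plus the jail counters do, run over constructed Apache access-log lines with the apache-404 filter above (failregex, ignoreregex, maxretry 9, findtime 600); the same engine replays the ban-escalation filter on fail2ban.log lines by passing fail2ban_ts instead of apache_ts. All names, the sample addresses and the IPv4-only <HOST> expansion are assumptions of this toy.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands the <HOST> tag to a named group; this toy handles IPv4 only (an assumption).
HOST_TAG = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

def compile_filter(failregex, ignoreregex=()):
    """Compile a filter.d-style failregex list and ignoreregex list."""
    return ([re.compile(r.replace("<HOST>", HOST_TAG)) for r in failregex],
            [re.compile(r) for r in ignoreregex if r])

def offending_host(line, fail, ignore):
    """Host captured by the first failregex hit, unless an ignoreregex matches first."""
    if any(p.search(line) for p in ignore):
        return None
    for p in fail:
        m = p.search(line)
        if m:
            return m.group("host")
    return None

def apache_ts(line):  # access log "[19/Jul/2016:16:00:00 +0200]" (offset ignored)
    return datetime.strptime(re.search(r"\[([^ \]]+)", line).group(1), "%d/%b/%Y:%H:%M:%S")

def fail2ban_ts(line):  # fail2ban.log "2016-07-19 16:49:00,123 ..."
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def hosts_to_ban(lines, fail, ignore, maxretry, findtime, ts_of):
    """Replay a jail: a host is banned once it has >= maxretry failures within findtime seconds."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        host = offending_host(line, fail, ignore)
        if host is None:
            continue
        t = ts_of(line)
        recent[host] = [x for x in recent[host] if (t - x).total_seconds() <= findtime] + [t]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed access log: one client probing for missing files, one benign client.
SCANNER, BENIGN = "203.0.113.5", "198.51.100.7"
ACCESS_LOG = [f'{SCANNER} - - [19/Jul/2016:16:{m:02d}:00 +0200] "GET /probe-{m}.php HTTP/1.1" 404 286'
              for m in range(9)] + [
    f'{BENIGN} - - [19/Jul/2016:16:05:10 +0200] "GET /favicon.ico HTTP/1.1" 404 209',
    f'{BENIGN} - - [19/Jul/2016:16:05:11 +0200] "GET /index.html HTTP/1.1" 200 1042']
APACHE_404 = compile_filter([r"<HOST> .* 404 [0-9]+"], [r"favicon\.ico"])
def demo():  # the page's apache-404 jail settings: maxretry 9, findtime 600
    return hosts_to_ban(ACCESS_LOG, *APACHE_404, maxretry=9, findtime=600, ts_of=apache_ts)
```

Running demo() bans only the scanner; the favicon.ico 404 is discarded by ignoreregex and the 200 response never matches.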

Filter management

SASL

  • On Debian Squeeze, add the following regex, otherwise the failures will not be detected:
sudoedit /etc/fail2ban/filter.d/sasl.conf
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
            (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$

References

  • Fail2ban - Guide@Debianizzati.Org: http://guide.debianizzati.org/index.php/Fail2ban