Difference between revisions of "Fail2Ban"

m (Reverted edits by 81.177.14.26 (Talk); changed back to last version by Lostcontrol)
(Updated)
Line 5: Line 5:
 
   
 
   
 
  =============================================================
 
  =============================================================
  Fail2Ban (version 0.6.2)                          2006/12/11
+
  Fail2Ban (version 0.8.0)                          2007/05/03
 
  =============================================================
 
  =============================================================
 
   
 
   
Line 14: Line 14:
 
  or Apache web server ones.
 
  or Apache web server ones.
 
   
 
   
  This is my first Python program. Moreover, English is not my
+
  This README is a quick introduction to Fail2ban. More
  mother tongue...
+
documentation, FAQ, HOWTOs are available on the project
 +
  website: http://www.fail2ban.org
 
   
 
   
   
+
  Installation:
More details:
+
 
  -------------
 
  -------------
 
   
 
   
  Fail2Ban is rather simple. I have a home server connected to
+
  Required:
the Internet which runs apache, samba, sshd, and some other
+
    >=python-2.4 (http://www.python.org)
services. I saw in my logs that people are trying to log into
+
my box using brute force, either "manually" or with scripts.
+
They have tried 10, 20 and sometimes more user/password
+
combinations, without success. In order to discourage these
+
script kiddies, I wanted sshd to refuse login from a specific
+
IP address after 3 password failures. After some Google
+
searches, I found that sshd was not able of that, so I
+
searched for a script or program that does it. I found
+
nothing. :-( So I decided to write my own, and to learn
+
Python. :-)
+
 
   
 
   
  For each section defined in the configuration file, Fail2Ban
+
  Optional:
tries to find lines which match the failregex. Then it
+
    >=gamin-0.0.21 (http://www.gnome.org/~veillard/gamin)
retrieves the message time using timeregex and timepattern.
+
It finally gets the IP, and if that IP has already caused 3
+
or more password failures within the last banTime, it is
+
banned for banTime using a firewall rule. This rule is set
+
by the user in the configuration file; thus, Fail2Ban can be
+
adapted for many different firewalls. After banTime, the rule
+
is deleted. Notice that if no "plain" IP is available,
+
Fail2Ban tries to do a DNS lookup in order to find one or
+
several IP addresses to ban.
+
 
   
 
   
  Sections can be freely added to the configuration file, so it
+
  To install, just do:
is possible to monitor several daemons at the same time.
+
 
   
 
   
Fail2Ban runs on my server and does its job rather well :-)
+
  > tar xvfj fail2ban-0.8.0.tar.bz2
The idea is to make Fail2Ban usable with daemons and services
+
  > cd fail2ban-0.8.0
that require a login (sshd, telnetd, ...) and with different
+
firewalls.
+
+
Installation:
+
-------------
+
+
Requires: python-2.4 (http://www.python.org)
+
+
To install, just type:
+
+
  > tar xvfj fail2ban-0.6.2.tar.bz2
+
  > cd fail2ban-0.6.2
+
 
  > python setup.py install
 
  > python setup.py install
 
   
 
   
  This will install Fail2Ban into /usr/lib/fail2ban. The
+
  This will install Fail2Ban into /usr/share/fail2ban. The
  fail2ban executable is placed into /usr/bin.
+
  executable scripts are placed into /usr/bin.
 
   
 
   
  Gentoo: ebuilds are available on the website.
+
  It is possible that Fail2ban is already packaged for your
  Debian: Fail2Ban is in Debian unstable.
+
  distribution. In this case, you should use it.
RedHat: packages are available on the website.
+
 
   
 
   
  Fail2Ban should now be correctly installed. Just type:
+
  Fail2Ban should be correctly installed now. Just type:
 
   
 
   
  > fail2ban -h
+
  > fail2ban-client -h
 
   
 
   
  to see if everything is alright. You can configure fail2ban
+
  to see if everything is alright. You should always use
  with a config file. Different kind of configuration files are
+
  fail2ban-client and never call fail2ban-server directly.
available:
+
+
iptables:  copy config/fail2ban.conf.iptables to
+
            /etc/fail2ban.conf
+
hosts.deny: copy config/fail2ban.conf.hostsdeny to
+
            /etc/fail2ban.conf
+
shorewall:  copy config/fail2ban.conf.shorewall to
+
            /etc/fail2ban.conf
+
+
Do not forget to edit fail2ban.conf to meet your needs.
+
+
You can use the initd script available in config/. Copy
+
<dist>-initd to /etc/init.d/fail2ban. Gentoo users must copy
+
gentoo-confd to /etc/conf.d/fail2ban. You can start fail2ban:
+
+
> /etc/init.d/fail2ban start
+
+
Gentoo users can add it to the default runlevel:
+
+
> rc-update add fail2ban default
+
 
   
 
   
 
  Configuration:
 
  Configuration:
 
  --------------
 
  --------------
 
   
 
   
  You can configure fail2ban using the file /etc/fail2ban.conf
+
  You can configure Fail2ban using the files in /etc/fail2ban.
  or using command line options. Command line options override
+
  It is possible to configure the server using commands sent to
  the value stored in fail2ban.conf. Here are the command line
+
  it by fail2ban-client. The available commands are described
  options:
+
  in the man page of fail2ban-client. Please refer to it or to
+
  the website: http://www.fail2ban.org
  -b        start in background
+
  -c <FILE>  read configuration file FILE
+
  -p <FILE>  create PID lock in FILE
+
  -h        display this help message
+
  -i <IP(s)> IP(s) to ignore
+
  -k        kill a currently running instance
+
  -r <VALUE> allow a max of VALUE password failure [maxfailures]
+
  -t <TIME>  ban IP for TIME seconds [bantime]
+
  -f <TIME>  lifetime in seconds of failed entry [findtime]
+
  -v        verbose. Use twice for greater effect
+
  -V        print software version
+
+
Please note that a vulnerability (CVE-2006-6302) affects
+
  version < 0.6.2. Since 0.6.2, a named group "host" was added
+
to "failregex". This group must match the host address. Old
+
configuration files will still work but will generate a
+
warning. In this case, please update your configuration file.
+
 
   
 
   
 
  Contact:
 
  Contact:
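Review bot: the rewritten Configuration section drops the CVE-2006-6302 notice and with it the only upgrade caveat this README carried, namely that since 0.6.2 "failregex" must contain a named group "host" that matches the host address and that older configuration files only work with a warning. The new text defers everything to the fail2ban-client man page and the website, so a one-line pointer for users migrating a pre-0.6.2 configuration (and for the move from a single /etc/fail2ban.conf to the files in /etc/fail2ban) should survive here; the removed reminder "Do not forget to edit fail2ban.conf to meet your needs." deserves the same treatment, since the new text never says the shipped files need adjusting.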
Line 129: Line 59:
 
   
 
   
 
  You need some new features, you found bugs or you just
 
  You need some new features, you found bugs or you just
  appreciate this program, you can contact me at :
+
  appreciate this program, you can contact me at:
 
   
 
   
  Website: http://fail2ban.sourceforge.net
+
  Website: http://www.fail2ban.org
 
   
 
   
 
  Cyril Jaquier: <lostcontrol@users.sourceforge.net>
 
  Cyril Jaquier: <lostcontrol@users.sourceforge.net>
 
 
   
 
   
 
  Thanks:
 
  Thanks:
Line 142: Line 71:
 
  Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
 
  Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
 
  Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
 
  Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
  Edgington, Patrick Börjesson, kojiro, zugeschmiert
+
  Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
 +
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
 +
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
 +
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner
 
   
 
   
 
  License:
 
  License:

Revision as of 00:05, 4 May 2007

               __      _ _ ___ _               
              / _|__ _(_) |_  ) |__  __ _ _ _  
             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
             |_| \__,_|_|_/___|_.__/\__,_|_||_|

=============================================================
Fail2Ban (version 0.8.0)                           2007/05/03
=============================================================

Fail2Ban scans log files like /var/log/pwdfail and bans IP
addresses that make too many password failures. It updates
firewall rules to reject the IP address. These rules can be
defined by the user. Fail2Ban can read multiple log files such
as sshd or Apache web server ones.

This README is a quick introduction to Fail2ban. More
documentation, FAQ, HOWTOs are available on the project
website: http://www.fail2ban.org

Installation:
-------------

Required:
   >=python-2.4 (http://www.python.org)

Optional:
   >=gamin-0.0.21 (http://www.gnome.org/~veillard/gamin)

To install, just do:

> tar xvfj fail2ban-0.8.0.tar.bz2
> cd fail2ban-0.8.0
> python setup.py install

This will install Fail2Ban into /usr/share/fail2ban. The
executable scripts are placed into /usr/bin.

Fail2ban may already be packaged for your distribution. In
that case, you should use the distribution package.

Fail2Ban should be correctly installed now. Just type:

> fail2ban-client -h

to see if everything is alright. You should always use
fail2ban-client and never call fail2ban-server directly.

Configuration:
--------------

You can configure Fail2ban using the files in /etc/fail2ban.
The running server can also be configured with commands sent
to it by fail2ban-client. The available commands are described
in the man page of fail2ban-client. Please refer to it or to
the website: http://www.fail2ban.org
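As an added example, not code from the Fail2ban project, the following Python script replays constructed sshd log lines through a minimal version of the mechanism described in the introduction above (a failregex with a named "host" group, a window of findtime seconds, a maxretry threshold, a bantime) and reads those settings from an ini fragment written in the style of the files under /etc/fail2ban. The jail name, the option values, the failregex, the log lines and the iptables command it renders are all assumptions made for this example; fail2ban's own filters and actions live in its configuration files and are not reproduced here.

```python
import re
import configparser
from datetime import datetime, timedelta

# Constructed jail configuration in the ini style of the files under
# /etc/fail2ban. Option names follow fail2ban's conventions; the jail
# name, the values and the failregex are assumptions for this example.
JAIL_CONF = r"""
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime = 600
maxretry = 3

[sshd]
enabled   = true
failregex = Failed password for .* from (?P<host>\S+) port \d+
"""

# Constructed sshd log lines with syslog-style timestamps.
SAMPLE_LOG = """\
May  3 10:00:01 srv sshd[1]: Failed password for root from 203.0.113.5 port 40001 ssh2
May  3 10:00:05 srv sshd[1]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  3 10:00:07 srv sshd[1]: Accepted password for alice from 198.51.100.9 port 40100 ssh2
May  3 10:00:09 srv sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
May  3 10:00:11 srv sshd[1]: Failed password for root from 127.0.0.1 port 40004 ssh2
May  3 10:00:12 srv sshd[1]: Failed password for root from 127.0.0.1 port 40005 ssh2
May  3 10:00:13 srv sshd[1]: Failed password for root from 127.0.0.1 port 40006 ssh2
May  3 10:30:00 srv sshd[1]: Failed password for root from 198.51.100.9 port 40101 ssh2
May  3 10:40:00 srv sshd[1]: Failed password for root from 198.51.100.9 port 40102 ssh2
May  3 10:50:00 srv sshd[1]: Failed password for root from 198.51.100.9 port 40103 ssh2
"""

# Timestamp extraction, the counterpart of a timeregex/timepattern pair.
TIME_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")
TIME_FMT = "%b %d %H:%M:%S"
EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900

def parse_time(line):
    """Return the line's timestamp as seconds since EPOCH, or None."""
    m = TIME_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group("stamp"), TIME_FMT) - EPOCH).total_seconds()

def load_jail(conf_text, name):
    """Read one jail section; [DEFAULT] values are inherited by configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[name]
    regex = re.compile(sec["failregex"])
    if "host" not in regex.groupindex:
        raise ValueError("failregex must define a named group 'host'")
    return {"ignoreip": set(sec.get("ignoreip", "").split()),
            "bantime": sec.getint("bantime"),
            "findtime": sec.getint("findtime"),
            "maxretry": sec.getint("maxretry"),
            "failregex": regex}

def scan(conf_text, jail_name, log_text):
    """Replay log_text through the jail. Returns the ban events as
    (host, banned_at, unban_at) tuples in the order they occur."""
    jail = load_jail(conf_text, jail_name)
    failures = {}      # host -> failure times still inside the findtime window
    banned_until = {}  # host -> time at which its ban expires
    events = []
    for line in log_text.splitlines():
        now = parse_time(line)
        m = jail["failregex"].search(line)
        if now is None or not m:
            continue
        host = m.group("host")
        if host in jail["ignoreip"]:
            continue
        # Expire bans whose bantime has elapsed (the firewall rule is removed).
        for h in [h for h, until in banned_until.items() if now >= until]:
            del banned_until[h]
        if host in banned_until:
            continue
        # Keep only failures from the last findtime seconds, then count this one.
        recent = [t for t in failures.get(host, []) if now - t <= jail["findtime"]]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= jail["maxretry"]:
            banned_until[host] = now + jail["bantime"]
            failures[host] = []
            events.append((host, now, banned_until[host]))
    return events

def ban_command(host):
    """The kind of rule an iptables action would insert (rendered, not run)."""
    return "iptables -I INPUT -s %s -j DROP" % host

if __name__ == "__main__":
    for host, at, until in scan(JAIL_CONF, "sshd", SAMPLE_LOG):
        start = (EPOCH + timedelta(seconds=at)).strftime("%H:%M:%S")
        end = (EPOCH + timedelta(seconds=until)).strftime("%H:%M:%S")
        print("%s ban %s until %s: %s" % (start, host, end, ban_command(host)))
```

Run as-is, only 203.0.113.5 is banned, at its third failure inside the 600-second window; the three failures from 198.51.100.9 are spaced ten minutes apart, so no findtime window ever holds three of them, and the failures from 127.0.0.1 are never counted because the address is in ignoreip. Raising findtime to 1200 makes the second host accumulate to maxretry as well, which is the trade-off the findtime setting expresses.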

Contact:
--------

If you need new features, have found bugs or just appreciate
this program, you can contact me at:

Website: http://www.fail2ban.org

Cyril Jaquier: <lostcontrol@users.sourceforge.net>

Thanks:
-------

Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner

License:
--------

Fail2Ban is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later
version.

Fail2Ban is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public
License along with Fail2Ban; if not, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330,
Boston, MA  02111-1307  USA