Fail2Ban

From Fail2ban
Revision as of 10:47, 11 May 2006 by Lostcontrol (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
               __      _ _ ___ _
              / _|__ _(_) |_  ) |__  __ _ _ _
             |  _/ _` | | |/ /| '_ \/ _` | ' \
             |_| \__,_|_|_/___|_.__/\__,_|_||_|

=============================================================
Fail2Ban (version 0.6.1)                           2006/03/16
=============================================================

Fail2Ban scans log files like /var/log/pwdfail and bans IP
that makes too many password failures. It updates firewall
rules to reject the IP address. These rules can be defined by
the user. Fail2Ban can read multiple log files such as sshd
or Apache web server ones.

This is my first Python program. Moreover, English is not my
mother tongue...


More details:
-------------

Fail2Ban is rather simple. I have a home server connected to
the Internet which runs apache, samba, sshd, ... I see in my
logs that people are trying to log into my box using "manual"
brute force or scripts. They try 10, 20 and sometimes more
user/password (without success anyway). In order to
discourage these script kiddies, I wanted that sshd refuse
login from a specific ip after 3 password failures. After
some Google searches, I found that sshd was not able of that.
So I search for a script or program that do it. I found
nothing :-( So I decide to write mine and to learn Python :-)

For each sections defined in the configuration file, Fail2Ban
tries to find lines which match the failregex. Then it
retrieves the message time using timeregex and timepattern.
It finally gets the ip and if it has already done 3 or more
password failures in the last banTime, the ip is banned for
banTime using a firewall rule. This rule is set by the user
in the configuration file. Thus, Fail2Ban can be adapted for
lots of firewall. After banTime, the rule is deleted. Notice
that if no "plain" ip is available, Fail2Ban try to do DNS
lookup in order to found one or several ip's to ban.

Sections can be freely added so it is possible to monitor
several daemons at the same time.

Runs on my server and does its job rather well :-) The idea
is to make fail2ban usable with daemons and services that
require a login (sshd, telnetd, ...) and with different
firewalls.


Installation:
-------------

Require: python-2.4 (http://www.python.org)

To install, just do:

> tar xvfj fail2ban-0.6.1.tar.bz2
> cd fail2ban-0.6.1
> python setup.py install

This will install Fail2Ban into /usr/lib/fail2ban. The
fail2ban executable is placed into /usr/bin.

Gentoo: ebuilds are available on the website.
Debian: Fail2Ban is in Debian unstable.
RedHat: packages are available on the website.

Fail2Ban should now be correctly installed. Just type:

> fail2ban -h

to see if everything is alright. You can configure fail2ban
with a config file. Different kind of configuration files are
available:

iptables:   copy config/fail2ban.conf.iptables to
            /etc/fail2ban.conf
hosts.deny: copy config/fail2ban.conf.hostsdeny to
            /etc/fail2ban.conf
shorewall:  copy config/fail2ban.conf.shorewall to
            /etc/fail2ban.conf

Do not forget to edit fail2ban.conf to meet your needs.

You can use the initd script available in config/. Copy
<dist>-initd to /etc/init.d/fail2ban. Gentoo users must copy
gentoo-confd to /etc/conf.d/fail2ban. You can start fail2ban:

> /etc/init.d/fail2ban start

Gentoo users can add it to the default runlevel:

> rc-update add fail2ban default

Configuration:
--------------

You can configure fail2ban using the file /etc/fail2ban.conf
or using command line options. Command line options override
the value stored in fail2ban.conf. Here are the command line
options:

  -b         start in background
  -c <FILE>  read configuration file FILE
  -p <FILE>  create PID lock in FILE
  -h         display this help message
  -i <IP(s)> IP(s) to ignore
  -k         kill a currently running instance
  -r <VALUE> allow a max of VALUE password failure [maxfailures]
  -t