fail2ban

"https://github.com/fail2ban/fail2ban/archive/0.9.3.tar.gz"	# Archiv herunterladen (z.B. wget/curl). 0.9.3 ist ein alter Stand: aktuelles Release verwenden und vor dem Entpacken Prüfsumme bzw. Signatur des Archivs prüfen; wo vorhanden ist das Distributionspaket vorzuziehen.
"tar -xzf 0.9.3.tar.gz"
"cd fail2ban-0.9.3"
"python setup.py install"	# installiert systemweit, daher in der Regel als root auszuführen
"cd /etc/fail2ban/"
"vi jail.conf" -> Defaults ansehen. Eigene Anpassungen besser in jail.local bzw. jail.d/*.conf ablegen, da jail.conf bei einem Update überschrieben wird.

"mkdir -p /var/run/fail2ban/"
"fail2ban-client start" oder "fail2ban-server" starten (-f = Server im Vordergrund starten, hilfreich zum Debuggen der Konfiguration)
"fail2ban-client status"
	Status
	|- Number of jail:      0
	`- Jail list:
	
#Jails aktivieren. Minimal-Konfig (Änderungen besser in jail.local/jail.d, damit ein Update von jail.conf sie nicht überschreibt)
"vi /etc/fail2ban/jail.conf" ->
	[sshd]
	port    = ssh
	logpath = /var/log/messages	# distributionsabhängig (z.B. /var/log/auth.log bei Debian/Ubuntu); bei reinem journald ggf. backend = systemd
	enabled = true

#Konfig anpassen
"vi /etc/fail2ban/fail2ban.conf" ->
	loglevel = INFO
	
"fail2ban-client reload"
"fail2ban-client status"
	Status
	|- Number of jail:      1
	`- Jail list:   sshd
"iptables -L -v -n"

#Wenn IP gebannt
"fail2ban-client status sshd"
	Status for the jail: sshd
	|- Filter
	|  |- Currently failed: 1
	|  |- Total failed:     6
	|  `- File list:        /var/log/messages
	`- Actions
	   |- Currently banned: 1
	   |- Total banned:     1
	   `- Banned IP list:   172.17.190.36

	 
######################################
#Custom Regel
#Pattern in /var/log/messages erzeugen (logger schreibt die Testzeile über syslog)
" logger "from 172.17.190.38 acces to my custom server. denied by root" "
"cat /var/log/messages" ->
	"2016-06-17T11:35:38.607629+02:00 test3 root: from 172.17.190.38 acces to my custom server. denied by root"

#RegExp-Pattern testen (1. Argument: Logzeile oder Logdatei, 2. Argument: failregex oder Filterdatei). Der Punkt ist ein Regex-Metazeichen, daher \.
"fail2ban-regex '2016-06-17T11:35:38.607629+02:00 test3 root: from 172.17.190.38 acces to my custom server. denied by root' 'from <HOST> acces to my custom server\. denied by root$' "

"cp -frv /etc/fail2ban/filter.d/sshd.conf /etc/fail2ban/filter.d/custom.conf"

"vi /etc/fail2ban/filter.d/custom.conf" ->
	[INCLUDES]
	before = common.conf
	[Definition]
	_daemon = custom
	# <HOST> beidseitig durch festen Text begrenzen und das Zeilenende verankern: ein unverankertes
	# "<HOST> ..." kann durch fremden Text in der Logzeile auf eine beliebige IP matchen
	# (Log-Injection -> Bann unbeteiligter Hosts). Punkt als Metazeichen escapen.
	failregex = from <HOST> acces to my custom server\. denied by root$
	ignoreregex = 
	[Init]
	# aus sshd.conf übernommen; für dieses einzeilige Muster nicht erforderlich
	maxlines = 10
	
"fail2ban-regex -v /var/log/messages /etc/fail2ban/filter.d/custom.conf"

"vi /etc/fail2ban/jail.conf" ->
	[custom]
	port    = 4711	# die Standard-Ban-Action sperrt nur diesen Port; für eine Komplettsperre banaction = iptables-allports
	logpath = /var/log/messages
	enabled = true
	#maxretry = 1	# Default 5 Treffer innerhalb findtime, siehe Hinweis zu RepeatedMsgReduction unten
	bantime  = 120	# Sekunden, bewusst kurz zum Testen

"fail2ban-client reload"
"fail2ban-client status"
	Status
	|- Number of jail:      2
	`- Jail list:   custom, sshd
"iptables -L -v -n"

#Produktiv test
"vi /etc/rsyslog.conf" ->
	#$RepeatedMsgReduction   on			#Deaktivieren, da sonst identische Folgemeldungen zu einer Zeile zusammengefasst werden und fail2ban nicht zuschlagen kann. Per Default müssen nämlich mind. 5 Treffer innerhalb findtime vorliegen, um zu bannen. Alternativ "maxretry = 1" in der jail.conf.
"systemctl restart rsyslog.service"
"logger "from 172.17.190.172 acces to my custom server. denied by root" " 5x schnell hintereinander (innerhalb von findtime) ausführen.
"tail -f /var/log/fail2ban.log"
	2016-06-17 14:52:09,375 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:10,459 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:10,460 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:10,461 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:11,536 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:11,537 fail2ban.filter         [97777]: INFO    [custom] Found 172.17.190.172
	2016-06-17 14:52:12,561 fail2ban.actions        [97777]: NOTICE  [custom] Ban 172.17.190.172

##################################
#Commands
"fail2ban-client set custom banip 172.17.190.36" = ban manual
"fail2ban-client set custom unbanip 172.17.190.36" = unban manual

####################################
#TODO
#fail2ban mit ipset
#fail2ban mit /var/log/firewall
#fail2ban mit Apache
#fail2ban mit Snort
#fail2ban IPtables Regeln auf DROP
#fail2ban rrdtool visualiseren


####################################
#Info
Die Ban-Datenbank liegt unter "/var/lib/fail2ban/fail2ban.sqlite" (ab 0.9 werden Banns darüber auch über einen Neustart hinweg gehalten).
Anschauen mittels "sqlite3 /var/lib/fail2ban/fail2ban.sqlite" (CLI) oder dem DB Browser for SQLite (http://sqlitebrowser.org/).
