LinuxQuestions.org - Slackware
Fail2Ban or Similar build for slackware 14-Current (http://www.linuxquestions.org/questions/slackware-14/fail2ban-or-similar-build-for-slackware-14-current-4175467165/)

cooholio 06-24-2013 09:45 AM

Fail2Ban or Similar build for slackware 14-Current
 
Looking around for some more info on Fail2Ban for slackware 14-Current.

Saw that it was available for Slackware 13.1 but don't know how well that will work with 14.

Don't need to be that program, but I'm looking for something similar to run that will automatically ban IPs that fail to authenticate 3 times.

Have some nightly activity from different sources trying to brute force my password for root.

I have been manually adding them to iptables to block them, but that is very time consuming and retroactive.

Any tips and links would be much appreciated.

/Joakim

JackHair 06-24-2013 10:44 AM

A little search got me this:
Code:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Or you can try Ossec. http://www.ossec.net/

Source:
http://serverfault.com/questions/419...o-many-hits-on
Guess you should read up here

TobiSGD 06-24-2013 12:05 PM

There exists a SlackBuild for fail2ban: http://slackbuilds.org/repository/14...work/fail2ban/
It compiles on Slackware -current, but I have not tested running it.

By the way, there is no such thing as Slackware 14-current, you run either 14 or -current, but not both.

mancha 06-24-2013 03:48 PM

First of all, a pure iptables "solution" will operate at the packet level and will not be checking for "IP's that fails to authenticate after 3 times." That occurs at the application layer and requires an application layer solution (see list at end).

What we can check for at the packet level is incoming new connections in rapid succession to port 22 from the same IP. We can then assume this behavior represents an attack.

The ruleset shown in post #2 is one approach to solving this. It specifies a window of time (in the above example that is one minute) in which connection attempt number five and above get dropped.

I argue this is inadequate because the IP gains access once again after enough time passes. In other words, in that example, if the attacker waits one minute since his last blocked attempt, the effective hit count is 0 and the attacker gets 4 more attempts before a new block. Rinse & repeat.

My ruleset below uses a two-tier framework to establish a permanent blacklist (until rules are flushed).

Code:

iptables -N BLACK
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name BLACK --rcheck -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 30 --hitcount 4 --rttl -j BLACK
iptables -A BLACK -m recent --set --name BLACK -j DROP

The logic is very simple: IPs that try to connect to port 22 four times in 30 seconds get blacklisted permanently (until rules are flushed). As opposed to the example in post #2, this blocks attempt number four and above (not five and above). Do note I have two different objects which share the name BLACK: 1) a blacklist of IPs, and 2) a user-defined chain. They're different.

Application level solutions generally rely on parsing log output. Some you can check out: fail2ban (already mentioned), blackssh, and DenyHosts.

--mancha
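To make the difference between the two rulesets concrete, here is an added Python model of the xt_recent bookkeeping behind --set, --rcheck and --update (written for this thread; it is not mancha's code or the kernel's). It assumes the kernel defaults ip_pkt_list_tot=20 and ip_list_tot=100, ignores the --rttl check, and reproduces the rule order each poster actually gets: post #2 adds both rules with -I, so its --update/DROP rule lands above the --set rule and is evaluated first, while mancha's -A ruleset evaluates --set first. The timeline is constructed: 203.0.113.7 bursts new connections, then comes back after its stamps have aged out of the window.

```python
"""Toy model of the iptables xt_recent match. Compares the rolling-window
DROP rule (post #2) with the two-tier permanent blacklist (mancha's ruleset).
Added example, not code from the thread or the kernel; --rttl is ignored."""


class RecentList:
    """One named xt_recent list: per-address timestamps, newest first.
    Defaults mirror the module parameters ip_pkt_list_tot and ip_list_tot."""

    def __init__(self, ip_pkt_list_tot=20, ip_list_tot=100):
        self.ip_pkt_list_tot = ip_pkt_list_tot  # stamps kept per address
        self.ip_list_tot = ip_list_tot          # addresses kept per list
        self.entries = {}                       # addr -> stamps; dict order = LRU order

    def _touch(self, addr, now):
        stamps = self.entries.pop(addr, [])
        stamps.insert(0, now)
        del stamps[self.ip_pkt_list_tot:]       # oldest stamp falls off when full
        self.entries[addr] = stamps             # re-insert so this addr is most recent

    def set(self, addr, now):
        """--set: record this packet; when the list is full the least recently
        seen address is evicted, which is why a 'permanent' list has a capacity."""
        if addr not in self.entries and len(self.entries) >= self.ip_list_tot:
            del self.entries[next(iter(self.entries))]
        self._touch(addr, now)
        return True                             # --set always matches

    def check(self, addr, now, seconds=0, hitcount=0):
        """--rcheck: present, with >= hitcount stamps inside the last `seconds`
        (seconds=0: any age; hitcount=0: any number of stamps)."""
        hits = 0
        for stamp in self.entries.get(addr, []):
            if seconds and stamp < now - seconds:
                continue
            hits += 1
            if hits >= hitcount:
                return True
        return False

    def update(self, addr, now, seconds=0, hitcount=0):
        """--update: like --rcheck, but a match also records a fresh stamp."""
        if not self.check(addr, now, seconds, hitcount):
            return False
        self._touch(addr, now)
        return True


def window_only(ssh, addr, now, seconds=60, hitcount=4):
    """Post #2's pair of rules. Both were added with -I, so the second one
    (--update --seconds 60 --hitcount 4 -j DROP) sits above --set and runs first."""
    if ssh.update(addr, now, seconds, hitcount):
        return "DROP"
    ssh.set(addr, now)
    return "ACCEPT"


def two_tier(ssh, black, addr, now, seconds=30, hitcount=4):
    """mancha's -A ruleset: anything already in BLACK is dropped before the SSH
    rules run; tripping the SSH window adds the source to BLACK for good."""
    if black.check(addr, now):                  # -m recent --name BLACK --rcheck -j DROP
        return "DROP"
    ssh.set(addr, now)                          # -m recent --set --name SSH
    if ssh.update(addr, now, seconds, hitcount):  # --update --seconds 30 --hitcount 4 -j BLACK
        black.set(addr, now)                    # chain BLACK: --set --name BLACK -j DROP
        return "DROP"
    return "ACCEPT"


# Constructed timeline (seconds, source): a burst of five new connections, then
# the same source returns once its stamps have aged out of the window.
ATTEMPTS = [(t, "203.0.113.7") for t in (0, 5, 10, 15, 20, 100, 105, 110, 115, 120)]


def simulate(policy):
    """Return the per-attempt verdicts for 'window' or 'two_tier'."""
    ssh, black = RecentList(), RecentList()
    verdicts = []
    for now, addr in ATTEMPTS:
        if policy == "window":
            verdicts.append(window_only(ssh, addr, now))
        else:
            verdicts.append(two_tier(ssh, black, addr, now))
    return verdicts


if __name__ == "__main__":
    for policy in ("window", "two_tier"):
        print(f"{policy:8s}", " ".join(simulate(policy)))
```

Running it, the window-only policy gives ACCEPT x4, DROP, ACCEPT x4, DROP: attempt five is the first one dropped, and after the stamps age out the source gets four more tries, which is the rinse-and-repeat mancha describes. The two-tier policy gives ACCEPT x3 and then DROP for everything that follows. One caveat the model makes visible: the BLACK list is only as permanent as its capacity, since once it holds ip_list_tot addresses (100 by default) the least recently seen one is evicted on the next --set; raise the xt_recent module parameter if you rely on the blacklist staying complete.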

allend 06-24-2013 07:26 PM

Quote:

Have some nightly activity from different sources trying to brute force my password for root.
I suggest you review your need to allow root access with only password protection. Slowing brute force attempts will not stop them. http://www.linuxquestions.org/questi...tempts-340366/

tuxrules 06-24-2013 10:15 PM

Quote:

Originally Posted by cooholio (Post 4977548)
Looking around for some moreinfo on the Fail2Ban for slackware 14-Current.

I am the SBo maintainer of fail2ban. I've been running fail2ban on my personal server with -current for a while now and no issues to report. Fail2ban has had quite some changes recently and I would recommend you also look into the recidive jail in addition to other traditional jails.

recidive jail looks at previous fail2ban logs and blocks repeat offenders for a longer time. Works quite nicely.

Z038 06-25-2013 12:18 AM

I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.

In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.

cooholio 06-25-2013 04:18 PM

Quote:

Originally Posted by Z038 (Post 4978009)
I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.

In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.

Is this something you would like to share with me?

It would be highly appreciated. I tried to install Fail2Ban from slackbuilds.org and it worked fine until I rebooted the server, and now I get error messages when trying to start it.

Below is the error message:
Code:

/etc/rc.d/rc.fail2ban start
Starting fail2ban:
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 426, in <module>
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 395, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 184, in __processCommand
    ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 399, in __readConfig
    self.__configurator.readAll()
  File "/usr/share/fail2ban/client/configurator.py", line 62, in readAll
    self.__jails.read()
  File "/usr/share/fail2ban/client/jailsreader.py", line 49, in read
    return ConfigReader.read(self, "jail")
  File "/usr/share/fail2ban/client/configreader.py", line 70, in read
    config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
  File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
  File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
    parser.read(resource)
  File "/usr/lib64/python2.7/ConfigParser.py", line 305, in read
    self._read(fp, filename)
  File "/usr/lib64/python2.7/ConfigParser.py", line 512, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'


Not a super user on Slackware, so I might have done something wrong when installing it, but I made the slackinstall using doinst and chown +x and ran it, and then used pkgtool to install the package, and it worked fine. After rebooting the server I get the above message.

Any help will be awesome.

/Joakim
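The traceback is specific enough to reproduce. Below is an added Python check (not from the thread or from fail2ban) that feeds a constructed jail.conf-style text to the standard library's configparser, which raises the same MissingSectionHeaderError class that the Python 2 ConfigParser in the traceback did: a key/value line such as enabled = true that appears before the first [section] header is rejected, and the exception carries the line number, which is what the "line: 12" in the message refers to. The fragment is constructed so that the stray key lands on line 12; the real jail.conf is not reproduced here.

```python
"""Reproduce and diagnose the MissingSectionHeaderError from the traceback.
Added example, not from the thread or fail2ban. Python 3's configparser raises
the same exception class as the Python 2 ConfigParser that fail2ban 0.8.x used
here. The jail.conf text below is constructed, not the real file."""

import configparser

# Constructed fragment: a key/value line placed before any [section] header,
# arranged so it lands on line 12 as in the traceback. Everything above it is
# a comment or blank, which the parser skips without complaint.
BROKEN_JAIL_CONF = """\
# Fail2Ban configuration file (constructed fragment for this example)
#
# The DEFAULT section sets values that every jail inherits unless
# the jail overrides them.
#
# Comments and blank lines are fine before the first section header;
# key/value lines are not.
#
#
#
# the [DEFAULT] header that used to sit here was lost while editing
enabled = true
ignoreip = 127.0.0.1/8

[ssh-iptables]
enabled = true
filter = sshd
logpath = /var/log/messages
maxretry = 3
"""

# Same text with the header restored.
FIXED_JAIL_CONF = BROKEN_JAIL_CONF.replace(
    "# the [DEFAULT] header that used to sit here was lost while editing",
    "[DEFAULT]")


def check_jail_config(text, source="jail.conf"):
    """Parse jail.conf-style text.

    Returns (True, sections) on success, or (False, lineno, offending_line)
    when a key/value line precedes the first [section] header, which is the
    condition behind 'File contains no section headers'.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text, source=source)
    except configparser.MissingSectionHeaderError as exc:
        return (False, exc.lineno, exc.line.rstrip("\n"))
    return (True, parser.sections())


def first_key_before_section(text):
    """Parser-free version of the same check: the line number of the first
    non-blank, non-comment line that is not a [section] header, else None."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        return None if stripped.startswith("[") else lineno
    return None


if __name__ == "__main__":
    print("broken:", check_jail_config(BROKEN_JAIL_CONF))
    print("fixed: ", check_jail_config(FIXED_JAIL_CONF))
```

Run against the broken text it reports line 12 and the offending "enabled = true"; against the fixed text it lists the ssh-iptables jail ([DEFAULT] is never reported as a section). On a real box the same idea is to open /etc/fail2ban/jail.conf at the reported line and look upward for the section header that should precede it, or restore the stock file as ponce suggests below.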

ponce 06-25-2013 05:32 PM

Quote:

Originally Posted by cooholio (Post 4978553)
Code:

ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'


I don't use fail2ban, but reading the error, it seems like you are having a problem with a config file (maybe something happened when you edited it): maybe using the stock one ( /etc/fail2ban/jail.conf ) could help.

Z038 06-25-2013 07:53 PM

Quote:

Originally Posted by cooholio (Post 4978553)
Not a super user on Slackware, so I might have done something wrong when installing it, but I made the slackinstall using doinst and chown +x and ran it, and then used pkgtool to install the package, and it worked fine. After rebooting the server I get the above message.

It sounds as if you didn't do a standard SlackBuild install.

The standard method to install a SlackBuild package is to download the SlackBuild tar file to your build location (I set up a new folder for each package), and unarchive it. Then go into the subdirectory that tar creates, where the fail2ban.SlackBuild file is, and download or wget the program source tar file into that directory. chmod the SlackBuild script to make it executable, then "su -" so you get the proper interactive login paths and umask for root. Then execute the SlackBuild script as root. Once the package is built, use installpkg or upgradepkg --install-new to install it. You also do this as root.

Then for this particular package, you need to read the README.SBo and follow the instructions in there too.

Why don't you try re-installing as described, and see if you still get those errors.

cooholio 06-26-2013 11:15 AM

OK, made the package and all that good stuff.

Used installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

Get this feedback from it:

installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
Cannot install --install-new: file not found
Verifying package fail2ban-0.8.9-noarch-1_SBo.tgz.
Installing package fail2ban-0.8.9-noarch-1_SBo.tgz:
PACKAGE DESCRIPTION:
# Fail2Ban (bans IP that makes too many password failures)
#
# Fail2Ban scans log files like /var/log/pwdfail and bans IP
# that makes too many password failures. It updates firewall
# rules to reject the IP address. These rules can be defined by
# the user. Fail2Ban can read multiple log files such as sshd,
# Apache web server, postfix and others.
#
# Home Page: http://www.fail2ban.org/wiki/index.php/Main_Page
#
Executing install script for fail2ban-0.8.9-noarch-1_SBo.tgz.
Package fail2ban-0.8.9-noarch-1_SBo.tgz installed.

I check to see if it's there:

slackpkg search fail2ban

Looking for fail2ban in package list. Please wait... DONE

No package name matches the pattern.

root@ftp:/tmp# slackpkg search fail2ban*

Looking for fail2ban-0.8.9-noarch-1_SBo.tgz in package list. Please wait... DONE

No package name matches the pattern.

I then try upgradepkg and get this.

upgradepkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

+==============================================================================
| Skipping package fail2ban-0.8.9-noarch-1_SBo (already installed)
+==============================================================================

I obviously am doing something wrong here but don't know what it is.

Again, any help is highly appreciated.

/Joakim

cooholio 06-26-2013 11:25 AM

Update...

It's working, but as soon as I try to enable ssh-iptables it goes nuts.

I guess I will just try to set ssh-iptables = true and see what happens from there.

Wish I knew more about this, but I'm learning it all as I go.

I appreciate all the help and will give kudos for the help I have been given.

/Joakim

TSquaredF 06-26-2013 11:45 AM

Your problems start with a misreading of Z038's instructions in post #10. The commands
Code:

installpkg
&
Code:

upgradepkg --install-new
are identical if a package has NOT been installed. So, what
Code:

installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
was trying to do was install two packages, one named "--install-new", the other "fail2ban-0.8.9-noarch-1_SBo.tgz". It, obviously, failed to install the first; but did install the second. All good. Your problem with the pkgtool command is that it only works with Slackware packages, so not with SBo packages. Check the "search" definition in "man slackpkg". You do have fail2ban installed, as evidenced by the failure of upgradepkg. You can find it with
Code:

which fail2ban
Edit: Your last post came in while I was still writing.
Quote:

Its working but as soon as i try to enable the ssh-iptables it goes nuts.
is not very helpful as far as being able to determine what is wrong. If you really want help, give a much better description of what is happening, including error messages, etc.

Regards,
Bill

Z038 06-26-2013 06:24 PM

Quote:

Originally Posted by cooholio (Post 4979050)
It's working, but as soon as I try to enable ssh-iptables it goes nuts.

You shouldn't need to modify fail2ban.conf, but if you do, copy it as fail2ban.local and modify it instead of the original. Fail2ban treats everything in a "local" file as an override to the corresponding "conf" file.

Make a copy of jail.conf and call it jail.local. Set some reasonable defaults in the [DEFAULT] section, and add your own network onto the ignoreip statement if you want to exempt systems on your local network from being banned. This is entirely subjective, but I thought that the fail2ban defaults for bantime, findtime, and maxretry were too lenient, so I beefed them up. This is what I have for default settings:

Code:

ignoreip = 127.0.0.1/8 192.168.127.0/24
bantime  = 7200                    ;ban for 2 hours
findtime = 3600                    ;time window for maxretry 1 hour
maxretry = 5                        ;number failures to trigger ban
backend = auto
usedns = warn

Each of the sections that follow the [DEFAULT] section has an "enabled = false" statement that makes it inactive. For any jail you want to activate, change it to "enabled = true". Then change any other settings in each enabled section to meet your needs. I mainly changed bantime and/or findtime and/or maxretry, and also generally either changed or added an email notification.

By way of example, here is what I enabled and modified. The rest either didn't apply to me, or I didn't understand what it was for. :-)

Code:

[ssh-iptables]
enabled  = true
filter  = sshd
action  = iptables[name=SSH, port=ssh, protocol=tcp]
          sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@localhost]
logpath  = /var/log/messages
bantime  = -1                      ;-1 means ban permanently
findtime = 10800                    ;time window for maxretry 3 hours
maxretry = 3                        ;number failures to trigger ban

[vsftpd-iptables]
enabled  = true
filter  = vsftpd
action  = iptables[name=VSFTPD, port=ftp, protocol=tcp]
          sendmail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 1800

[apache-badbots]
enabled  = true
filter  = apache-badbots
action  = iptables-multiport[name=BadBots, port="http,https"]
          sendmail-buffered[name=BadBots, lines=5, dest=root@localhost]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

[recidive]
enabled  = true
filter  = recidive
logpath  = /var/log/fail2ban.log
action  = iptables-allports[name=recidive]
          sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
#bantime  = 604800  ; 1 week
bantime  = 1209600  ; 2 weeks
findtime = 86400  ; 1 day
maxretry = 3

If you still have problems, please post the specific messages you get or explain more thoroughly what is going on.
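To tie together the jail.local knobs explained above (ignoreip, findtime, maxretry and bantime, with -1 meaning a permanent ban) and the persistent ban file Z038 describes earlier in the thread, here is an added, self-contained Python miniature of a log-parsing jail. It is not fail2ban's code: the sshd failure regex is a simplified stand-in for the sshd filter, the /var/log/messages excerpt is constructed from documentation and private address ranges, the year assumed for the syslog timestamps is 2013, and the firewall action is a callback rather than an iptables call, so it runs unprivileged. The knobs default to the [ssh-iptables] values shown above.

```python
"""A miniature fail2ban-style jail: parse sshd failures out of a log, apply the
jail.local knobs (ignoreip, findtime, maxretry, bantime) and persist bans so a
startup action can recreate them. Added example, not fail2ban's code: the regex
is a simplified stand-in for the sshd filter and the log lines are constructed."""
import ipaddress, json, re
from collections import defaultdict, deque
from datetime import datetime

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed /var/log/messages excerpt (documentation/private ranges only).
SAMPLE_LOG = """\
Jun 25 02:14:01 ftp sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 25 02:14:05 ftp sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 25 02:14:09 ftp sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jun 25 02:14:12 ftp sshd[2102]: Failed password for root from 192.168.127.20 port 40111 ssh2
Jun 25 02:14:13 ftp sshd[2102]: Failed password for root from 192.168.127.20 port 40112 ssh2
Jun 25 02:14:14 ftp sshd[2102]: Failed password for root from 192.168.127.20 port 40113 ssh2
Jun 25 05:30:00 ftp sshd[2300]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jun 25 09:00:00 ftp sshd[2400]: Failed password for root from 198.51.100.9 port 33002 ssh2
Jun 25 09:00:01 ftp sshd[2400]: Failed password for root from 198.51.100.9 port 33003 ssh2
"""

# Knobs taken from the [ssh-iptables] jail in this thread (bantime -1 = permanent).
SSH_JAIL = dict(ignoreip="127.0.0.1/8 192.168.127.0/24", findtime=10800, maxretry=3, bantime=-1)

def syslog_seconds(ts, year=2013):
    """Syslog stamps carry no year; assume 2013 (the thread's date) and return
    seconds since the start of that year."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)
    return (dt - datetime(year, 1, 1)).total_seconds()

class Jail:
    def __init__(self, ignoreip, findtime, maxretry, bantime, action):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.action = action                 # stands in for the iptables ban action
        self.failures = defaultdict(deque)   # ip -> failure times still inside findtime
        self.banned = {}                     # ip -> expiry seconds, None for permanent

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP it caused to be banned, else None."""
        m = SSHD_FAIL.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), syslog_seconds(m.group("ts"))
        self.unban_expired(now)
        if self.ignored(ip) or ip in self.banned:
            return None
        window = self.failures[ip]
        window.append(now)
        while window[0] < now - self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.banned[ip] = None if self.bantime < 0 else now + self.bantime
        window.clear()
        self.action(ip)
        return ip

    def unban_expired(self, now):
        for ip, expiry in list(self.banned.items()):
            if expiry is not None and expiry <= now:
                del self.banned[ip]

    # Z038's idea: the ban action saves bans, the startup action replays them.
    def dump_bans(self):
        return json.dumps(sorted(self.banned.items()))

    def restore_bans(self, blob, now):
        restored = 0
        for ip, expiry in json.loads(blob):
            if expiry is not None and expiry <= now:
                continue                     # expired while the service was down
            self.banned[ip] = expiry
            self.action(ip)                  # recreate the firewall rule
            restored += 1
        return restored

def run_jail(log_text, **overrides):
    """Feed every line to a jail built from SSH_JAIL plus overrides; return the
    jail and the bans in the order they fired."""
    bans = []
    jail = Jail(action=bans.append, **{**SSH_JAIL, **overrides})
    for line in log_text.splitlines():
        jail.feed(line)
    return jail, bans

if __name__ == "__main__":
    jail, bans = run_jail(SAMPLE_LOG)
    print("banned:", bans, "persisted:", jail.dump_bans())
```

With the thread's settings only 203.0.113.7 is banned: 192.168.127.20 fails three times too but sits inside ignoreip, and 198.51.100.9 never has three failures inside one findtime window of 3 hours (widen findtime to 4 hours and it is banned as well, which is the knob's whole effect). The dump/restore pair is the shape of Z038's ban and startup actions: whatever writes the file at ban time, the startup side must re-run the firewall action for each saved entry and skip bans whose bantime has already elapsed.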

