Fail2Ban or Similar build for slackware 14-Current
Looking around for some more info on Fail2Ban for Slackware 14-Current.
Saw that it was available for Slackware 13.1 but don't know how well that will work with 14.
It doesn't need to be that program, but I'm looking for something similar to run that will automatically ban IPs that fail to authenticate after 3 times.
Have some nightly activity from different sources trying to brute force my password for root.
I have been manually adding them to iptables to block them, but that is very time consuming and retroactive.
Any tips and links would be much appreciated.
A little search got me this:
Guess you should read up here
There exists a SlackBuild for fail2ban: http://slackbuilds.org/repository/14...work/fail2ban/
It compiles on Slackware -current, but I have not tested to run it.
By the way, there is no such thing as Slackware 14-current, you run either 14 or -current, but not both.
First of all, a pure iptables "solution" will operate at the packet level and will not be checking for "IP's that fails to
authenticate after 3 times." That occurs at the application layer and requires an application layer solution (see list at end).
What we can check for at the packet level is incoming new connections in rapid succession to port 22 from the same IP. We
can then assume this behavior represents an attack.
The ruleset shown in post #2 is one approach to solving this. It specifies a window of time (in the above example that is one
minute) in which connection attempt number five and above get dropped.
I argue this is inadequate because the IP gains access once again after enough time passes. In other words, in that example, if the
attacker waits one minute since his last blocked attempt, the effective hit count is 0 and the attacker gets 4 more attempts before
a new block. Rinse & repeat.
My ruleset below uses a two-tier framework to establish a permanent blacklist (until rules are flushed).
As opposed to the example in post #2, this blocks attempt number four and above (not five and above). Do note I have two different
objects which share the name BLACK: 1) a blacklist of IPs, and 2) a user-defined chain. They're different.
Application level solutions generally rely on parsing log output. Some you can check out: fail2ban (already mentioned), blackssh,
recidive jail looks at previous fail2ban logs and blocks repeat offenders for longer time. Works quite nicely.
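The window-versus-blacklist argument made above, as an added simulation that is not part of any post in the thread. Neither ruleset survives on this page, so both functions are assumed models built only from the descriptions (a one-minute window dropping attempt five and above, and a blacklist triggered at attempt four); the traffic is constructed.

```python
from collections import defaultdict

WINDOW = 60  # seconds: the one-minute window described in the thread

def _hits_in_window(history, now, window):
    """Count recorded connections from one IP that fall inside the window."""
    return sum(1 for t in history if now - t < window)

def window_only(attempts, hitcount=5, window=WINDOW):
    """Assumed model of the post #2 rules: every new connection is recorded,
    and it is dropped if it is the hitcount-th (or later) inside the window."""
    history, accepted = defaultdict(list), defaultdict(int)
    for now, ip in attempts:
        history[ip].append(now)
        if _hits_in_window(history[ip], now, window) < hitcount:
            accepted[ip] += 1
    return dict(accepted)

def two_tier(attempts, hitcount=4, window=WINDOW):
    """Assumed model of the blacklist rules: the hitcount-th connection inside
    the window moves the IP to a blacklist that lasts until it is flushed."""
    history, accepted, black = defaultdict(list), defaultdict(int), set()
    for now, ip in attempts:
        if ip in black:
            continue  # blacklisted sources are dropped without further checks
        history[ip].append(now)
        if _hits_in_window(history[ip], now, window) >= hitcount:
            black.add(ip)
        else:
            accepted[ip] += 1
    return dict(accepted), black

# Constructed traffic (documentation addresses): one source sends three bursts
# of ten connections, pausing 61 s after each burst; another connects twice.
NOISY, QUIET = "203.0.113.9", "198.51.100.7"
ATTEMPTS = sorted(
    [(burst * 70 + i, NOISY) for burst in range(3) for i in range(10)]
    + [(5, QUIET), (100, QUIET)]
)

if __name__ == "__main__":
    print("window only:", window_only(ATTEMPTS))
    print("two tier   :", two_tier(ATTEMPTS))
```

With the window alone the noisy source gets four accepted connections in every burst; with the blacklist it gets three in total, and the quiet source is unaffected in both cases.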
I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.
In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.
It would be highly appreciated. I tried to install Fail2Ban from slackbuilds.org and it worked fine until I rebooted the server, and now I get error messages when trying to start it.
Below is the error message
Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 426, in <module>
File "/usr/bin/fail2ban-client", line 395, in start
File "/usr/bin/fail2ban-client", line 184, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 399, in __readConfig
File "/usr/share/fail2ban/client/configurator.py", line 62, in readAll
File "/usr/share/fail2ban/client/jailsreader.py", line 49, in read
return ConfigReader.read(self, "jail")
File "/usr/share/fail2ban/client/configreader.py", line 70, in read
config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
File "/usr/lib64/python2.7/ConfigParser.py", line 305, in read
File "/usr/lib64/python2.7/ConfigParser.py", line 512, in _read
raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'
Not a super user on Slackware, so I might have done something wrong when installing it, but I made the slackinstall using doinst and chown +x and ran it and then used pkgtool to install the package and it worked fine. After rebooting the server I get the above message.
Any help will be awesome.
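The traceback above stops at /etc/fail2ban/jail.conf, line 12, where `enabled = true` appears before any `[section]` header. As an added example (not part of any post in the thread), this Python 3 check raises the same `MissingSectionHeaderError` on a constructed sample and reports the offending line; the file contents and the `check_jail_config` name are assumptions, and the thread's fail2ban used Python 2.7's `ConfigParser` rather than Python 3's `configparser`.

```python
import configparser

# Constructed sample: the jail header was lost while editing, so the first
# non-comment line is an option with no section above it.
BROKEN = """\
# Fail2Ban jail configuration (constructed sample)
#
# the [ssh-iptables] header that belongs here is missing
enabled = true
filter = sshd
maxretry = 3
"""

# Same file with the section header restored above the first option.
FIXED = BROKEN.replace("enabled = true", "[ssh-iptables]\nenabled = true", 1)

def check_jail_config(text, source="jail.conf"):
    """Parse jail configuration text the way an INI reader does.

    Returns the line number and content of the first option that has no
    section header, or the list of jails with enabled = true if it parses.
    """
    # strict=False tolerates repeated sections, which override files rely on.
    parser = configparser.RawConfigParser(strict=False)
    try:
        parser.read_string(text, source=source)
    except configparser.MissingSectionHeaderError as err:
        return {"ok": False, "lineno": err.lineno, "line": err.line.strip()}
    enabled = [
        name for name in parser.sections()
        if parser.get(name, "enabled", fallback="false").strip().lower() == "true"
    ]
    return {"ok": True, "enabled": enabled}

if __name__ == "__main__":
    print(check_jail_config(BROKEN))
    print(check_jail_config(FIXED))
```

Running the same function over the text of the real jail.conf and jail.local before starting fail2ban points at the exact line that needs a `[jailname]` header above it.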
The standard method to install a SlackBuild package is to download the SlackBuild tar file to your build location (I set up a new folder for each package), and unarchive it. Then go into the subdirectory that tar creates, where the fail2ban.SlackBuild file is, and download or wget the program source tar file into that directory. chmod the SlackBuild script to make it executable, then "su -" so you get the proper interactive login paths and umask for root. Then execute the SlackBuild script as root. Once the package is built, use installpkg or upgradepkg --install-new to install it. You also do this as root.
Then for this particular package, you need to read the README.SBo and follow the instructions in there too.
Why don't you try re-installing as described, and see if you still get those errors.
OK, made the package and all that good stuff.
Used installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
Get this feedback from it:
installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
Cannot install --install-new: file not found
Verifying package fail2ban-0.8.9-noarch-1_SBo.tgz.
Installing package fail2ban-0.8.9-noarch-1_SBo.tgz:
# Fail2Ban (bans IP that makes too many password failures)
# Fail2Ban scans log files like /var/log/pwdfail and bans IP
# that makes too many password failures. It updates firewall
# rules to reject the IP address. These rules can be defined by
# the user. Fail2Ban can read multiple log files such as sshd,
# Apache web server, postfix and others.
# Home Page: http://www.fail2ban.org/wiki/index.php/Main_Page
Executing install script for fail2ban-0.8.9-noarch-1_SBo.tgz.
Package fail2ban-0.8.9-noarch-1_SBo.tgz installed.
I check to see if it's there:
slackpkg search fail2ban
Looking for fail2ban in package list. Please wait... DONE
No package name matches the pattern.
root@ftp:/tmp# slackpkg search fail2ban*
Looking for fail2ban-0.8.9-noarch-1_SBo.tgz in package list. Please wait... DONE
No package name matches the pattern.
I then try the upgradepkg and get this.
upgradepkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
| Skipping package fail2ban-0.8.9-noarch-1_SBo (already installed)
I am obviously doing something wrong here but don't know what it is.
Again, any help is highly appreciated.
It's working, but as soon as I try to enable ssh-iptables it goes nuts.
I guess I will just try to set ssh-iptables = true and see what happens from there.
Wish I knew more about this, but learning it all as I go.
I appreciate all the help and will give kudos on the help I have been given.
Your problems start with a misreading of Z038's instructions in post #10. The commands
Make a copy of jail.conf and call it jail.local. Set some reasonable defaults in the [DEFAULT] section, and add your own network onto the ignoreip statement if you want to exempt systems on your local network from being banned. This is entirely subjective, but I thought that the fail2ban defaults for bantime, findtime, and maxretry were too lenient, so I beefed them up. This is what I have for default settings:
By way of example, here is what I enabled and modified. The rest either didn't apply to me, or I didn't understand what it was for. :-)