Old 06-24-2013, 09:45 AM   #1
cooholio
LQ Newbie
 
Registered: Nov 2011
Location: Wabash, IN
Distribution: Slackware Current
Posts: 22

Rep: Reputation: Disabled
Fail2Ban or Similar build for slackware 14-Current


Looking around for some more info on Fail2Ban for Slackware 14-Current.

Saw that it was available for Slackware 13.1 but don't know how well that will work with 14.

It doesn't need to be that program, but I'm looking for something similar to run that will automatically ban IPs that fail to authenticate after 3 times.

Have some nightly activity from different sources trying to brute force my password for root.

I have been manually adding them to the iptables to block them, but that is very time consuming and retroactive.

Any tips and links would be much appreciated.

/Joakim
 
Old 06-24-2013, 10:44 AM   #2
JackHair
Member
 
Registered: Aug 2009
Location: Netherlands
Distribution: OpenSuse 13.1
Posts: 80

Rep: Reputation: 16
A little search got me this:
Code:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Or you can try Ossec. http://www.ossec.net/

Source:
http://serverfault.com/questions/419...o-many-hits-on
Guess you should read up here
 
Old 06-24-2013, 12:05 PM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,619
Blog Entries: 2

Rep: Reputation: 4076
There exists a SlackBuild for fail2ban: http://slackbuilds.org/repository/14...work/fail2ban/
It compiles on Slackware -current, but I have not tested to run it.

By the way, there is no such thing as Slackware 14-current, you run either 14 or -current, but not both.
 
1 members found this post helpful.
Old 06-24-2013, 03:48 PM   #4
mancha
Member
 
Registered: Aug 2012
Posts: 357

Rep: Reputation: Disabled
First of all, a pure iptables "solution" will operate at the packet level and will not be checking for "IP's that fails to authenticate after 3 times." That occurs at the application layer and requires an application layer solution (see list at end).

What we can check for at the packet level is incoming new connections in rapid succession to port 22 from the same IP. We can then assume this behavior represents an attack.

The ruleset shown in post #2 is one approach to solving this. It specifies a window of time (in the above example that is one minute) in which connection attempt number five and above get dropped.

I argue this is inadequate because the IP gains access once again after enough time passes. In other words, in that example, if the attacker waits one minute since his last blocked attempt, the effective hit count is 0 and the attacker gets 4 more attempts before a new block. Rinse & repeat.

My ruleset below uses a two-tier framework to establish a permanent blacklist (until rules are flushed).

Code:
iptables -N BLACK
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name BLACK --rcheck -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 30 --hitcount 4 --rttl -j BLACK
iptables -A BLACK -m recent --set --name BLACK -j DROP
The logic is very simple: IPs that try to connect to port 22 four times in 30 seconds get blacklisted permanently (until rules are flushed). As opposed to the example in post #2, this blocks attempt number four and above (not five and above). Do note I have two different objects which share the name BLACK: 1) a blacklist of IPs, and 2) a user-defined chain. They're different.

Application level solutions generally rely on parsing log output. Some you can check out: fail2ban (already mentioned), blackssh, and DenyHosts.

--mancha
 
3 members found this post helpful.
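The difference between the rate-limit ruleset in post #2 and the two-tier blacklist in post #4 comes down to how the `recent` match counts hits inside its time window. The following Python model is an added example, not code from this thread or from the iptables project: it replays one connection timeline through a small simulation of the `recent` list (`--set`, `--rcheck`, `--update`) so the two verdict sequences can be compared. Assumptions: the post #2 rules are evaluated in the order `-I` leaves them (the `--update` rule first, then `--set`), `--rttl` is ignored, the per-address timestamp list is unbounded (the kernel keeps a fixed number of entries), and the IP address and timestamps are constructed.

```python
"""Model of the iptables `recent` match as used in posts #2 and #4.

Added example (not code from the thread). Each "ruleset" is a Python callable
standing in for the INPUT chain; it returns the verdict for one NEW
connection from `ip` arriving at time `now` (seconds).
"""


class RecentList:
    """One named `recent` list: address -> list of hit timestamps (seconds)."""

    def __init__(self):
        self.hits = {}

    def set(self, ip, now):
        # --set: record a hit for ip at time `now`
        self.hits.setdefault(ip, []).append(now)

    def rcheck(self, ip, now, seconds=None, hitcount=1):
        # --rcheck: does ip have >= hitcount hits within the last `seconds`?
        # With no --seconds, every recorded hit counts (this is how the
        # BLACK list in post #4 stays effective until the rules are flushed).
        ts = self.hits.get(ip, [])
        if seconds is not None:
            ts = [t for t in ts if now - t <= seconds]
        return len(ts) >= hitcount

    def update(self, ip, now, seconds=None, hitcount=1):
        # --update: like --rcheck, but a match also records this hit, so a
        # blocked attempt extends the window (the "waits one minute since
        # his last blocked attempt" point made above).
        if self.rcheck(ip, now, seconds, hitcount):
            self.hits.setdefault(ip, []).append(now)
            return True
        return False


def post2_ruleset():
    """Post #2: both rules were inserted with -I, so --update is checked first."""
    lst = RecentList()

    def rule(ip, now):
        # rule 1: drop if the address already has >= 4 hits in the last 60 s
        if lst.update(ip, now, seconds=60, hitcount=4):
            return "DROP"
        # rule 2: otherwise record this new connection
        lst.set(ip, now)
        return "ACCEPT"

    return rule


def post4_ruleset():
    """Post #4: two-tier permanent blacklist (4 hits within 30 s)."""
    ssh, black = RecentList(), RecentList()

    def rule(ip, now):
        # rule 1: anything already on the BLACK list is dropped, no window
        if black.rcheck(ip, now):
            return "DROP"
        # rule 2: record this attempt on the SSH list
        ssh.set(ip, now)
        # rule 3: 4 hits in 30 s -> jump to chain BLACK, which --sets list BLACK and drops
        if ssh.update(ip, now, seconds=30, hitcount=4):
            black.set(ip, now)
            return "DROP"
        return "ACCEPT"

    return rule


def run(rule, timeline):
    """Apply a ruleset to (ip, time) events; returns the list of verdicts."""
    return [rule(ip, t) for ip, t in timeline]


# Constructed timeline: one source makes 5 quick attempts, then waits past
# the 60 s window of post #2 and tries 5 more.
TIMELINE = [("198.51.100.7", t) for t in (0, 1, 2, 3, 4, 70, 71, 72, 73, 74)]

if __name__ == "__main__":
    for name, factory in (("post #2", post2_ruleset), ("post #4", post4_ruleset)):
        print(name, run(factory(), TIMELINE))
```

Running it shows the post #2 rules dropping attempt five and then handing out four fresh attempts after the wait, while the post #4 rules drop attempt four and everything after it from that address; a second, unrelated address is unaffected by either.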
Old 06-24-2013, 07:26 PM   #5
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,486

Rep: Reputation: 856
Quote:
Have some nightly activity from different sources trying to brute force my password for root.
I suggest you review your need to allow root access with only password protection. Slowing brute force attempts will not stop them. http://www.linuxquestions.org/questi...tempts-340366/
 
Old 06-24-2013, 10:15 PM   #6
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 14.1
Posts: 1,141

Rep: Reputation: 55
Quote:
Originally Posted by cooholio View Post
Looking around for some more info on Fail2Ban for Slackware 14-Current.
I am the SBo maintainer of fail2ban. I've been running fail2ban on my personal server with -current for a while now and no issues to report. Fail2ban has had quite some changes recently and I would recommend you also look into the recidive jail in addition to other traditional jails.

recidive jail looks at previous fail2ban logs and blocks repeat offenders for longer time. Works quite nicely.

Last edited by tuxrules; 06-24-2013 at 10:17 PM.
 
1 members found this post helpful.
Old 06-25-2013, 12:18 AM   #7
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Rep: Reputation: 157
I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.

In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.

Last edited by Z038; 06-25-2013 at 12:22 AM.
 
Old 06-25-2013, 04:18 PM   #8
cooholio
LQ Newbie
 
Registered: Nov 2011
Location: Wabash, IN
Distribution: Slackware Current
Posts: 22

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Z038 View Post
I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.

In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.
Is this something you would like to share with me?

It would be highly appreciated. I tried to install Fail2Ban from slackbuilds.org and it worked fine until I rebooted the server; now I get error messages when trying to start it.

Below is the error message

Code:
/etc/rc.d/rc.fail2ban start
Starting fail2ban:
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 426, in <module>
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 395, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 184, in __processCommand
    ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 399, in __readConfig
    self.__configurator.readAll()
  File "/usr/share/fail2ban/client/configurator.py", line 62, in readAll
    self.__jails.read()
  File "/usr/share/fail2ban/client/jailsreader.py", line 49, in read
    return ConfigReader.read(self, "jail")
  File "/usr/share/fail2ban/client/configreader.py", line 70, in read
    config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
  File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
  File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
    parser.read(resource)
  File "/usr/lib64/python2.7/ConfigParser.py", line 305, in read
    self._read(fp, filename)
  File "/usr/lib64/python2.7/ConfigParser.py", line 512, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'


Not a super user on Slackware, so I might have done something wrong when installing it, but I made the slackinstall using doinst and chown +x and ran it, and then used pkgtool to install the package and it worked fine. After rebooting the server I get the above message.

Any help will be awesome.

/Joakim
 
Old 06-25-2013, 05:32 PM   #9
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,484

Rep: Reputation: 906
Quote:
Originally Posted by cooholio View Post
Code:
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'
I don't use fail2ban, but reading the error seems like you are having a problem with a config file (maybe something happened when you edited it): maybe using the stock one ( /etc/fail2ban/jail.conf ) could help.
 
Old 06-25-2013, 07:53 PM   #10
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Rep: Reputation: 157
Quote:
Originally Posted by cooholio View Post
Not a super user on Slackware, so I might have done something wrong when installing it, but I made the slackinstall using doinst and chown +x and ran it, and then used pkgtool to install the package and it worked fine. After rebooting the server I get the above message.
It sounds as if you didn't do a standard SlackBuild install.

The standard method to install a SlackBuild package is to download the SlackBuild tar file to your build location (I set up a new folder for each package), and unarchive it. Then go into the subdirectory that tar creates, where the fail2ban.SlackBuild file is, and download or wget the program source tar file into that directory. chmod the SlackBuild script to make it executable, then "su -" so you get the proper interactive login paths and umask for root. Then execute the SlackBuild script as root. Once the package is built, use installpkg or upgradepkg --install-new to install it. You also do this as root.

Then for this particular package, you need to read the README.SBo and follow the instructions in there too.

Why don't you try re-installing as described, and see if you still get those errors.
 
1 members found this post helpful.
Old 06-26-2013, 11:15 AM   #11
cooholio
LQ Newbie
 
Registered: Nov 2011
Location: Wabash, IN
Distribution: Slackware Current
Posts: 22

Original Poster
Rep: Reputation: Disabled
OK, made the package and all that good stuff.

used installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

Get this feedback from it :

installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
Cannot install --install-new: file not found
Verifying package fail2ban-0.8.9-noarch-1_SBo.tgz.
Installing package fail2ban-0.8.9-noarch-1_SBo.tgz:
PACKAGE DESCRIPTION:
# Fail2Ban (bans IP that makes too many password failures)
#
# Fail2Ban scans log files like /var/log/pwdfail and bans IP
# that makes too many password failures. It updates firewall
# rules to reject the IP address. These rules can be defined by
# the user. Fail2Ban can read multiple log files such as sshd,
# Apache web server, postfix and others.
#
# Home Page: http://www.fail2ban.org/wiki/index.php/Main_Page
#
Executing install script for fail2ban-0.8.9-noarch-1_SBo.tgz.
Package fail2ban-0.8.9-noarch-1_SBo.tgz installed.

I check to see if its there:

slackpkg search fail2ban

Looking for fail2ban in package list. Please wait... DONE

No package name matches the pattern.

root@ftp:/tmp# slackpkg search fail2ban*

Looking for fail2ban-0.8.9-noarch-1_SBo.tgz in package list. Please wait... DONE

No package name matches the pattern.

I then try the upgradepkg and get this.

upgradepkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

+==============================================================================
| Skipping package fail2ban-0.8.9-noarch-1_SBo (already installed)
+==============================================================================

I am obviously doing something wrong here but don't know what it is.

Again, any help is highly appreciated.

/Joakim
 
Old 06-26-2013, 11:25 AM   #12
cooholio
LQ Newbie
 
Registered: Nov 2011
Location: Wabash, IN
Distribution: Slackware Current
Posts: 22

Original Poster
Rep: Reputation: Disabled
Update...

It's working, but as soon as I try to enable the ssh-iptables it goes nuts.

I guess I will just try to set ssh-iptables = true and see what happens from there.

Wish I knew more about this, but I'm learning it all as I go.

I appreciate all the help and will give kudos for the help I have been given.

/Joakim
 
Old 06-26-2013, 11:45 AM   #13
TSquaredF
Member
 
Registered: Dec 2005
Location: "The South Coast of Texas"
Distribution: Slackware64-current
Posts: 490
Blog Entries: 1

Rep: Reputation: 55
Your problems start with a misreading of Z038's instructions in post #10. The commands
Code:
installpkg
&
Code:
upgradepkg --install-new
are identical if a package has NOT been installed. So, what
Code:
installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
was trying to do was install two packages, one named "--install-new", the other "fail2ban-0.8.9-noarch-1_SBo.tgz". It, obviously, failed to install the first; but did install the second. All good. Your problem with the pkgtool command is that it only works with Slackware packages, so not with SBo packages. Check the "search" definition in "man slackpkg". You do have fail2ban installed, as evidenced by the failure of upgradepkg. You can find it with
Code:
which fail2ban
Edit: Your last post came in while I was still writing.
Quote:
It's working, but as soon as I try to enable the ssh-iptables it goes nuts.
is not very helpful as far as being able to determine what is wrong. If you really want help, give a much better description of what is happening, including error messages, etc.

Regards,
Bill

Last edited by TSquaredF; 06-26-2013 at 11:50 AM.
 
Old 06-26-2013, 06:24 PM   #14
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Rep: Reputation: 157
Quote:
Originally Posted by cooholio View Post
It's working, but as soon as I try to enable the ssh-iptables it goes nuts.
You shouldn't need to modify fail2ban.conf, but if you do, copy it as fail2ban.local and modify it instead of the original. Fail2ban treats everything in a "local" file as an override to the corresponding "conf" file.

Make a copy of jail.conf and call it jail.local. Set some reasonable defaults in the [DEFAULT] section, and add your own network onto the ignoreip statement if you want to exempt systems on your local network from being banned. This is entirely subjective, but I thought that the fail2ban defaults for bantime, findtime, and maxretry were too lenient, so I beefed them up. This is what I have for default settings:

Code:
ignoreip = 127.0.0.1/8 192.168.127.0/24
bantime  = 7200                     ;ban for 2 hours
findtime = 3600                     ;time window for maxretry 1 hour 
maxretry = 5                        ;number failures to trigger ban
backend = auto
usedns = warn
Each of the sections that follow the [DEFAULT] section have an "enabled = false" statement that makes them inactive. For any jail you want to activate, change it to "enabled = true". Then change any other settings in each enabled section to meet your needs. I mainly changed bantime and/or findtime and/or maxretry, and also generally either changed or added an email notification.

By way of example, here is what I enabled and modified. The rest either didn't apply to me, or I didn't understand what it was for. :-)

Code:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@localhost]
logpath  = /var/log/messages
bantime  = -1                       ;-1 means ban permanently
findtime = 10800                    ;time window for maxretry 3 hours
maxretry = 3                        ;number failures to trigger ban

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 1800

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=root@localhost]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
#bantime  = 604800  ; 1 week
bantime  = 1209600  ; 2 weeks
findtime = 86400   ; 1 day
maxretry = 3
If you still have problems, please post the specific messages you get or explain more thoroughly what is going on.

Last edited by Z038; 06-26-2013 at 06:32 PM.
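Two things in this thread are easy to check before restarting the service: that jail.local really overrides jail.conf key by key with [DEFAULT] inheritance (post #14), and that a jail file beginning with `enabled = true` before any section header is what produces the MissingSectionHeaderError in post #8. The loader below is an added example written for this thread, not fail2ban's own config reader. It uses the standard-library configparser; the inline-comment and interpolation settings are assumptions chosen so the settings posted above parse as written (fail2ban's `%(...)s` expansion is not modelled), and the jail.conf, jail.local and broken-file contents are constructed samples.

```python
"""Loader for fail2ban-style jail.conf / jail.local files (added example)."""
import configparser


def new_parser():
    parser = configparser.ConfigParser(
        interpolation=None,                  # assumption: no %(...)s expansion here
        inline_comment_prefixes=(";", "#"),  # allow `bantime = 7200   ;ban for 2 hours`
    )
    parser.optionxform = str                 # keep option names as written
    return parser


def load_jails(conf_text, local_text=""):
    """Read jail.conf, then jail.local on top of it; later reads win per key."""
    parser = new_parser()
    parser.read_string(conf_text, source="jail.conf")
    if local_text:
        parser.read_string(local_text, source="jail.local")
    return parser


def check_jail_file(text, source="jail.conf"):
    """Return None if the file parses, otherwise the parser's error message."""
    try:
        new_parser().read_string(text, source=source)
    except configparser.Error as exc:   # MissingSectionHeaderError is one of these
        return str(exc)
    return None


def enabled_jails(parser):
    """Names of jail sections whose effective `enabled` value is true."""
    return [s for s in parser.sections() if parser.getboolean(s, "enabled", fallback=False)]


def effective_settings(parser, jail):
    """One jail's settings after [DEFAULT] inheritance and .local overrides."""
    return dict(parser.items(jail))


# Constructed sample: stock-style jail.conf with the SSH jail switched off ...
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@localhost]
logpath  = /var/log/messages
"""

# ... and a jail.local that overrides only what it needs to.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.127.0/24
bantime  = 7200                     ;ban for 2 hours
maxretry = 5

[ssh-iptables]
enabled  = true
bantime  = -1                       ;-1 means ban permanently
"""

# Constructed reproduction of a jail file whose first setting precedes any
# [section] header, as in the post #8 traceback.
BROKEN_CONF = "enabled = true\nfilter = sshd\n"

if __name__ == "__main__":
    cfg = load_jails(JAIL_CONF, JAIL_LOCAL)
    print("enabled jails:", enabled_jails(cfg))
    print("ssh-iptables:", effective_settings(cfg, "ssh-iptables"))
    print("broken file:", check_jail_file(BROKEN_CONF))
```

With the .local applied, the SSH jail comes out enabled with `bantime = -1`, inherits `maxretry = 5` and the extended `ignoreip` from the overriding [DEFAULT], keeps `findtime = 600` from jail.conf, and the two-line `action` value is preserved as a continuation; the broken file is rejected with the same "File contains no section headers" message seen in post #8.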
 
  

