fail2ban and persistence
Posted 02-19-2014 at 05:04 PM by Habitual
Updated 03-19-2014 at 10:53 AM by Habitual (rewrite for clarity and ease-of-use)
Updated 03-19-2014 at 10:53 AM by Habitual (rewrite for clarity and ease-of-use)
Wed Feb 19, 2014 - 6:03:59 PM EST
I recently went toe-to-toe with Fail2ban version: 0.8.6-3 on an Ubuntu host.
Task: Stop intrusions into our host for w00tw00t and other stuff.
Preface: Create a copy of /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and make all your desired changes in /etc/fail2ban/jail.local
Create and edit an /etc/fail2ban/filter.d/w00tw00t.conf file with this content:
"docroot" is the site's DocumentRoot that we wish to protect.
"badamin" are the strings of the attack vectors that we wish to scan the log(s) for.
"failregex" is the Regular Expression mechanism used to search the log(s).
"ignoreregex" would be a Regular Expression mechanism to exclude patterns from the search of the log(s).
You should test this using
where the best indicator that our failregex is correct would be:
Any errors will be made apparent when you run fail2ban-regex if the failregex is incorrect.
You can even run it against old(er) logs to get a general feel for historical hits against the server using
Now, let's prepare some files to save our suspect IPs in:
our /etc/fail2ban/jail.local has this w00tw00t stanza:
/etc/fail2ban/filter.d/w00tw00t.conf is our "filter = " filtering directive in the above stanza and we have already discussed and tested it.
/etc/fail2ban/action.d/w00tw00t.conf is our "action =" action directive and has this content:
at this point, I would save any iptables to a file manually, and I usually use /root/safe.rules, so let's issue a
and do that now, because when we reload the fail2ban our existing stuff goes bye-bye the first time.
So let's check it using
and you should see this output:
I install chkconfig on our server because it is easy to use.
I force fail2ban on runlevels [234] by issuing
for runlevels [234] (should do this auto-magically for these levels)
I had to populate /etc/fail2ban/blacklists/bad.w00tw00t manually using some grep'ing on the logs, or you could just collect IPs using
and load them up into your iptables rules after you issue
(this should 'start' the fail2ban-w00tw00t "jail" we just set in /etc/fail2ban/jail.local)
I used
Then issue an
It takes some maneuvering to get it just right, but it completely worth it
References:
http://zach.seifts.us/posts/2013/07/...ans-persistent
http://www.foosel.org/blog/2008/04/b...using_fail2ban
http://linuxaria.com/howto/fail2ban-...ttacks?lang=en
http://www.tecmint.com/install-fail2...centos-fedora/
http://www.looke.ch/wp/list-based-pe...-with-fail2ban
and your favorite search engine.
Enjoy the Goodness!
I had to re-do this also for fail2ban 0.8.12
and apparently, I can skip the
and use
for permanence. I wouldn't need iptables-restore /root/safe.rules in /etc/rc.local.
Less coding!
Enjoy the Goodness.
I recently went toe-to-toe with Fail2ban version: 0.8.6-3 on an Ubuntu host.
Task: Stop intrusions into our host for w00tw00t and other stuff.
Preface: Create a copy of /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and make all your desired changes in /etc/fail2ban/jail.local
Create and edit an /etc/fail2ban/filter.d/w00tw00t.conf file with this content:
Code:
[Definition] docroot = /var/www/html badadmin = phpTest|PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|w00tw00t|zmeu|HNAP1 failregex = ^<HOST> .*"GET \/(?:%(badadmin)s).*?" ignoreregex =
"badamin" are the strings of the attack vectors that we wish to scan the log(s) for.
"failregex" is the Regular Expression mechanism used to search the log(s).
"ignoreregex" would be a Regular Expression mechanism to exclude patterns from the search of the log(s).
You should test this using
Code:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/w00tw00t.conf
Code:
Summary ======= Addresses found: [1] 122.84.72.142 (Sun Feb 23 15:53:30 2014) 221.237.234.249 (Sun Feb 23 17:43:19 2014) 64.77.192.153 (Mon Feb 24 10:07:26 2014) 50.63.178.49 (Mon Feb 24 14:49:31 2014) 67.242.160.98 (Tue Feb 25 03:43:34 2014) 90.157.148.147 (Tue Feb 25 05:45:47 2014) 50.63.178.49 (Tue Feb 25 15:10:42 2014) 91.200.13.64 (Wed Feb 26 04:02:22 2014) 90.157.148.147 (Wed Feb 26 09:13:00 2014) ... Success, the total number of match is 9
You can even run it against old(er) logs to get a general feel for historical hits against the server using
Code:
fail2ban-regex /var/log/apache2/access.log.1 /etc/fail2ban/filter.d/w00tw00t.conf
Code:
mkdir /etc/fail2ban/blacklists touch /etc/fail2ban/blacklists/bad.w00tw00t
Code:
# Added on 02/26/2014 09:43:18 AM EST to prevent vuln scans [w00tw00t] # /etc/fail2ban/filter.d/w00tw00t.conf # /etc/fail2ban/action.d/w00tw00t.conf enabled = true filter = w00tw00t action = w00tw00t[name=w00tw00t, port="http,https"] sendmail-buffered[name=w00tw00t, lines=5, dest=root] logpath = /var/log/apache2/access.log* backend = polling findtime = 60 ; 1 minute - could be moot since maxtry is 1 bantime = 31556926 ; 1 year in seconds maxretry = 1 ignoreip = <ip1> <ip2> <etc>
/etc/fail2ban/action.d/w00tw00t.conf is our "action =" action directive and has this content:
Code:
[Definition] actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> uniq /etc/fail2ban/blacklists/bad.w00tw00t | while read IP; do iptables -I fail2ban-w00tw00t 1 -s $IP -j DROP; done /sbin/iptables-save > /root/safe.rules actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> /sbin/iptables-save > /root/safe.rules actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP echo <ip> >> /etc/fail2ban/blacklists/bad.w00tw00t /sbin/iptables-save > /root/safe.rules actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP [Init] # Defaut name of the chain name = default port = http protocol = tcp chain = INPUT
Code:
/sbin/iptables-save > /root/safe.rules
So let's check it using
Code:
iptables -L fail2ban-w00tw00t -n
Code:
target prot opt source destination DROP all -- 90.157.148.147 0.0.0.0/0 RETURN all -- 0.0.0.0/0 0.0.0.0/0 DROP all -- 90.157.148.147 0.0.0.0/0 DROP all -- 50.63.178.49 0.0.0.0/0 DROP all -- 90.157.148.147 0.0.0.0/0 DROP all -- 5.200.12.69 0.0.0.0/0 DROP all -- 5.255.253.16 0.0.0.0/0
I force fail2ban on runlevels [234] by issuing
Code:
chkconfig fail2ban on
I had to populate /etc/fail2ban/blacklists/bad.w00tw00t manually using some grep'ing on the logs, or you could just collect IPs using
Code:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/w00tw00t.conf
Code:
fail2ban-client reload
I used
Code:
cat /etc/fail2ban/blacklists/bad.w00tw00t | while read IP; do iptables -I fail2ban-w00tw00t 1 -s $IP -j DROP; done
Code:
iptables-save > /path/to/safe.rules
References:
http://zach.seifts.us/posts/2013/07/...ans-persistent
http://www.foosel.org/blog/2008/04/b...using_fail2ban
http://linuxaria.com/howto/fail2ban-...ttacks?lang=en
http://www.tecmint.com/install-fail2...centos-fedora/
http://www.looke.ch/wp/list-based-pe...-with-fail2ban
and your favorite search engine.
Enjoy the Goodness!
I had to re-do this also for fail2ban 0.8.12
and apparently, I can skip the
Code:
/sbin/iptables-save > /root/safe.rules
Code:
/sbin/service iptables save
Less coding!
Enjoy the Goodness.
Total Comments 0