Fail2Ban or Similar build for slackware 14-Current
 

Looking around for some moreinfo on the Fail2Ban for slackware 14-Current.

Saw that it was available for Slackware 13.1 but dont know how good that will work with 14.

Dont need to be that program but looking for something similar to run that will automatically ban IP's that fails to authenticate after 3 times.

Have some nightly activity from different sources trying to brute force my password for root.

I have been manually added them to the iptables to block them but that is very time consuming and retroactive.

Any tips and links would be much appreciated.

/Joakim

A little search got me this:
Or you can try Ossec. http://www.ossec.net/

Source:
http://serverfault.com/questions/419...o-many-hits-on
Guess you should read up here

There exists a SlackBuild for fail2ban: http://slackbuilds.org/repository/14...work/fail2ban/
It compiles on Slackware -current, but I have not tested to run it.

By the way, there is no such thing as Slackware 14-current, you run either 14 or -current, but not both.

First of all, a pure iptables "solution" will operate at the packet level and will not be checking for "IP's that fails to
authenticate after 3 times." That occurs at the application layer and requires an application layer solution (see list at end).

What we can check for at the packet level is incoming new connections in rapid succession to port 22 from the same IP. We
can then assume this behavior represents an attack.

The ruleset shown in post #2 is one approach to solving this. It specifies a window of time (in the above example that is one
minute) in which connection attempt number five and above get dropped.

I argue this is inadequate because the IP gains access once again after enough time passes. In other words, in that example, if the
attacker waits one minute since his last blocked attempt, the effective hit count is 0 and the attacker gets 4 more attempts before
a new block. Rinse & repeat.

My ruleset below uses a two-tier framework to establish a permanent blacklist (until rules are flushed).

The logic is very simple: IPs that try to connect to port 22 four times in 30 seconds get blacklisted permanently (until rules are flushed).
As opposed to the example in post #2, this blocks attempt number four and above (not five and above). Do note I have two different
objects which share the name BLACK: 1) a blacklist of IPs, and 2) a user-defined chain. They're different.

Application level solutions generally rely on parsing log output. Some you can check out: fail2ban (already mentioned), blackssh,
and DenyHosts.

--mancha

I suggest you review your need to allow root access with only password protection. Slowing brute force attempts will not stop them. http://www.linuxquestions.org/questi...tempts-340366/

I am the SBo maintainer of fail2ban. I've been running fail2ban on my personal server with -current for a while now and no issues to report. Fail2ban has had quite some changes recently and I would recommend you also look into the recidive jail in addition to other traditional jails.

recidive jail looks at previous fail2ban logs and blocks repeat offenders for longer time. Works quite nicely.

I just installed fail2ban from the slackbuilds.org repository a couple of weeks ago. The build went smoothly, thank you tuxrules for the SBo package.

In the short time I've used it, I also have no issues to report. I heartily recommend fail2ban. You don't need to be an iptables wizard to use it. It's easy to configure and it's easy to extend with custom ban actions and startup actions. I added a ban action script to write a banned IP address to a file, and a startup action script to read the file during fail2ban startup and recreate the iptables rules to reject packets coming from the saved IP addresses. This gives me a permanent IP address ban that survives (is recreated) across a system reboot or a restart of fail2ban, more persistent than even the recidive jail.

Is this something you would like to share with me ?

It would be higly appreciated. I tried to install the Fail2Ban from the slackbuilds.org and worked fine untill i rebooted the server and now i get error messages when trying to start it.

Below is the error message

/etc/rc.d/rc.fail2ban start
Starting fail2ban:
Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 426, in <module>
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 395, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 184, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 399, in __readConfig
self.__configurator.readAll()
File "/usr/share/fail2ban/client/configurator.py", line 62, in readAll
self.__jails.read()
File "/usr/share/fail2ban/client/jailsreader.py", line 49, in read
return ConfigReader.read(self, "jail")
File "/usr/share/fail2ban/client/configreader.py", line 70, in read
config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
parser.read(resource)
File "/usr/lib64/python2.7/ConfigParser.py", line 305, in read
self._read(fp, filename)
File "/usr/lib64/python2.7/ConfigParser.py", line 512, in _read
raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.conf, line: 12
'enabled = true\n'


Not a super user on slackware so i might have done someting wrong when installing it but i made the slackinstall using doinst and chown +x and ran it and then used pkgtool to install the package and it worked fine. After rebooting the server i get the above message.

Any help will be awesome.

/Joakim

I don't use fail2ban, but reading the error seems like you are having a problem with a config file (maybe something happened when you edited it): maybe using the stock one ( /etc/fail2ban/jail.conf ) could help.

It sounds as if you didn't do a standard SlackBuild install.

The standard method to install a SlackBuild package is to download the SlackBuild tar file to your build location (I set up a new folder for each package), and unarchive it. Then go into the subdirectory that tar creates, where the fail2ban.SlackBuild file is, and download or wget the program source tar file into that directory. chmod the SlackBuild script to make it executable, then "su -" so you get the proper interactive login paths and umask for root. Then execute the SlackBuild script as root. Once the package is built, use installpkg or upgradepkg --install-new to install it. You also do this as root.

Then for this particular package, you need to read the README.SBo and follow the instructions in there too.

Why don't you try re-installing as described, and see if you still get those errors.

OK mad ethe package and all that good stuff.

used installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

Get this feedback from it :

installpkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz
Cannot install --install-new: file not found
Verifying package fail2ban-0.8.9-noarch-1_SBo.tgz.
Installing package fail2ban-0.8.9-noarch-1_SBo.tgz:
PACKAGE DESCRIPTION:
# Fail2Ban (bans IP that makes too many password failures)
#
# Fail2Ban scans log files like /var/log/pwdfail and bans IP
# that makes too many password failures. It updates firewall
# rules to reject the IP address. These rules can be defined by
# the user. Fail2Ban can read multiple log files such as sshd,
# Apache web server, postfix and others.
#
# Home Page: http://www.fail2ban.org/wiki/index.php/Main_Page
#
Executing install script for fail2ban-0.8.9-noarch-1_SBo.tgz.
Package fail2ban-0.8.9-noarch-1_SBo.tgz installed.

I check to see if its there:

slackpkg search fail2ban

Looking for fail2ban in package list. Please wait... DONE

No package name matches the pattern.

root@ftp:/tmp# slackpkg search fail2ban*

Looking for fail2ban-0.8.9-noarch-1_SBo.tgz in package list. Please wait... DONE

No package name matches the pattern.

I then try the upgradepkg and get this.

upgradepkg --install-new fail2ban-0.8.9-noarch-1_SBo.tgz

+==============================================================================
| Skipping package fail2ban-0.8.9-noarch-1_SBo (already installed)
+==============================================================================

I obviously are doing something wrong here but dont know what it is.

Again any help is higly appreciated.

/Joakim

Update...

Its working but as soon as i try to enable the ssh-iptables it goes nuts.

I guess i will just try to set ssh-iptables = true and see what happens from there.

Wish i knew more about this but learning it all as i go.

I appreciate all the help and will give kudos on the help i have been given.

/Joakim

Your problems start with a misreading of Z038s instructions in post #10. The commands & are identical if a package has NOT been installed. So, what was trying to do was install two packages, one named "--install-new", the other "fail2ban-0.8.9-noarch-1_SBo.tgz". It, obviously, failed to install the first; but did install the second. All good. Your problem with the pkgtool command is that it only works with Slackware packages, so not with SBo packages. Check the "search" definition in "man slackpkg". You do have fail2ban installed, as evidenced by the failure of upgradepkg. You can find it with Edit: Your last post came in while I was still writing. is not very helpful as far as being able to determine what is wrong. If you really want help, give a much better description of what is happening, including error messages, etc.

Regards,
Bill

You shouldn't need to modify fail2ban.conf, but if you do, copy it as fail2ban.local and modify it instead of the original. Fail2ban treats everything in a "local" file as an override to the corresponding "conf" file.

Make a copy of jail.conf and call it jail.local. Set some reasonable defaults in the [DEFAULT] section, and add your own network onto the ignoreip statement if you want to exempt systems on your local network from being banned. This is entirely subjective, but I thought that the fail2ban defaults for bantime, findtime, and maxretry were too lenient, so I beefed them up. This is what I have for default settings:

Each of the sections that follow the [DEFAULT] section have an "enabled = false" statement that makes them inactive. For any jail you want to activate, change it to "enabled = true". Then change any other settings in each enabled section to meet your needs. I mainly changed bantime and/or findtime and/or maxretry, and also generally either changed or added an email notification.

By way of example, here is what I enabled and modified. The rest either didn't apply to me, or I didn't understand what it was for. :-)

If you still have problems, please post the specific messages you get or explain more thoroughly what is going on.