Fail2ban

Fail2Ban scans log files like  or  and bans IP addresses that make too many password failures. It updates firewall rules or  to reject the IP address.

Requirements
Packages listed below may be needed, depending on system requirements:


 * a mailer script
 * a mailer script
 * a mailer script
 * a mailer script

Installation
Emerge iptables

Emerge python and enable the  USE flag.

Emerge fail2ban.

When using tcp-wrappers, banned IP addresses are managed in the  file.

Configuration
By default all protocols (jails) in fail2ban are disabled. The main fail2ban configuration is held in . Edit the initial DEFAULT section of  to ignore failed authentication logins from localhost and your LAN. In this example the 192.168.1.0/24 network has been used. The  and  variables are set in seconds.
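The DEFAULT settings above (ignoreip, findtime, bantime and maxretry) together decide whether a burst of failed logins turns into a ban. The following Python script is an added example, not fail2ban's own code: it replays constructed /var/log/messages lines through the same logic, using the values that appear in this article's fail2ban.log excerpt (maxRetry = 5, findtime = 600, banTime = 600) and the ignored ranges from the Configuration section. It also shows the failure mode described at the end of this article: when sshd logs a DNS name instead of an address, there is nothing a firewall rule could match. The hostname host-1.example.net and all log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the page's log excerpt and Configuration section; the code itself is
# an illustration of how a jail behaves, not fail2ban's implementation.
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.1.0/24")]
MAXRETRY = 5
FINDTIME = 600   # seconds: failures older than this no longer count
BANTIME = 600    # seconds: how long the ban lasts

# sshd failure line as syslog-ng writes it to /var/log/messages. <host> is whatever
# sshd put after "from ": an address, or a DNS name if sshd resolves clients.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def syslog_time(text, year=2010):
    """Parse a syslog 'Mon DD HH:MM:SS' stamp; syslog omits the year, so it is supplied."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line, year=2010):
    """Return (timestamp, host) for a line matching FAILREGEX, else None."""
    ts = SYSLOG_TS.match(line)
    hit = FAILREGEX.search(line)
    if not ts or not hit:
        return None
    return syslog_time(ts.group("ts"), year), hit.group("host")


def is_ignored(host):
    """True when host is an address inside an ignoreip range (never ban your own LAN)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def run_filter(lines, year=2010):
    """Replay log lines the way a jail does.

    Returns (bans, unbannable): bans maps address -> time the ban expires;
    unbannable collects hosts logged as DNS names, which cannot become a
    firewall rule and are why fail2ban stays silent when sshd logs names.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures inside findtime
    bans = {}
    unbannable = set()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host = parsed
        try:
            ipaddress.ip_address(host)
        except ValueError:
            unbannable.add(host)
            continue
        if is_ignored(host):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:   # expire old failures
            window.popleft()
        if len(window) >= MAXRETRY and host not in bans:
            bans[host] = ts + timedelta(seconds=BANTIME)
    return bans, unbannable


def active_bans(bans, now):
    """Hosts whose ban has not yet expired at `now` (bantime is a duration, not forever)."""
    return {host for host, until in bans.items() if now < until}


def fail_line(stamp, host, pid):
    """Build one constructed sshd failure line in syslog-ng's /var/log/messages format."""
    return f"{stamp} gentoo sshd[{pid}]: Failed password for root from {host} port 4{pid} ssh2"


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = (
    # five failures inside 600 s from one address: banned at the fifth
    [fail_line(f"Oct 21 18:00:{s:02d}", "24.8.222.211", 4100 + i) for i, s in enumerate((10, 25, 41, 55))]
    + [fail_line("Oct 21 18:01:08", "24.8.222.211", 4104)]
    # five failures from the LAN: covered by ignoreip, never banned
    + [fail_line(f"Oct 21 18:02:{s:02d}", "192.168.1.50", 4110 + i) for i, s in enumerate((0, 5, 10, 15, 20))]
    # four failures, then a fifth 20 minutes later: the window has emptied, no ban
    + [fail_line(t, "71.17.240.82", 4120 + i) for i, t in enumerate(
        ("Oct 21 18:03:00", "Oct 21 18:03:30", "Oct 21 18:04:00", "Oct 21 18:04:30", "Oct 21 18:25:00"))]
    # sshd logging a DNS name instead of an address: nothing fail2ban can ban
    + [fail_line(f"Oct 21 18:05:{s:02d}", "host-1.example.net", 4130 + i) for i, s in enumerate((0, 3, 6, 9, 12))]
    # a successful login does not match the failregex at all
    + ["Oct 21 18:06:00 gentoo sshd[4140]: Accepted publickey for alice from 192.168.1.50 port 50010 ssh2"]
)


if __name__ == "__main__":
    bans, names = run_filter(SAMPLE_LOG)
    for host, until in bans.items():
        print(f"Ban {host} until {until:%H:%M:%S}")
    for name in names:
        print(f"Cannot ban {name}: logged as a DNS name, not an address")
```

Running it bans only 24.8.222.211 (at the fifth failure, until 18:11:08), leaves the LAN host and the slow attempts from 71.17.240.82 alone, and reports host-1.example.net as unbannable, which is the symptom to look for when sshd is logging names rather than addresses.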

Enabling SSH jail
Gentoo uses  as its default syslog daemon, which is also used in this article. If using another syslog server, please refer to its man pages.

To enable, for example, the SSH jail, edit the  section in  and set:

jail.conf

Fixing SSH logging with syslog-ng
By default fail2ban looks in  for authentication messages. With syslog-ng, authentication messages are written to . Modify  and alter the  variable to the correct path.

Finally, the  section should look like:

Adding courierimap and courierpop3
To add IMAP and POP3 support, add the following lines to the  file. The correct  variable has to be set to ensure fail2ban is working properly. Usually  is the default path for mail logs.

Emerge  to get the  client working:

Using TCP wrappers
Below is an example  section for the  configuration if fail2ban uses tcp-wrappers instead of iptables.

Create file :

Change the permissions to make it readable for daemons:

Finishing Up
Start fail2ban:

Add fail2ban to the default runlevel:

Verify fail2ban has been started:

root    10567     1  0 23:06 ? 00:00:00 /usr/bin/python2.6 /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

Check iptables in order to see if an SSH fail2ban rule has been set:

fail2ban-SSH tcp  --  anywhere      anywhere         tcp dpt:ssh
Chain fail2ban-SSH (1 references)

Examine fail2ban.log:

2010-10-20 23:06:54,770 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-10-20 23:06:54,771 fail2ban.jail  : INFO   Creating new jail 'ssh-iptables'
2010-10-20 23:06:54,772 fail2ban.jail  : INFO   Jail 'ssh-iptables' uses poller
2010-10-20 23:06:54,808 fail2ban.filter : INFO  Added logfile = /var/log/messages
2010-10-20 23:06:54,809 fail2ban.filter : INFO  Set maxRetry = 5
2010-10-20 23:06:54,810 fail2ban.filter : INFO  Set findtime = 600
2010-10-20 23:06:54,811 fail2ban.actions: INFO  Set banTime = 600

Now fail2ban should be ready to use. In the example below you see the log output of a successful run with banned hosts:

2010-10-20 23:06:54,770 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-10-20 23:06:54,771 fail2ban.jail  : INFO   Creating new jail 'ssh-iptables'
2010-10-20 23:06:54,772 fail2ban.jail  : INFO   Jail 'ssh-iptables' uses poller
2010-10-20 23:06:54,808 fail2ban.filter : INFO  Added logfile = /var/log/messages
2010-10-20 23:06:54,809 fail2ban.filter : INFO  Set maxRetry = 5
2010-10-20 23:06:54,810 fail2ban.filter : INFO  Set findtime = 600
2010-10-20 23:06:54,811 fail2ban.actions: INFO  Set banTime = 600
2010-10-21 18:01:08,099 fail2ban.actions: WARNING [ssh-iptables] Ban 24.8.222.211
2010-10-21 18:01:21,138 fail2ban.actions: WARNING [ssh-iptables] Ban 71.17.240.82
2010-10-21 18:01:47,190 fail2ban.actions: WARNING [ssh-iptables] Ban 71.94.162.198
2010-10-21 18:02:45,277 fail2ban.actions: WARNING [ssh-iptables] Ban 112.116.154.174

Examine iptables again:

Chain INPUT (policy ACCEPT)
target       prot opt source               destination
fail2ban-SSH tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain fail2ban-BadBots (1 references)
target       prot opt source               destination
RETURN       all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target       prot opt source               destination
DROP         all  --  174.154.116.112.broad.km.yn.dynamic.163data.com.cn  anywhere
DROP         all  --  71-94-162-198.dhcp.knwc.wa.charter.com  anywhere
DROP         all  --  71-17-240-82.yktn.hsdb.sasknet.sk.ca  anywhere
DROP         all  --  c-24-8-222-211.hsd1.co.comcast.net  anywhere

Notice that the fail2ban-SSH chain now contains DROP rules for the hosts that were banned.

Fail2Ban doesn't start correctly after system crash or power loss
If fail2ban does not start correctly after a system crash or power loss, check to see whether the socket file still exists:

/var/run/fail2ban/fail2ban.sock

If it does, remove it manually:

Finally, start fail2ban again:

Add the following option to  to prevent this from happening again:

The -x option forces fail2ban to overwrite the stale socket on start-up.
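Before deleting the socket file by hand it is worth confirming that it really is stale and not in use by a fail2ban-server that did come back up: a leftover socket file exists on disk but nobody accepts connections on it, whereas a live one does. The script below is an added example, not part of this article or of fail2ban: it probes the socket with a connect() and only unlinks it when the connection is refused, and its demo() function recreates both situations in a temporary directory instead of touching the real /var/run/fail2ban/fail2ban.sock path from the page.

```python
import os
import shutil
import socket
import stat
import tempfile

# Socket path named in this article; pass any other path to the functions below.
FAIL2BAN_SOCK = "/var/run/fail2ban/fail2ban.sock"


def classify_socket(path):
    """Tell a leftover socket file from one a running server still answers on.

    absent        nothing at the path, fail2ban will start normally
    not-a-socket  something else sits at the path; do not delete it blindly
    stale         a socket file nobody listens on (crash or power loss), safe to remove
    live          a server accepted our connection, removing it would break fail2ban
    unknown       connect failed for another reason (for example permission denied)
    """
    if not os.path.lexists(path):
        return "absent"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(1.0)
    try:
        probe.connect(path)
    except ConnectionRefusedError:
        return "stale"          # file exists, no listener behind it
    except OSError:
        return "unknown"        # e.g. EACCES when not run as root: leave it alone
    else:
        return "live"
    finally:
        probe.close()


def remove_if_stale(path):
    """Remove the socket file only when it is verifiably stale; return the classification."""
    state = classify_socket(path)
    if state == "stale":
        os.unlink(path)
    return state


def demo():
    """Recreate both situations in a temporary directory (constructed, not a real install)."""
    workdir = tempfile.mkdtemp(prefix="f2b-")
    results = {}
    try:
        # A socket bound and then closed without unlink: exactly what a crash leaves behind.
        stale_path = os.path.join(workdir, "stale.sock")
        leftover = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        leftover.bind(stale_path)
        leftover.close()
        results["stale"] = remove_if_stale(stale_path)
        results["stale_exists_after"] = os.path.exists(stale_path)

        # A listening socket stands in for a running fail2ban-server.
        live_path = os.path.join(workdir, "live.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(live_path)
        server.listen(1)
        results["live"] = remove_if_stale(live_path)
        results["live_exists_after"] = os.path.exists(live_path)
        server.close()

        results["absent"] = remove_if_stale(os.path.join(workdir, "missing.sock"))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real system, running remove_if_stale(FAIL2BAN_SOCK) as root before the init script starts fail2ban does what the manual removal above does, but refuses to touch the file if a server is still answering on it.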

If fail2ban does not work with SSH, examine whether IP addresses or DNS names are logged. If DNS names are logged in , set the following:

Restart the sshd daemon: