License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: Stopping brute-force-attacks with fail2ban for Gentoo Linux

If you expose services like ssh to the internet, you probably know log entries like these:

[...]
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from XXX.XXX.XXX.XXX
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from XXX.XXX.XXX.XXX
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from XXX.XXX.XXX.XXX
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from XXX.XXX.XXX.XXX
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from XXX.XXX.XXX.XXX
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from XXX.XXX.XXX.XXX
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user test10 from XXX.XXX.XXX.XXX
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin1 from XXX.XXX.XXX.XXX
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin2 from XXX.XXX.XXX.XXX
Jul 17 15:19:13 silent-gabosh sshd[4443]: Invalid user admin3 from XXX.XXX.XXX.XXX
Jul 17 15:19:15 silent-gabosh sshd[4447]: Invalid user admin4 from XXX.XXX.XXX.XXX
Jul 17 15:19:17 silent-gabosh sshd[4451]: Invalid user admin5 from XXX.XXX.XXX.XXX
Jul 17 15:19:19 silent-gabosh sshd[4455]: Invalid user admin6 from XXX.XXX.XXX.XXX
[...]

fail2ban is a piece of software that blocks the attacking IPs after a number of failed attempts and unblocks them again after a set time. It works not only for ssh, so you can use it for FTP and mail servers too. fail2ban blocks the IPs with iptables commands.
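As an added example (not part of the original howto or of fail2ban itself), the following Python script replays sshd log lines of the kind shown above through fail2ban-style counting: an IP is banned once it has maxretry failures within a sliding findtime window and released again after bantime. The sample log, the year (syslog omits it) and the 203.0.113.x/198.51.100.x addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd lines quoted above; syslog omits the year, so one is assumed.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Invalid user \S+ from (?P<ip>\S+)")
ASSUMED_YEAR = 2017  # assumption: not present in the log format

def parse_line(line):
    """Return (timestamp, ip) for a failed-login line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def simulate_jail(lines, maxretry=5, findtime=600, bantime=3600):
    """Ban an IP after maxretry failures within findtime seconds, release it
    bantime seconds later; returns [(event, ip, timestamp), ...]."""
    failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
    banned, events = {}, []        # ip -> expiry time; ban/unban history
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # e.g. an "Accepted publickey" line
        ts, ip = parsed
        for b_ip in [k for k, until in banned.items() if ts >= until]:
            del banned[b_ip]       # bantime elapsed: fail2ban unbans
            events.append(("unban", b_ip, ts))
        if ip in banned:
            continue               # iptables is already dropping this source
        q = failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            q.clear()
            events.append(("ban", ip, ts))
    return events

# Constructed sample mirroring the excerpt above, with documentation addresses.
SAMPLE_LOG = [f"Jul 17 15:19:{s:02d} silent-gabosh sshd[44{s:02d}]: Invalid user test{s} from 203.0.113.7"
              for s in range(0, 12, 2)]  # six failures, two seconds apart
SAMPLE_LOG += ["Jul 17 15:19:20 silent-gabosh sshd[4460]: Accepted publickey for olli from 198.51.100.2",
               "Jul 17 16:19:30 silent-gabosh sshd[4500]: Invalid user admin1 from 203.0.113.7"]

if __name__ == "__main__":
    for event, ip, ts in simulate_jail(SAMPLE_LOG):
        print(ts.strftime("%b %d %H:%M:%S"), event, ip)
```

With the defaults the fifth failure triggers the ban, the sixth is ignored because the source is already blocked, and the attempt an hour later first produces the unban and then counts as a fresh single failure.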

If you want to use this solution you need to have finished the following howto(s):

Required software

The required software has to be installed with the following command(s):
emerge net-analyzer/fail2ban
emerge net-firewall/iptables

Changes in /etc/cron.hourly/f2bcheck

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /etc/cron.hourly/f2bcheck

Changed on 07.06.10
Issued by olli
Beginning line 2

I realized that fail2ban stops working sometimes (why ever). So I built this small check cron job:

#!/bin/bash
# Look for a running fail2ban process; the second grep drops the grep itself.
if ps ax | grep fail2ban | grep -v grep >/dev/null
then
 echo "OK" >/dev/null   # running, nothing to do
else
 # Log the outage, remove a stale socket that would block a restart, then restart.
 echo "NOT RUNNING `date`" >>/var/log/fail2bancheck.log
 rm -f /var/run/fail2ban/fail2ban.sock
 /etc/init.d/fail2ban stop >/dev/null 2>/dev/null
 /etc/init.d/fail2ban zap >/dev/null 2>/dev/null
 /etc/init.d/fail2ban start >/dev/null 2>/dev/null
fi

Changes in /etc/fail2ban/action.d/sendmail-common.local

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fail2ban/action.d/sendmail-common.local

Changed on 25.02.14
Issued by olli
Beginning line 1

No mail at startup/shutdown

[Definition]
actionstart =
actionstop =

Changes in /etc/fail2ban/jail.d/gabosh.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fail2ban/jail.d/gabosh.conf

Changed on 25.02.14
Issued by olli
Beginning line 1

Some jails for different services


#### SSH ####

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log

[sshd-ddos]
enabled = true
port = ssh
logpath = /var/log/auth.log

#### MAIL ####

[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog.log

[postfix-rbl]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog.log
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath  = /var/log/maillog.log

[cyrus-imap]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath  = /var/log/maillog.log

[sieve]
port   = smtp,465,submission,2000
logpath = /var/log/maillog.log

#### WEB ####

[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error_log

[apache-badbots]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[php-url-fopen]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath  = /var/log/apache2/error_log
maxretry = 6

[horde]
enabled = true
filter = horde
port = http,https
logpath = /opt/horde/horde.log

[hordetest]
enabled = true
filter = horde
port = http,https
logpath = /opt/horde-test/horde.log

#### CHAT ####

#[ejabberd-auth]
#enabled = true
#port = 5222
#logpath = /var/log/jabber/ejabberd.log


Setting up services

To start the new service after a system reboot, add it to a runlevel with the following command(s):

rc-update add fail2ban 

Please send feedback to: doc<at>gabosh.net
