Copyright (C) 2008-2020 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
If you expose services like ssh to the internet, you probably know log entries like
[...]
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from XXX.XXX.XXX.XXX
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from XXX.XXX.XXX.XXX
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from XXX.XXX.XXX.XXX
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from XXX.XXX.XXX.XXX
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from XXX.XXX.XXX.XXX
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from XXX.XXX.XXX.XXX
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user test10 from XXX.XXX.XXX.XXX
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin1 from XXX.XXX.XXX.XXX
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin2 from XXX.XXX.XXX.XXX
Jul 17 15:19:13 silent-gabosh sshd[4443]: Invalid user admin3 from XXX.XXX.XXX.XXX
Jul 17 15:19:15 silent-gabosh sshd[4447]: Invalid user admin4 from XXX.XXX.XXX.XXX
Jul 17 15:19:17 silent-gabosh sshd[4451]: Invalid user admin5 from XXX.XXX.XXX.XXX
Jul 17 15:19:19 silent-gabosh sshd[4455]: Invalid user admin6 from XXX.XXX.XXX.XXX
[...]
If you want to use this solution you need the following howto(s) finished:
emerge net-analyzer/fail2ban
emerge net-firewall/iptables
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
File: /etc/cron.daily/f2bcheck
Changed on 07.06.10
I realized that fail2ban stops working sometimes (why ever). So I built this small check cron job.
#!/bin/bash
# Is a fail2ban process present? (grep -v grep drops the grep itself from the match)
if ps ax | grep fail2ban | grep -v grep >/dev/null
then
    echo "OK" >/dev/null
else
    # log the outage, remove the stale socket and restart the service
    echo "NOT RUNNING `date`" >>/var/log/fail2bancheck.log
    rm -f /var/run/fail2ban/fail2ban.sock
    /etc/init.d/fail2ban stop >/dev/null 2>/dev/null
    /etc/init.d/fail2ban zap >/dev/null 2>/dev/null
    /etc/init.d/fail2ban start >/dev/null 2>/dev/null
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/fail2ban/action.d/sendmail-common.local
Changed on 25.02.14
No mail at startup/shutdown
[Definition]
actionstart =
actionstop =
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/fail2ban/jail.conf
Changed on 25.02.14
Ignore local networks
Before change:
ignoreip = 127.0.0.1/8
After change:
ignoreip = 127.0.0.1/8 my.lan.network.ip/16 172.24.0.0/16 172.25.0.0/16
Destination e-mail
Before change:
destemail = mail@example.com
After change:
destemail = mail@example.com
Sender e-mail
Before change:
sender = mail@example.com
After change:
sender = fail2mail@example.com
Sets the default action to mail, whois, logs
Before change:
action = %(action_)s
After change:
action = %(action_mwl)s
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/fail2ban/jail.d/gabosh.conf
Changed on 25.02.14
Some jails for different services
#### SSH ####
[sshd]
enabled = true
port = ssh
logpath = /var/log/sshd.log

#### MAIL ####
[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog.log

#[postfix-rbl]
#enabled = true
#port = smtp,465,submission
#logpath = /var/log/maillog.log
#maxretry = 1

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log

[cyrus-imap]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log

[sieve]
port = smtp,465,submission,2000
logpath = /var/log/maillog.log

#### WEB ####
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error_log

[apache-badbots]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[php-url-fopen]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/error_log
maxretry = 6

#### CHAT ####
#[ejabberd-auth]
#enabled = true
#port = 5222
#logpath = /var/log/jabber/ejabberd.log
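As an added example (not part of this howto), the shell function below replays sshd log lines in the format shown at the top of the page through the maxretry/findtime counting a fail2ban jail such as [sshd] performs, so you can see which source address would be banned before the jail goes live. The sample log is constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the values 5 and 600 in the usage line are assumed to be fail2ban's stock maxretry/findtime defaults, since the [sshd] jail above does not override them.

```shell
#!/bin/sh
# Constructed sample log in sshd's syslog format (not taken from a real host).
SAMPLE_LOG='Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from 203.0.113.7
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from 203.0.113.7
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from 203.0.113.7
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from 203.0.113.7
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from 203.0.113.7
Jul 17 15:19:30 silent-gabosh sshd[4500]: Invalid user admin from 198.51.100.9
Jul 17 15:19:31 silent-gabosh sshd[4501]: Accepted publickey for oliver from 198.51.100.9 port 51022 ssh2
Jul 17 16:40:00 silent-gabosh sshd[4601]: Invalid user admin from 198.51.100.9
Jul 17 18:00:00 silent-gabosh sshd[4702]: Invalid user admin from 198.51.100.9
Jul 17 19:30:00 silent-gabosh sshd[4803]: Invalid user admin from 198.51.100.9
Jul 17 21:00:00 silent-gabosh sshd[4904]: Invalid user admin from 198.51.100.9'

# would_ban MAXRETRY FINDTIME_SECONDS < logfile
# Prints "ip time" once for every source address that reaches MAXRETRY
# "Invalid user" lines within a sliding FINDTIME_SECONDS window, which is the
# decision the [sshd] jail makes. Syslog stamps carry no year/month, so the
# day-of-month and clock are folded into seconds (windows spanning a month
# boundary are not handled; good enough for a findtime of minutes or hours).
would_ban() {
  awk -v max="$1" -v window="$2" '
    # field layout: Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from IP
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Invalid" && $7 == "user" {
      split($3, t, ":")
      now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      ip = $NF
      cnt[ip]++
      hit[ip, cnt[ip]] = now
      # walk back over this address'"'"'s failures that still fall inside the window
      recent = 0
      for (i = cnt[ip]; i >= 1 && now - hit[ip, i] <= window; i--) recent++
      if (recent >= max && !(ip in banned)) { banned[ip] = $3; print ip, $3 }
    }'
}

# Usage with the assumed defaults (maxretry 5, findtime 600 seconds):
# printf "%s\n" "$SAMPLE_LOG" | would_ban 5 600
```

With a 600 second window only 203.0.113.7 (five failures in eight seconds) is reported; the slow 198.51.100.9 probe stays under the threshold unless findtime is raised to cover hours.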
To start the new service automatically after a system reboot, add it to a runlevel with the following command(s):
rc-update add fail2ban
Please send a feedback to: doc<at>gabosh.net