Fail2ban Configs Thread

Discussion in 'General' started by torontob, Feb 21, 2009.

  1. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    As discussed on other threads and mentioned by Dicko, fail2ban only keeps the banned IPs until the system is rebooted (or do the iptables retain the blocked IP???!!!). Can we change the ban to block the IP address for good? Can this be done by adding a few lines (where and how?)? If there are 100 attacks on the system in a day and the list is going to grow to 100*365 in a year, would that be a problem (such a long list to check before permission to login is given...)?

    Thanks
     
  2. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    But there aren't 100 attacks in a day, not to mention that if you have external endpoints then you're potentially banning IPs you could log in with. Most malicious users will try either a couple of quick attempts, or maybe for 1-2 hours if they're the persistent type and have reason to believe you have a connection they can use, or something along those lines ... Then they're not likely to ever come back.
     
  3. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Fail2ban has its uses.

    Whilst I have a great respect for fail2ban I understand some have suspicions about it.

    Some have a permissive attitude to network security, some have a restrictive attitude. No blame, no shame either way.

    For those of us with a permissive nature I offer this nascent "one-liner" for peer review. (It should identify any non-local registrations and expose any public information about the class C sized network each is in.)
    Currently it doesn't actually DO anything.

    Code:
    asterisk -rx 'sip show peers' > sipout; for host in $(sed -r 's/(^.*) (([0-9]{1,3}\.){1,4}).*$/\20/' sipout | sort -u | grep -Ev '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' | grep '\.'); do echo "--------------INFO for $host---------------------"; whois "$host" | grep -v '^$'; read -p "Above info pertinent to $host, shall we Ban him? [n]"; done
    
    It has a "whois" dependency which can be resolved by "yum install jwhois". The ultimate idea would be to send identified offenders to /etc/hosts.deny, or email someone if the registrations were to change. (Sorry about the formatting, but otherwise it wouldn't technically be a one-liner, and I don't trust this software to respect any line break formatting ;) :p )
     
  4. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks for the code Dicko. I will test this.

    Just to give you some statistics on three servers, there have been almost 1,000 unique IP attacks that I recorded. Most probably from compromised computers. The chance of blocking my own remote phone from Syria or Zhen chiang Song....is like getting hit by lightning for me.
     
  5. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    As I say, and always have, denial is not necessarily a river in Egypt; the threat is real and not subject to personal feelings or conclusions.
    Go ban those networks in hosts.deny.
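The two suggestions in this thread so far are to make fail2ban's bans permanent and to move offenders into /etc/hosts.deny. The following is an added example (my own shell, not Dicko's one-liner and not part of fail2ban) that ties them together: it reads the output of `iptables -n -L`, picks the DROP/REJECT rules out of the chains fail2ban creates (assumed here to be named fail2ban-<jailname>, which is how the iptables actions name them) and emits `ALL: <ip>` lines that can be merged into hosts.deny so the block survives a reboot. The iptables listing embedded below is constructed for the example; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): persist fail2ban's current bans as
# /etc/hosts.deny entries. fail2ban's iptables rules vanish on reboot; a
# hosts.deny line does not.

# Constructed sample of `iptables -n -L` with two fail2ban chains. Note the
# loopback ban in fail2ban-SSH (the self-ban described later in the thread)
# and the address that was banned by both jails.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
fail2ban-ASTERISK  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
DROP       all  --  127.0.0.1            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
DROP       all  --  198.51.100.9         0.0.0.0/0
DROP       all  --  203.0.113.7          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Read an `iptables -n -L` listing on stdin, print one "ALL: ip" line per
# distinct banned public address found inside a fail2ban-* chain.
bans_to_hosts_deny() {
    awk '
        /^Chain fail2ban-/ { inchain = 1; next }   # entering a fail2ban chain
        /^Chain /          { inchain = 0; next }   # any other chain ends it
        inchain && ($1 == "DROP" || $1 == "REJECT") {
            ip = $4                                # "source" column of iptables -n -L
            sub(/\/32$/, "", ip)                   # drop a /32 mask if one is printed
            # never write loopback or RFC1918 space into hosts.deny
            if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./ ||
                ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            if (!(ip in seen)) { seen[ip] = 1; print "ALL: " ip }
        }
    '
}

# Append the lines from bans_to_hosts_deny to a hosts.deny file (default
# /etc/hosts.deny), skipping lines that are already present.
merge_into_hosts_deny() {
    deny=${1:-/etc/hosts.deny}
    bans_to_hosts_deny | while read -r line; do
        grep -qxF "$line" "$deny" 2>/dev/null || printf '%s\n' "$line" >> "$deny"
    done
}

# Stand-alone demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_IPTABLES" | bans_to_hosts_deny
# On a live box (as root):  iptables -n -L | merge_into_hosts_deny
```

Two caveats before relying on this. hosts.deny is only consulted by services linked against tcp_wrappers (sshd on the distributions of the time), so it does nothing for SIP or IAX2 on Asterisk; for those, the iptables rule is the only thing actually blocking, and a long fail2ban bantime is the right tool. On the list-size question from the first post: iptables evaluates a chain's rules one after another for every packet it inspects, so a chain that has grown to tens of thousands of DROP rules does cost CPU, whereas hosts.deny is only read when a wrapped service accepts a connection.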
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Fail2ban:

    While asterisk attacks are relatively rare, the endless stream of ssh attacks fills up a mailbox quickly.
    A quick fix, and one that is probably a good idea anyway, is to change the ssh port from 22 to something else (above 1024 is usually recommended).
    As part of a general security script I am writing, I offer this script to automate the process for lazy people or newbies, for review.

    Code:
    #!/bin/bash
    # Warn if sshd is on the standard port and offer to move it. The two lines
    # that actually edit sshd_config and restart sshd are left commented out.
    # A commented "#Port 22" still means port 22 is in use (it is the default).
    sshport=$(grep -E '^#?Port 22$' /etc/ssh/sshd_config)
    if [ -n "$sshport" ]
    then
      echo "You are using ssh on a standard port !!This is a security risk!! It is suggested that you change it"
      newsshport=20
      # keep asking until we get 22 (leave alone) or a port in 1025..65535
      while [ "$newsshport" -ne 22 ] && { [ "$newsshport" -le 1024 ] || [ "$newsshport" -gt 65535 ]; }
      do
        read -p "choose a port above 1024, Change to: [22]: " newsshport
        if [ -z "$newsshport" ]; then newsshport=22; fi
        # reject anything that is not a number, otherwise the -ne/-le tests fail
        if ! [[ "$newsshport" =~ ^[0-9]+$ ]]
        then
          echo "Must be a number between 1025 and 65535."
          newsshport=20
        fi
      done
      if [ "$newsshport" -ne 22 ]
      then
        # uncomment next two lines to make it work
        #  sed -i "s/^$sshport\$/Port $newsshport/" /etc/ssh/sshd_config
        #  service sshd restart
        echo "/etc/ssh/sshd_config will be edited from $sshport to Port $newsshport"
        echo "You can now ssh into this machine with ssh <thismachine> -p $newsshport"
        echo "Please change your firewall/NAT settings if necessary"
      fi
    fi
    echo "Your ssh port is $(grep -E '^#?Port ' /etc/ssh/sshd_config)"
    
     
  7. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    LOL...now you are reading my mind Dicko. I love to be the lazy guy and implement the ssh port change script RIGHT NOW!!!

    Thanks!!!!
     
  8. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    Works perfect. As advertised.

    Don
     
  9. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Got to laugh at this one,

    If you don't "ignore" specifically 127.0.0.1 in fail2ban, and screw up an IAX2 modem,
    (my screw-up was that Elastix Fax won't accept a non-numeric password for an IAX2 extension, which I
    previously set up when adding a "virtual modem" IAX2 extension (now THAT needs fixing, I'll report it))
    so I gave it a numeric password without thinking, figuring I'd fix it in the extension.

    Immediately 122,000,000 (YMMV, I am being facetious) "exceptions" in /var/log/asterisk/full, guess what!
    fail2ban bans asterisk, in effect, from itself! So what, you might say, well ..
    DOS by fail2ban on the system itself as it tried to process ../asterisk/full growing to astronomic proportions,
    100% CPU usage and pissed off users! and a polite email from fail2ban saying it had banned the local host after 47000 failed logins, after I fixed my FU!
    (obviously 127.0.0.1 is a LOT quicker in response than a real network address, hence the overload.)
    (maybe not a problem without iaxmodem, or any other legitimate reason
    to have an extension on the localhost), sure bit me in the ass however!

    (as I say, still stupid, but learning!)
     
  10. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    LOL :) that's a nice one. Who could think of that? I have been setting up my fail2ban to ban with even 1 wrong try, so I got banned a few times, but then I can release my ISP's IP and obtain a new one on reconnect. Isn't localhost by default not blocked in fail2ban? Where should 127.0.0.1 be added in the conf file if it is not there by default?

    This reminds me of messages that you get in the CLI due to FOP running in a browser (if I am not wrong):

    == Connect attempt from '127.0.0.1' unable to authenticate
    == Connect attempt from '127.0.0.1' unable to authenticate
    == Connect attempt from '127.0.0.1' unable to authenticate
    == Connect attempt from '127.0.0.1' unable to authenticate

    Would these have any effect on fail2ban? At least they are pretty annoying, and one of my clients always has FOP running, making my life hard when I dial into the asterisk console. Setting verbose low, I lose other info along with this. Do I have any options? Maybe move to Hudlite?
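The question above about where 127.0.0.1 goes is answered by fail2ban's `ignoreip` setting, which lives in the `[DEFAULT]` section of jail.conf and is normally overridden from jail.local. A jail.local that sets its own `ignoreip` replaces the whole list rather than adding to it, which is exactly how localhost silently drops out and the self-ban Dicko describes becomes possible. The following is an added example (my own shell script, not from the thread and not part of fail2ban) that reads the jail files in order and reports whether the effective list still covers the loopback address. The jail.conf and jail.local contents embedded below are constructed for the example; only the `[DEFAULT]` section is examined, per-jail `ignoreip` overrides are not.

```shell
#!/bin/sh
# Added example: verify that fail2ban's effective ignoreip covers 127.0.0.1.
# Reads jail.conf then jail.local (later files win, as fail2ban applies them).

# Constructed jail.conf: the stock file ignores localhost by default.
SAMPLE_JAIL_CONF='[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

[ssh-iptables]
enabled = true
filter  = sshd
logpath = /var/log/secure'

# Constructed jail.local that overrides ignoreip and forgets the loopback.
SAMPLE_JAIL_LOCAL_BAD='[DEFAULT]
ignoreip = 192.168.1.0/24
bantime  = 3600'

# The corrected override repeats 127.0.0.1 in front of the extra network.
SAMPLE_JAIL_LOCAL_GOOD='[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24
bantime  = 3600'

# Print the effective [DEFAULT] ignoreip across the given files; the last
# assignment read wins, which is how jail.local overrides jail.conf.
effective_ignoreip() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); section = s; next }
        section == "[DEFAULT]" && /^[ \t]*ignoreip[ \t]*=/ {
            sub(/^[ \t]*ignoreip[ \t]*=[ \t]*/, "")
            value = $0
        }
        END { print value }
    ' "$@"
}

# Exit 0 only if some entry of the effective list covers the loopback address.
localhost_ignored() {
    for entry in $(effective_ignoreip "$@"); do
        case "$entry" in
            127.0.0.1|127.0.0.1/32|127.0.0.0/8) return 0 ;;
        esac
    done
    return 1
}

# Write the sample jail.conf plus a candidate jail.local ($1 = its contents)
# to a temp dir and report whether the combination still ignores localhost.
check_override() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_JAIL_CONF" > "$d/jail.conf"
    printf '%s\n' "$1" > "$d/jail.local"
    localhost_ignored "$d/jail.conf" "$d/jail.local"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone demonstration:
#   check_override "$SAMPLE_JAIL_LOCAL_BAD"  && echo safe || echo "localhost would be banned"
#   check_override "$SAMPLE_JAIL_LOCAL_GOOD" && echo safe || echo "localhost would be banned"
# On a live box: localhost_ignored /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Run against the real files it exits non-zero when a jail.local override has dropped the loopback address, which is the case to watch for after any edit to `ignoreip`; the stock jail.conf already contains `ignoreip = 127.0.0.1`, so the fix is never to edit jail.conf but to repeat `127.0.0.1` at the front of whatever list jail.local sets.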
     
  11. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    Just to give an idea of the reaction speed of fail2ban:

    I just had an attack this morning.
    I've set up fail2ban to trigger after 5 wrong attempts.
    It effectively started blocking after 24 attempts.

    Not too bad; we'll see if this guy still tries hacking me next month or sooner under another IP...
     
