Friday, October 26, 2007

fail2ban - Yet another tool to protect your server


What is Fail2ban?

Fail2ban scans log files like /var/log/auth.log or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address; these rules can be defined by the user. Fail2ban can read multiple log files, such as the sshd or Apache web server ones. You need python >= 2.3, gamin >= 0.0.21 (optional) and one of these: iptables, shorewall or tcpwrapper.

What does the version number of Fail2ban mean?

The structure of the version number is major.minor.revision. Currently the major number is 0. The policy for minor is:

  • odd numbers (0.5, 0.7, etc) are development versions.
  • even numbers (0.6, 0.8, etc) are stable versions.

Fail2ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Where can I get it?

fail2ban source can be downloaded from here. Distro-specific packages can be downloaded from http://www.fail2ban.org/wiki/index.php/Downloads. You might want to try your package manager first; it might be in your distro's repositories, but chances are that it is an older version. That's why I like to install from source :). For debianistas, apt-get install fail2ban will take care of it.

Installation

As of this writing, the latest version is 0.8.1.
1. Extract: tar xjvf fail2ban-0.8.1.tar.bz2
2. cd fail2ban-0.8.1
3. python setup.py install

This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are placed into /usr/bin.

Fail2Ban should be correctly installed now. Just type:

fail2ban-client -h

to see if everything is alright. You should always use fail2ban-client and never call fail2ban-server directly. UPDATE: to be able to activate and control the fail2ban server, you need to copy the init file specific to your distro from the fail2ban-0.8.1/files directory. For Mandriva, you can use the RedHat one. Copy the file redhat-initd to the /etc/init.d directory:

cp redhat-initd /etc/init.d/fail2ban

There are also init files for SuSe and Gentoo.

Configuration

1. Edit the file /etc/fail2ban/fail2ban.conf using your favorite editor. I used joe for it. So:

cd /etc/fail2ban
joe fail2ban.conf

In this file, you may want to increase the loglevel to 4 for a more verbose log, for troubleshooting purposes.

2. Edit the file /etc/fail2ban/jail.conf
joe jail.conf

In this file, uncomment the sections that you want to activate and change enabled = false to enabled = true. Say you want fail2ban to monitor port 22 (ssh) for login attempts:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/auth.log
maxretry = 4

There are many sections in there for monitoring other ports (ftp, http, etc.); which ports you monitor is up to you. Just uncomment the sections you want and set enabled = true in them to activate them. If you want to be notified, uncomment the commented action line above and put your email address in dest (and adjust sender too, to reflect your system's mail). I changed the log path to /var/log/auth.log because this is the authentication log on my system; change it accordingly for yours. All fail2ban actions are logged and can be reviewed with tail /var/log/fail2ban.log. Example of fail2ban.log on my system:

-- START --
2007-10-26 00:24:56,880 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 00:24:56,880 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 00:24:56,881 fail2ban.filter : DEBUG Setting file position to 783921 for /var/log/auth.log
2007-10-26 00:24:56,882 fail2ban.filter : DEBUG Found 200.32.73.4
2007-10-26 00:24:56,883 fail2ban.filter : DEBUG Found 200.32.73.4
2007-10-26 00:24:56,883 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 00:24:57,868 fail2ban.actions: WARNING [ssh-iptables] Ban 200.32.73.4
2007-10-26 00:24:57,868 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-26 00:24:57,886 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-26 00:24:57,886 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 200.32.73.4 -j DROP
2007-10-26 00:24:57,891 fail2ban.actions.action: DEBUG iptables -I fail2ban-SSH 1 -s 200.32.73.4 -j DROP returned successfully
2007-10-26 00:26:57,873 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 00:26:57,873 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 00:26:57,874 fail2ban.filter : DEBUG Setting file position to 784190 for /var/log/auth.log
2007-10-26 00:26:57,875 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 00:34:58,860 fail2ban.actions: WARNING [ssh-iptables] Unban 200.32.73.4
2007-10-26 00:34:58,860 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH
2007-10-26 00:34:58,867 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-SSH returned successfully
2007-10-26 00:34:58,867 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 200.32.73.4 -j DROP
2007-10-26 00:34:58,872 fail2ban.actions.action: DEBUG iptables -D fail2ban-SSH -s 200.32.73.4 -j DROP returned successfully
2007-10-26 06:07:39,998 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 06:07:39,998 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 06:07:39,999 fail2ban.filter : DEBUG Setting file position to 784279 for /var/log/auth.log
2007-10-26 06:07:40,000 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-10-26 11:23:50,076 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2007-10-26 11:23:50,087 fail2ban.filter : DEBUG Opened /var/log/auth.log
2007-10-26 11:23:50,116 fail2ban.filter : DEBUG Setting file position to 784372 for /var/log/auth.log
2007-10-26 11:23:50,123 fail2ban.filter.datedetector: DEBUG Sorting the template list
-- End--

As you can see above, an IP is banned by fail2ban by way of iptables and, after a period of time, it is unbanned. All of this can be modified in /etc/fail2ban/jail.conf.
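To make the ban/unban cycle in the log above concrete, here is an added Python example (not fail2ban's own code) that replays a constructed auth.log sample with the post's maxretry = 4. The findtime = 600 and bantime = 600 values are assumed fail2ban 0.8 defaults, the failregex is a simplified stand-in for the real sshd filter, and the year 2007 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth.log lines in syslog format (not from the post).
SAMPLE_AUTH_LOG = """\
Oct 26 00:24:10 host sshd[4321]: Failed password for invalid user admin from 200.32.73.4 port 4422 ssh2
Oct 26 00:24:20 host sshd[4322]: Failed password for root from 200.32.73.4 port 4423 ssh2
Oct 26 00:24:31 host sshd[4323]: Failed password for invalid user oracle from 200.32.73.4 port 4424 ssh2
Oct 26 00:24:45 host sshd[4324]: Accepted publickey for alice from 10.0.0.5 port 5001 ssh2
Oct 26 00:24:55 host sshd[4325]: Failed password for root from 200.32.73.4 port 4425 ssh2
Oct 26 00:30:00 host sshd[4326]: Failed password for root from 10.0.0.9 port 5002 ssh2
Oct 26 00:40:00 host sshd[4327]: Failed password for root from 10.0.0.9 port 5003 ssh2
"""

# Simplified failregex modelled on the sshd filter (IPv4 only, "Failed password" only).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2007):
    # syslog timestamps carry no year; 2007 is assumed to match the post's log
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(log_text, maxretry=4, findtime=600, bantime=600):
    """Replay the log; return [(time, 'ban' | 'unban', ip), ...] in log order."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    banned = {}                    # ip -> time at which the ban expires
    events = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue               # e.g. 'Accepted publickey' lines are ignored
        now, ip = parse_ts(m.group("ts")), m.group("ip")
        # the clock only advances with the log, so lift expired bans first
        for bip, expiry in list(banned.items()):
            if now >= expiry:
                events.append((expiry, "unban", bip))
                del banned[bip]
        if ip in banned:
            continue               # already dropped by the firewall chain
        recent = [t for t in failures[ip] if now - t <= timedelta(seconds=findtime)]
        recent.append(now)
        failures[ip] = recent
        if len(recent) >= maxretry:    # maxretry failures within findtime: ban
            banned[ip] = now + timedelta(seconds=bantime)
            events.append((now, "ban", ip))
            failures[ip] = []          # counter is reset once the IP is banned
    return events
```

Running scan(SAMPLE_AUTH_LOG) yields a ban of 200.32.73.4 at the fourth failure and an unban 600 seconds later, while 10.0.0.9 stays under the threshold; lowering maxretry or raising findtime shows how aggressive the jail becomes.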

To see whether the actions really happen, see iptables rules:

iptables -L -n

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT all -- 85.185.250.20 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Please read the documentation in the tarball for the latest updates and for how to configure it. fail2ban is another weapon for system administrators to combat brute-force attacks. Enjoy :)

Thursday, October 4, 2007

apt-get remove Fedora; apt-get install Debian

After giving some thought to the possibility of converting my Fedora box to Debian, yesterday morning, with a DVD I got from LFY, I gave it a try. Why? I was fed up with problems like crippled mp3 support (for obvious reasons for a pure OSS distro), slow and error-prone yum, and problems with incompatible and conflicting packages from 3rd-party repositories. My journey with Fedora has ended. Maybe I'll meet her again in the future :). We'll see.

Debian 4.0 aka Etch
Installation went smoothly in text mode. It took longer than I was expecting because, without my knowledge, I had opted to download updates from the internet during installation. There was a flaw when I tried installing the LILO boot loader: the installer said it failed to install. I opted to continue and, after rebooting, the boot loader was fine. GNOME was the default window manager installed when I selected the Desktop installation but, as usual, with the beloved apt-get, I could install other window managers too.

Some basic commands

apt-get update <--- find new updates, if any.
apt-get install package_name <--- install a package. Dependencies will be taken care of.
apt-get --reinstall install package_name <--- reinstall a package.
apt-get remove package_name <--- uninstall a package but leave the config files intact.
apt-get --purge remove package_name <--- completely uninstall a package.
apt-get -u dist-upgrade <--- completely upgrade the whole distribution to the latest.
dpkg -i package_name.deb <--- install a local package

apt-get reminds me of slapt-get in the Slackware world. slapt-get got the idea from this excellent apt-get.

A few confusing matters
Firstly, I couldn't see Firefox in the GNOME or KDE menu. So I fired up apt-get. To my surprise, it had been installed. I found out that it had been 'rebranded' to IceWeasel. What a name! More info on this matter can be read here.

Secondly, I couldn't find pidgin. Instead, the old GAIM was installed. After googling, I found that pidgin could be installed by downloading it from here.

The experience so far is good. It has its share of Ubuntu, which is one of my favorite distros too. I like the responsiveness of KDE and GNOME. It seems quicker than on Fedora and, of course, apt-get is a lot quicker than yum.
