Forums

Resolved
0 votes
A combination of reading this thread and staring at a fail2ban RPM floating around in my development environment brought this on.

It is really only a matter of time before we roll fail2ban into ClearOS Enterprise, and now seems a good time as any to start tuning it for ClearOS. Snort can't be used to catch all of the login shenanigans going on, so implementing fail2ban is a good extra layer of defense. I have built a fail2ban package for hacking around, but there are two things missing:

- A well tested configuration for ClearOS (my first cut is below)
- A way to re-insert the blocked sites when the firewall is restarted (or the system is rebooted)

Suggestions are welcome! I'll certainly push whatever RPM comes out of this to the version 6 build system. I can also add it to the version 5.x repositories too.



# SSH
[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root]
logpath = /var/log/secure
maxretry = 5

# ProFTP
[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=root]
logpath = /var/log/messages
maxretry = 6

# Mail SASL
[sasl-iptables]

enabled = true
filter = sasl
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=root]
logpath = /var/log/maillog
Monday, November 14 2011, 02:21 PM
Share this post:
Responses (29)
  • Accepted Answer

    Friday, April 10 2015, 03:15 PM - #Permalink
    Resolved
    0 votes
    For http filtering I have the following in /etc/fail2ban/jail.local:
    [apache-nohome]

    enabled = true
    filter = apache-nohome
    action = iptables-multiport[name=apache-nohome, port="80,443"]
    logpath = /var/log/httpd/*error_log
    maxretry = 1
    bantime = 604800
    findtime = 172800
    and in /etc/fail2ban/filter.d/apache-nohome.local I have:
    [Definition]

    failregex = ^.* \[error\] \[client <HOST>\] File does not exist: .*\/(vtigercrm|admin|recordings|cgi-bin)$
    Note I use local files to override the conf files. I also sometimes struggle with their regex filters so you'll see that mine is somewhat simpler without so much at the beginning of the expression. It may, therefore, be more cpu intensive but I don't know. All I am trying to do is pick up the probes I see (vtigercrm is the most common) without killing someone (me) making a simple typo as I activate the block on the first occurrence.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, April 10 2015, 08:07 AM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    How did you configure fail2ban to look for the http stuff? I got the ssh stuff working fairly easily but I can't work out the http stuff.

    James
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 09 2015, 07:03 PM - #Permalink
    Resolved
    0 votes
    I still use it on 6.6 to block http probes and mail server naughties.
    The reply is currently minimized Show
  • Accepted Answer

    AlanM
    AlanM
    Offline
    Thursday, April 09 2015, 06:14 PM - #Permalink
    Resolved
    0 votes
    Thanks for reviving this old/dead thread. Has fail2ban continued to work so far after 6.6?
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, January 01 2015, 02:38 PM - #Permalink
    Resolved
    0 votes
    Wiljon Saarloos wrote:
    Is this package still maintained?

    Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
    Requires: ed
    Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
    Requires: gamin-python

    Br,
    Wiljon


    Found the solution:
    Needed to install gamin-python and ed first manualy;

    yum install gamin-python --enablerepo=clearos-core
    yum install ed --enablerepo=clearos-core

    After this fail2ban would install without a glitch:
    yum install fail2ban --enablerepo=clearos-epel

    Br,
    Wiljon
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, January 01 2015, 02:25 PM - #Permalink
    Resolved
    0 votes
    Is this package still maintained?

    Get the folowing if I try to install fail2ban on ClearOS 6.5
    yum install fail2ban --enablerepo=clearos-epel
    --> Finished Dependency Resolution
    Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
    Requires: ed
    Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
    Requires: gamin-python


    Br,
    Wiljon
    The reply is currently minimized Show
  • Accepted Answer

    Monday, May 20 2013, 11:15 PM - #Permalink
    Resolved
    0 votes
    Baggypants12000 wrote:
    I'd like to install fail2ban but the clearos-epel repo is missing gamin-python
    Is it missing for everyone or just me?


    Hmm, it would appear to be a case of fail2enablerepo=clearos-core
    The reply is currently minimized Show
  • Accepted Answer

    Monday, May 20 2013, 10:53 PM - #Permalink
    Resolved
    0 votes
    I'd like to install fail2ban but the clearos-epel repo is missing gamin-python
    Is it missing for everyone or just me?
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, March 12 2013, 11:16 AM - #Permalink
    Resolved
    0 votes
    yaye wrote:
    Speaking of Fail2ban, from the CentOS 6.4 release notes:

    An upgrade of existing installations of CentOS-6 can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. In turn this fact may break 3rd party applications (such as fail2ban). The bug was reported upstream . A workaround is to run
    restorecon -v /sbin/ip*-multi-1.4.7


    This may affect ClearOS 6.x users running fail2ban, once the upgrade to version 6.4 is out.


    Arrgghhhhhhhhhhh poo, could disable SEL really prefer not to.
    The reply is currently minimized Show
  • Accepted Answer

    yaye
    yaye
    Offline
    Tuesday, March 12 2013, 12:38 AM - #Permalink
    Resolved
    0 votes
    Speaking of Fail2ban, from the CentOS 6.4 release notes:

    An upgrade of existing installations of CentOS-6 can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. In turn this fact may break 3rd party applications (such as fail2ban). The bug was reported upstream . A workaround is to run
    restorecon -v /sbin/ip*-multi-1.4.7


    This may affect ClearOS 6.x users running fail2ban, once the upgrade to version 6.4 is out.
    The reply is currently minimized Show
  • Accepted Answer

    nuke
    nuke
    Offline
    Monday, March 11 2013, 11:49 PM - #Permalink
    Resolved
    0 votes
    I think I may have solved this by trial and error.

    Does this look about right?
    [sasl-iptables]

    enabled = true
    filter = sasl
    backend = polling
    action = iptables-multiport[name=sasl, port="25,465,993,995", protocol=tcp]
    sendmail-whois[name=sasl, dest=root]
    logpath = /var/log/maillog
    The reply is currently minimized Show
  • Accepted Answer

    nuke
    nuke
    Offline
    Monday, March 11 2013, 10:02 PM - #Permalink
    Resolved
    0 votes
    Tim,

    If you are using IMAPS and POP3S for mail sending using SSL authentication, I suspect the port command should change from
    port=smtp,pop3
    to
    port=smtp,pop3s,imaps
    ?

    One thing confuses me. The port 465 has to be open for IMAPS mail sending using SSL. So that port isn't the same as IMAPS (993). Does the above port command with IMAPS cover that port too?

    I've googled this but not found an answer. Is this supposed to be changed somewhere else?

    Thanks.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, March 03 2012, 06:44 PM - #Permalink
    Resolved
    0 votes
    deleted - unnecessary
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, March 03 2012, 06:37 PM - #Permalink
    Resolved
    0 votes
    Tim Burgess wrote:
    Yes - I was pointing out that the IP was blocked quickly, but only for port 25, not POP3. That's why you see the other log entries, because the IP was still able to get to your POP3 service. The only way to confirm this is to check what commands you have in your jails.conf file :)


    I'm sorry, Tim. I couldn't come back to this earlier (health problem). I added pop3 protocol and, as far as I know, pop3 abusive connections are now triggering the ban. Strangely, since I made the change there was only one attempt and its IP was blocked correctly. Thanks for the settings you published.

    Kind regards,
    Artur

    ===
    deleted - unnecessary
    ===
    The reply is currently minimized Show
  • Accepted Answer

    Friday, January 13 2012, 07:41 PM - #Permalink
    Resolved
    0 votes
    Hi Tim. I've just read this and I'll answer soon, may be tomorrow. I have to see the F2B settings first. Thanks! :)
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, January 11 2012, 12:46 PM - #Permalink
    Resolved
    0 votes
    Yes - I was pointing out that the IP was blocked quickly, but only for port 25, not POP3. That's why you see the other log entries, because the IP was still able to get to your POP3 service. The only way to confirm this is to check what commands you have in your jails.conf file :)
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, January 11 2012, 12:39 PM - #Permalink
    Resolved
    0 votes
    HI, Tim. I'm not using your jails. Sorry for not being clear in my post. I'm not near the server so that I could show you the settings. Anyway I only wanted to point that fail2ban seems to work sometimes but not when the connection interval is too short. Thanks.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, January 11 2012, 12:26 PM - #Permalink
    Resolved
    0 votes
    Hi Artur, what Fail2ban jails are you using? your log shows attempted connections to POP3 not SMTP...Fail2ban in my examples on the previous page was for SMTP only, and therefore Fail2ban would only block on that particular port

    It can of course be modified:-
    [sasl-iptables]

    enabled = true
    filter = sasl
    action = iptables-multiport[name=sasl, port="smtp,pop3", protocol=tcp]
    sendmail-whois[name=sasl, dest=root]
    logpath = /var/log/maillog
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, November 23 2011, 09:41 PM - #Permalink
    Resolved
    0 votes
    Hi, I think Pete is rolling this up into a build for ClearOS - I don't know if he intends to make it customisable from the webconfig. If not then I may have a go :)

    To prevent loss of the fail2ban tables after a firewall restart I also added to /etc/rc.d/rc.firewall.local
    /sbin/service fail2ban condrestart

    Then edited /etc/rc.d/init.d/fail2ban and added to permit a conditional restart
      condrestart)
    getpid
    if [ -n "$pid" ]; then
    $0 stop
    $0 start
    RETVAL=$?
    fi
    ;;

    Now if only I could figure out why it won't manually block an IP using fail2ban-client, then I have a script which exports the existing blocks when it shuts down, and then attempts to reblock them on startup
    The reply is currently minimized Show
  • Accepted Answer

    Friday, November 18 2011, 09:31 PM - #Permalink
    Resolved
    0 votes
    Hi tim, are you planning on turning this into an installable app by any chance so we can simply pull it down from the community repo

    Or will we see some sort of integration into the web config
    The reply is currently minimized Show
  • Accepted Answer

    Friday, November 18 2011, 06:44 PM - #Permalink
    Resolved
    0 votes
    I also have a hack to the init script so that it restores blocks after a restart, but for some reason the manual block using fail2ban-client isn't working
    The reply is currently minimized Show
  • Accepted Answer

    Friday, November 18 2011, 05:43 PM - #Permalink
    Resolved
    0 votes
    Merci! Release early, release often - so I guess I'll start cracking on creating the RPM.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, November 17 2011, 10:59 PM - #Permalink
    Resolved
    0 votes
    p.s anyone wishing to test out the regex filters - which is useful if things don't seem to be working, run:-
    fail2ban-regex /path/to/log/file /etc/fail2ban/filter.d/test.conf

    Replace test.conf with the regex filter you are trying to test, and provide the full path to your log file
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, November 17 2011, 10:57 PM - #Permalink
    Resolved
    0 votes
    Peter - i've been messing around with Fail2ban (based on the EPEL version 0.8.4) and need to make the following regex filter adjustments so that they are compatible with the way ClearOS logs, and to make sure it picks up the Flexshares FTP / web

    /etc/fail2ban/jail.conf
    ignoreip = 127.0.0.1  
    # add other subnets to prevent your LAN being blocked? 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
    sendmail-whois[name=SSH, dest=root]
    logpath = /var/log/secure
    maxretry = 5

    [proftpd-iptables]
    enabled = true
    filter = proftpd
    action = iptables-multiport[name=ProFTPD, port="ftp,2121"]
    sendmail-whois[name=ProFTPD, dest=root]
    logpath = /var/log/secure

    [sasl-iptables]
    enabled = true
    filter = sasl
    action = iptables[name=sasl, port=smtp, protocol=tcp]
    sendmail-whois[name=sasl, dest=root]
    logpath = /var/log/maillog

    [postfix-iptables]
    enabled = true
    filter = postfix
    action = iptables[name=postfix, port=25, protocol=tcp]
    sendmail-whois[name=postfix, dest=root]
    logpath = /var/log/maillog


    /etc/fail2ban/filter.d/sasl.conf
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

    /etc/fail2ban/filter.d/postfix.conf
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
    reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
    reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

    /etc/fail2ban/filter.d/proftpd.conf
    failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
    ^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
    ^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
    ^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, November 16 2011, 11:06 AM - #Permalink
    Resolved
    0 votes
    nano /etc/ssh/sshd_config

    from mine

    # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.
    Port 2222
    #Protocol 2,1
    Protocol 2

    once your done

    /etc/init.d/ssh restart

    now connect to ssh with the port prefix

    ssh -p2222 mycleardomain.com -l sshenableduser

    Or use @
    The reply is currently minimized Show
  • Accepted Answer

    yaye
    yaye
    Offline
    Wednesday, November 16 2011, 03:10 AM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:
    Thanks for the tips!

    You're welcome.

    PS there is an "SSH Server" app that will appear in the next beta. It lets adminstrators tweak:

    - The port number (with a little helper to remind users about the firewall)
    - Root login policy
    - Password policy (i.e. allow key-based authentication only)

    Great, but if this continues, I'll forget how to use nano. :)
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, November 15 2011, 06:27 PM - #Permalink
    Resolved
    0 votes
    Thanks for the tips!

    PS there is an "SSH Server" app that will appear in the next beta. It lets adminstrators tweak:

    - The port number (with a little helper to remind users about the firewall)
    - Root login policy
    - Password policy (i.e. allow key-based authentication only)
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, November 15 2011, 11:31 AM - #Permalink
    Resolved
    0 votes
    Max retry for me is 3 as well

    maxretry = 3

    Also changing the default port its running on cuts down a huge bulk of automated brute force attempts then add fail2ban is the icing on the cake
    The reply is currently minimized Show
  • Accepted Answer

    yaye
    yaye
    Offline
    Monday, November 14 2011, 09:42 PM - #Permalink
    Resolved
    0 votes
    For our home server, I added a bantime. I was very mean, for those who couldn't login after maxretry = 3 , I would ban them for 24 hours (bantime = 86400). :)
    The reply is currently minimized Show
Your Reply