Differences

This shows you the differences between two versions of the page.

--- howto:fail2ban [2017/09/19 11:59] – continue with the doc ragnarok
+++ howto:fail2ban [2020/07/02 22:59] – add rules for hack / spam logs ragnarok
@@ Line 1: / Line 1: @@
 ====== Use Fail2Ban on GNU/Linux to block botnet's attacks ======
-Synchronet now have a built-it support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only. If you running another services/daemos on same server, you can use Fail2Ban and the to block at firewall level the ip address from the attacker.
+Synchronet now have a built-in support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only (which in most cases is sufficient).
+If you running another services/daemons on same server, you can use [[http://fail2ban.org|Fail2Ban]] and to block at firewall level the ip address from the attacker.
 You must config and setup the sbbs log file that are explained here: [[config:nix|UNIX]]
-These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc.
+//NOTE: These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc.
+//
 First step, install fail2ban package:
@@ Line 23: / Line 26: @@
 findtime = 21600
 bantime = 21600
+[sbbs-hack]
+enabled  = true
+filter   = sbbs-hack
+action   = iptables-allports[name=SBBS-hack, protocol=all]
+logpath  = /sbbs/data/hack.log
+maxretry = 3
+findtime = 21600
+bantime = 21600
+[sbbs-smtp]
+enabled  = true
+filter   = sbbs-smtp
+action   = iptables-allports[name=SBBS-smtp, protocol=all]
+logpath  = /var/log/sbbs.log
+maxretry = 3
+findtime = 21600
+bantime = 21600
+[sbbs-spam]
+enabled  = true
+filter   = sbbs-spam
+action   = iptables-allports[name=SBBS-spam, protocol=all]
+logpath  = /sbbs/data/spam.log
+maxretry = 3
+findtime = 21600
+bantime = 21600
 </code>
 Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf
 <code>
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = Bad password from: <HOST>
             Throttling suspicious connection from: <HOST>
 ignoreregex =
+</code>
+Filter for hack.log (/etc/fail2ban/filter.d/sbbs-hack.conf)
+<code>
+[INCLUDES]
+before = common.conf
+[Init]
+maxlines=6
+[Definition]
+failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n
+ignoreregex =
+</code>
+Filter for smtp (/etc/fail2ban/filter.d/sbbs-smtp.conf)
+<code>
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = .* !TEMPORARY BAN of .* <HOST> .*
+            SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
+ignoreregex =
+</code>
+Filter for spam (/etc/fail2ban/filter.d/sbbs-spam.conf)
+<code>
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]
+            Host\: .* \[<HOST>\]
+ignoreregex =
 </code>
 Reload or restart the service and verify if you jail is loaded:
 <code>
 # fail2ban-client status
 Status
-|- Number of jail:      7
+|- Number of jail:	7
-`- Jail list:           ssh, asterisk-udp, *sbbs-main*, nginx-http-auth, ssh-ddos, asterisk-tcp
+`- Jail list:	asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, sshd
 </code>
+(*) your sbbs active jail's
 After some time, you can observe via iptables that severals ip address was blocked
 <code>
+# iptables -L -n
 Chain fail2ban-SBBS-main (1 references)
 target     prot opt source               destination
@@ Line 69: / Line 136: @@
 </code>
 ===== See Also =====
   * [[:howto:|howto index]]
-{{tag>}}
+{{tag>linux}}

Trace:

Differences

Navigation

Search

Toolbox