Differences
This shows you the differences between two versions of the page.
howto:fail2ban [2018/01/14 13:15] – [See Also] digital man | howto:fail2ban [2023/07/25 15:36] (current) – [Use Fail2Ban on GNU/Linux to block botnet's attacks] nick young | ||
Line 26: | Line 26: | ||
findtime = 21600 | findtime = 21600 | ||
bantime = 21600 | bantime = 21600 | ||
+ | |||
+ | [sbbs-ddos] | ||
+ | enabled | ||
+ | filter | ||
+ | action | ||
+ | logpath | ||
+ | maxretry = 8 | ||
+ | findtime = 600 | ||
+ | bantime = 21600 | ||
+ | |||
+ | [sbbs-hack] | ||
+ | enabled | ||
+ | filter | ||
+ | action | ||
+ | logpath | ||
+ | maxretry = 3 | ||
+ | findtime = 21600 | ||
+ | bantime = 21600 | ||
+ | |||
+ | [sbbs-smtp] | ||
+ | enabled | ||
+ | filter | ||
+ | action | ||
+ | logpath | ||
+ | maxretry = 3 | ||
+ | findtime = 21600 | ||
+ | bantime = 21600 | ||
+ | |||
+ | [sbbs-spam] | ||
+ | enabled | ||
+ | filter | ||
+ | action | ||
+ | logpath | ||
+ | maxretry = 3 | ||
+ | findtime = 21600 | ||
+ | bantime = 21600 | ||
+ | |||
+ | |||
</ | </ | ||
Create the filter file / | Create the filter file / | ||
< | < | ||
- | [INCLUDES] | + | [INCLUDES] |
- | before = common.conf | + | before = common.conf |
- | [Definition] | + | [Definition] |
- | failregex = Bad password from: < | + | failregex = Bad password from: < |
- | Throttling suspicious connection from: < | + | Throttling suspicious connection from: < |
- | ignoreregex = | + | ignoreregex = |
+ | </ | ||
+ | |||
+ | Filter for ddos (/ | ||
+ | < | ||
+ | [INCLUDES] | ||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | failregex = !Maximum concurrent connections without login (.*) reached from host: < | ||
+ | ignoreregex = | ||
+ | </ | ||
+ | |||
+ | Filter for hack.log (/ | ||
+ | < | ||
+ | [INCLUDES] | ||
+ | before = common.conf | ||
+ | [Init] | ||
+ | maxlines=6 | ||
+ | [Definition] | ||
+ | failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[< | ||
+ | ignoreregex = | ||
+ | </ | ||
+ | |||
+ | Filter for smtp (/ | ||
+ | < | ||
+ | [INCLUDES] | ||
+ | before = common.conf | ||
+ | [Definition] | ||
+ | failregex = .* !TEMPORARY BAN of .* < | ||
+ | SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[< | ||
+ | ^.*\[< | ||
+ | ignoreregex = | ||
+ | </ | ||
+ | |||
+ | Filter for spam (/ | ||
+ | < | ||
+ | [INCLUDES] | ||
+ | before = common.conf | ||
+ | [Definition] | ||
+ | failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[< | ||
+ | Host\: .* \[< | ||
+ | ignoreregex = | ||
</ | </ | ||
Reload or restart the service and verify if you jail is loaded: | Reload or restart the service and verify if you jail is loaded: | ||
< | < | ||
+ | |||
# fail2ban-client status | # fail2ban-client status | ||
Status | Status | ||
- | |- Number of jail: 7 | + | |- Number of jail: 7 |
- | `- Jail list: ssh, asterisk-udp, *sbbs-main*, | + | `- Jail list: |
</ | </ | ||
+ | (*) your sbbs active jail's | ||
After some time, you can observe via iptables that severals ip address was blocked | After some time, you can observe via iptables that severals ip address was blocked | ||
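Review bot: the failregex `SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<` appears in both the smtp filter and the spam filter, so if the `sbbs-smtp` and `sbbs-spam` jails read the same log, a single blacklisted-server line is counted toward both jails' `maxretry = 3`; keep that pattern in one filter only, or state in the text which jail is meant to own it. The third smtp pattern, `^.*\[<`, shows no literal text before the host capture as rendered here (the line is cut off), so confirm the full pattern carries a distinguishing token, otherwise any line with a bracketed host would register as a failure. The sample `fail2ban-client status` output still reports `|- Number of jail: 7` after four sbbs jails were added; either update the count or say the output is illustrative.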
Line 73: | Line 155: | ||
RETURN | RETURN | ||
+ | Chain fail2ban-SBBS-ddos (1 references) | ||
+ | target | ||
+ | REJECT | ||
+ | RETURN | ||
</ | </ | ||
- | |||
- | **ToDo:** | ||
- | |||
- | * Add regexp for spam.log and hack.log | ||
- | |||
===== See Also ===== | ===== See Also ===== | ||
* [[: | * [[: |
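Review bot: the chain shown as `Chain fail2ban-SBBS-ddos (1 references)` differs in case from the jail name `sbbs-ddos`; fail2ban takes the chain name from the action's `name` parameter, which defaults to the jail name, so the jail's `action` line presumably sets it explicitly and the text should say so, otherwise a reader who copies the jail as written will look for a chain that does not exist. Removing the ToDo entry for spam.log and hack.log regexps is consistent with the spam and hack filters added in this revision.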