howto:fail2ban [2017/09/19 12:02] ragnarok
howto:fail2ban [2023/07/25 15:36] (current) – [Use Fail2Ban on GNU/Linux to block botnet's attacks] nick young
Line 1: Line 1:
 ====== Use Fail2Ban on GNU/Linux to block botnet's attacks ====== ====== Use Fail2Ban on GNU/Linux to block botnet's attacks ======
  
-Synchronet now have a built-it support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only. If you running another services/daemons on same server, you can use Fail2Ban and to block at firewall level the ip address from the attacker.+Synchronet now have a built-in support to block incomming connections (see [[howto:block-hackers|Blocking "Hackers"]]) but it's feature protect SBBS services only (which in most cases is sufficient) 
 + 
 +If you running another services/daemons on same server, you can use [[http://fail2ban.org|Fail2Ban]] and to block at firewall level the ip address from the attacker.
  
 You must config and setup the sbbs log file that are explained here: [[config:nix|UNIX]] You must config and setup the sbbs log file that are explained here: [[config:nix|UNIX]]
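Review bot: the rewritten first paragraph fixes "built-it" but leaves the other slips on the same line: "incomming" should be "incoming", "it's feature protect SBBS services only" should read "its feature protects SBBS services only", and the new parenthetical "(which in most cases is sufficient)" has no closing period. The new second paragraph should read "If you are running other services/daemons on the same server, you can use Fail2Ban to block the attacker's IP address at the firewall level" (drop the stray "and to"). Linking Fail2Ban to http://fail2ban.org is a good addition.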
Line 7: Line 9:
 //NOTE: These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc. //NOTE: These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc.
 // //
 +
 First step, install fail2ban package: First step, install fail2ban package:
  
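Review bot: the only change in this region is an added blank line, but the unchanged NOTE just above it says "These examples where made", which should be "were made"; since the region is being touched, fix the typo in the same edit.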
Line 23: Line 26:
 findtime = 21600 findtime = 21600
 bantime = 21600 bantime = 21600
 +
 +[sbbs-ddos]
 +enabled  = true
 +filter   = sbbs-ddos
 +action   = iptables-allports[name=SBBS-ddos, protocol=all]
 +logpath  = /var/log/sbbs.log
 +maxretry = 8
 +findtime = 600
 +bantime = 21600
 +
 +[sbbs-hack]
 +enabled  = true
 +filter   = sbbs-hack
 +action   = iptables-allports[name=SBBS-hack, protocol=all]
 +logpath  = /sbbs/data/hack.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +[sbbs-smtp]
 +enabled  = true
 +filter   = sbbs-smtp
 +action   = iptables-allports[name=SBBS-smtp, protocol=all]
 +logpath  = /var/log/sbbs.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +[sbbs-spam]
 +enabled  = true
 +filter   = sbbs-spam
 +action   = iptables-allports[name=SBBS-spam, protocol=all]
 +logpath  = /sbbs/data/spam.log
 +maxretry = 3
 +findtime = 21600
 +bantime = 21600
 +
 +
 </code> </code>
  
 Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf
 <code> <code>
-[INCLUDES]                                                                                                                                                               +[INCLUDES] 
-before = common.conf                                                                                                                                                    +before = common.conf
  
-[Definition]                                                                                                                                                             +[Definition] 
-failregex = Bad password from: <HOST>                                                                                                                                    +failregex = Bad password from: <HOST> 
-            Throttling suspicious connection from: <HOST>                                                                                                                +            Throttling suspicious connection from: <HOST> 
-ignoreregex =  +ignoreregex = 
 +</code> 
 + 
 +Filter for ddos (/etc/fail2ban/filter.d/sbbs-ddos.conf) 
 +<code> 
 +[INCLUDES] 
 +before = common.conf 
 + 
 +[Definition] 
 +failregex = !Maximum concurrent connections without login (.*) reached from host: <HOST> 
 +ignoreregex = 
 +</code> 
 + 
 +Filter for hack.log (/etc/fail2ban/filter.d/sbbs-hack.conf) 
 +<code> 
 +[INCLUDES] 
 +before = common.conf 
 +[Init] 
 +maxlines=6 
 +[Definition] 
 +failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n 
 +ignoreregex = 
 +</code> 
 + 
 +Filter for smtp (/etc/fail2ban/filter.d/sbbs-smtp.conf) 
 +<code> 
 +[INCLUDES] 
 +before = common.conf 
 +[Definition] 
 +failregex = .* !TEMPORARY BAN of .* <HOST> .* 
 +            SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\] 
 +            ^.*\[<HOST>\].*\!TEMPORARY BAN.*$ 
 +ignoreregex = 
 +</code> 
 + 
 +Filter for spam (/etc/fail2ban/filter.d/sbbs-spam.conf) 
 +<code> 
 +[INCLUDES] 
 +before = common.conf 
 +[Definition] 
 +failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\] 
 +            Host\: .* \[<HOST>\] 
 +ignoreregex =
 </code> </code>
  
 Reload or restart the service and verify if you jail is loaded: Reload or restart the service and verify if you jail is loaded:
 <code> <code>
 +
 # fail2ban-client status # fail2ban-client status
 Status Status
-|- Number of jail:      +|- Number of jail: 7 
-`- Jail list:           ssh, asterisk-udp, *sbbs-main*, nginx-http-authssh-ddos, asterisk-tcp+`- Jail list: asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main*sbbs-smtp*sbbs-spam*sbbs-ddos, sshd
  
 </code> </code>
 +(*) your sbbs active jail's
  
 After some time, you can observe via iptables that severals ip address was blocked After some time, you can observe via iptables that severals ip address was blocked
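Review bot: the sbbs-hack filter is the part most likely to silently match nothing: it relies on maxlines=6 with a failregex spanning three lines joined by \n, and the pattern is pinned to "SUSPECTED FTP HACK ATTEMPT", so any entries hack.log records for other protocols will never count toward a ban. Before publishing, validate each new filter against a real log with "fail2ban-regex /sbbs/data/hack.log /etc/fail2ban/filter.d/sbbs-hack.conf" (and likewise for the others) and state the Fail2Ban version this was tested on. Two smaller points: the pasted status output is internally inconsistent, reporting "Number of jail: 7" while listing eight jails, and the asterisk markers run the names together as "*sbbs-main*sbbs-smtp*sbbs-spam*sbbs-ddos" instead of the comma-separated list fail2ban-client actually prints; and the pattern "SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\]" appears in both sbbs-smtp and sbbs-spam, so if the same event is written to both sbbs.log and spam.log it is counted twice toward two separate all-ports bans of 21600 seconds, which the text should either state or avoid by keeping the pattern in one filter.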
Line 70: Line 155:
 RETURN     all  --  0.0.0.0/           0.0.0.0/           RETURN     all  --  0.0.0.0/           0.0.0.0/          
  
 +Chain fail2ban-SBBS-ddos (1 references)
 +target     prot opt source               destination
 +REJECT     all  --  110.53.221.190       0.0.0.0/           reject-with icmp-port-unreachable
 +RETURN     all  --  0.0.0.0/           0.0.0.0/0
 </code> </code>
- 
 ===== See Also ===== ===== See Also =====
   * [[:howto:|howto index]]   * [[:howto:|howto index]]
  
-{{tag>}}+{{tag>linux}}
  
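Review bot: the added sample chain publishes a real-looking public address (110.53.221.190) in a REJECT rule; documentation samples should use an address from the RFC 5737 documentation ranges (for example 192.0.2.10) so that no real host is presented as an attacker. The destination column is also inconsistent within the added block: the REJECT line shows "0.0.0.0/" while the RETURN line shows "0.0.0.0/0"; both should be "0.0.0.0/0" as iptables -L -n prints it. The {{tag>linux}} change is fine.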
howto/fail2ban.1505847733.txt · Last modified: 2017/09/19 12:02 by ragnarok
CC Attribution 4.0 International