Apr 112014

up until now i have been manually blocking ip’s that attack my server but by the time i see them the attacks have normally finished but after the last big attack on my email server (some 35,000 attempts) i decided to find a way to automate the blocking. After a bit of research i decided to setup Fail2ban and here’s how i did it.

As i use a 3rd party repostories – EPEL i can just use yum to install it

yum install fail2ban

once installed i just needed to change the configuration to my liking, the config files can be found at “/etc/fail2ban”

first i edit “/etc/fail2ban/fail2ban.conf” and ensure the “logtarget” is set correctly

logtarget = /var/log/fail2ban.log

The default behaviour of fail2ban is configured in the file “/etc/fail2ban/jail.conf”. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections.

I explain some of the configuration here:

ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the appropriate filter file in “/etc/fail2ban/filter.d”.
logpath: The log file that fail2ban checks for failed login attempts.

so i edit “/etc/fail2ban/jail.conf” and add my ip to “ignoreip”.
then i just need to configure the jails i want to use, here’s my ssh jail

enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="ssh, 4564"]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@server.com]
logpath  = /var/log/secure
maxretry = 3

Don’t forget to change the port to what ever port your ssh runs on and also set the “sender” and “dest” to your email.

I use a couple of other jails/filters which i’ll show you how i configured them but first i’ll show you how to start and check its running.

start fail2ban

/etc/init.d/fail2ban start

now check “/var/log/fail2ban.log” and make sure there’s no errors.
you can also check the rules are in iptables

iptables -L 

now as i said i use a couple of custom filters here’s how i did them.
Create the filter file “/etc/fail2ban/filter.d/dovecot-pop3imap.conf” and add

failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
ignoreregex =

note: the failregex may need changing to suit your system.

now add the following to “/etc/fail2ban/jail.conf”

enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
    sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@server.com]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600

then just restart fail2ban

/etc/init.d/fail2ban restart

you can create all sorts of custom jails/filters just google for other ideas.