Aug 262014
 

I’ve been playing around and getting to know CentOS 7 and have decided i prefer iptables (over firewalld) which i have been using for the last few years so here’s how to swap firewalld for iptables.

Disable Firewalld Service.
systemctl disable firewalld
Stop Firewalld Service.
systemctl stop firewalld
Now we install the iptables services.
yum -y install iptables-services
Start iptables at boot.
systemctl enable iptables
Start ip6tables at boot. (skip if you don’t use ipv6)
systemctl enable ip6tables
Finally we start iptables.
systemctl start iptables
Finally we start ip6tables. (skip if you don’t use ipv6)
systemctl start ip6tables

Now our firewall uses iptables and we can add our rules like we always have.

Apr 112014
 

up until now i have been manually blocking ip’s that attack my server but by the time i see them the attacks have normally finished but after the last big attack on my email server (some 35,000 attempts) i decided to find a way to automate the blocking. After a bit of research i decided to setup Fail2ban and here’s how i did it.

As i use a 3rd party repostories – EPEL i can just use yum to install it

yum install fail2ban

once installed i just needed to change the configuration to my liking, the config files can be found at “/etc/fail2ban”

first i edit “/etc/fail2ban/fail2ban.conf” and ensure the “logtarget” is set correctly

logtarget = /var/log/fail2ban.log

The default behaviour of fail2ban is configured in the file “/etc/fail2ban/jail.conf”. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections.

I explain some of the configuration here:

ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the appropriate filter file in “/etc/fail2ban/filter.d”.
logpath: The log file that fail2ban checks for failed login attempts.

so i edit “/etc/fail2ban/jail.conf” and add my ip to “ignoreip”.
then i just need to configure the jails i want to use, here’s my ssh jail

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="ssh, 4564"]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@server.com]
logpath  = /var/log/secure
maxretry = 3

Don’t forget to change the port to what ever port your ssh runs on and also set the “sender” and “dest” to your email.

I use a couple of other jails/filters which i’ll show you how i configured them but first i’ll show you how to start and check its running.

start fail2ban

/etc/init.d/fail2ban start

now check “/var/log/fail2ban.log” and make sure there’s no errors.
you can also check the rules are in iptables

iptables -L 

now as i said i use a couple of custom filters here’s how i did them.
Create the filter file “/etc/fail2ban/filter.d/dovecot-pop3imap.conf” and add

[Definition]
failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
ignoreregex =

note: the failregex may need changing to suit your system.

now add the following to “/etc/fail2ban/jail.conf”

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
    sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@server.com]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600

then just restart fail2ban

/etc/init.d/fail2ban restart

you can create all sorts of custom jails/filters just google for other ideas.