Article

(View Disclaimer)

Problem:

Some nasty people out in the open internet find it amusing to try and hack your ssh/www/ftp service. You have chosen a secure login and password, but your logfile is getting crammed and you don't like that.

Solution:

There is a small python script named fail2ban. It keeps an eye on the specified logfile and logs failed login attempts. After a specified amount of failed attempts it uses iptables to ban the ip for a specified amount of time or runs a user defined command.

Example:

Christian Rauch offers rpm packages on his ftp server: I used version 0.8.0 which is available since 2007-05-03.

wget ftp://ftp.rauchs-home.de/suse/10.2/noarch/fail2ban...
rpm -i fail2ban-0.8.0-0.rauch.3.SuSE1020.noarch.rpm

You'll find the additional download links on the official project page:
http://www.fail2ban.org/wiki/index.php/Main_Page

After installation, edit the two main config files with your favorite editor.

In the fail2ban.conf you'll find the logging configuration.

vi /etc/fail2ban/fail2ban.conf

In the jail.conf you'll find the definitions of the services you want to monitor. The file is commented very well, so there should be no problem finding the options you need.

Look especially at the options in the top of the file under [DEFAULT].

The "findtime", the length of time fail2ban remembers a login attempt, is with 10 minutes a bit long for my taste. So I change it to 1 minute:

findtime = 60

I want to monitor vsftpd, but I don't want to be informed when somebody has been banned. This happens far to often. So this is what my entry looks like:

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800 

Now I start fail2ban:

/etc/init.d/fail2ban start

Fail2ban now monitors the logfile from vsftpd. If someone tries to log in and fails 5 times in a row inside a 1 minute timeframe his (or her) ip address gets banned for 1800 seconds (30 minutes). That should be enough to discourage any bot.

You can monitor changes or debug you configuration by increasing the log level in the fail2ban.conf and listing the fail2ban logfile:

less +F /var/log/fail2ban.log

Happy banning!

Environment:

You need to have python 2.4 and iptables installed and should use syslog-ng as system logger.

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.