Archive

Articles taggués ‘fail2ban’

System: fail2ban and iptables

23/04/2021 Comments off

source: http://www.the-art-of-web.com/system/fail2ban/

Around the beginning of 2005 we saw an increase in brute-force ssh attacks – people or robots trying different combinations of username and password to log into remote servers. A quick search on this topic returns many references to iptables and ipchains but noone really explained how they work.

Having just gone through this learning curve myself, and found a satisfactory solution in the fail2ban package, I’m going to try and explain how to achieve the simple goal of banning IP addresses that make repeated failed ssh login attempts.

If you want more technical information regarding firewalls and iptables in particular, see the References section at the bottom of this page. Lire la suite…

Use Fail2Ban to contact the IP provider’s of bruteforce attacks source

18/04/2021 Comments off

source: generationip.asia

Fail2ban is a very useful and powerful solution to limit the bruteforce on your server. but fail2ban doesn’t provide you a way to contact directly the IP provider’s of bruteforce attacks source. I have modify an fail2ban action file’s and create a script for that.

INSTALLATION

Go to the fail2ban action folders :

# cd /etc/fail2ban/action.d

Lire la suite…

Fail2ban, POSTFIX and SPAM

16/04/2021 Comments off

source: deribin.com

Very simple solution:
1) add rule to /etc/fail2ban/jail.conf:

[spam]
enabled = true
filter = spam
action = iptables[name=SPAM, port=smtp, protocol=tcp]
sendmail-whois[name=SPAM, dest=email@your.doamin.com, sender=fail2ban@your.domain.com]
logpath = /var/log/mail.log
bantime = 3600
ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx/xx
maxretry = 2

Lire la suite...

Postfix + fail2ban = win

02/04/2021 Comments off
source: http://blog.dp.cx/25/postfix-fail2ban-win

Recently, I had to lease a new server. My old one was ok, but it was 5 years old, and showing it’s age. The most recent bout of problems was due to postfix, and a specific domain that I host mail for.

I had previously set up Policyd in an attempt to stop the influx of spam before it ever hit the server, but it wasn’t doing anything at this point. So approximately 800 messages per minute were getting directly to Postfix, and then running queries against MySQL (I use virtual maps for users, aliases, domains, etc). 99% of these messages were to non-existant users, so Postfix would bounce them. But the little 2.0GHz Celeron couldn’t handle it. The load shot up to 8 for around 3 weeks, and stayed there. I wish the fail2ban idea had come to me sooner… Lire la suite…

Protéger votre serveur ssh contre les attaques brute-force

31/03/2021 Comments off

ssh est excellent pour accéder à distance à ses fichiers, ou même utiliser son ordinateur à distance.

Mais que faire contre les attaques de type brute-force ?
(Essai de toutes les combinaisons de lettre pour trouver le mot de passe).

C’est simple:

sudo aptitude install fail2ban

Et voilà !

Si quelqu’un fait 6 essais ratés de connexion sur le serveur ssh, son adresse IP sera bannie pendant 10 minutes.
C’est suffisant pour rendre inutile ce genre d’attaque.

Pour voir les actions du programme, faites:

sudo cat /var/log/fail2ban.log

Aller plus loin

En fait, fail2ban peut être configuré pour faire plein d’autres choses.
Dans le principe, il surveille les fichiers log de votre choix, et déclenche alors des actions.

Dans le cas de ssh, il surveille /var/log/auth.log et lance des commandes iptables pour bannir les adresses IP.

Regardez le fichier /etc/fail2ban/jail.conf
Il contient déjà les lignes pour bloquer les attaques sur les serveurs ftp (vsftpd, wuftpd, proftpd…), postfix, apache…
Vous pouvez les activer en remplaçant enabled = false par enabled = true.