Fail2Ban is a small script written in python that is responsible for observing the logs looking for “patterns” suspects, and is able to take steps to block attackers either iptables or launching a command of your choice.
To install on CentOS , you can install the repository EPEL the following steps:
- rpm-Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
After installing the repository, install fail2ban :
- yum-y install fail2ban
The fail2ban configuration directory is / ec/fail2ban / there we will find two directories: action.dy filter.d.
In action.d, find fail2ban actions performed when any of our filters “hunt” some IP doing evil. These actions pass filtering with iptables, sending warning mails etc. while in filter.d, we have all the filters we use as a “trap” to catch our attackers.
In our case, we will configure fail2ban on a web server, which lately has been detected a high number of injection attack attempts, both SQL and XSS, and at least pretend block access we observed in the logs.
For that you have to edit the file jail.conf directory / etc/fail2ban / in this file have all the traps or “jails” and their corresponding actions, accompanied by some default parameters, input, it is recommended that we add in the line “ignoreip” our local ip, or to any server you can connect in case we mistakenly we block ourselves.
- ignoreip = 127.0.0.1 <nuestra ip>
Once done, we reviewed all the entries in this file, the first entry found is the ssh, this “jail” in our case is as follows:
1. [ssh -iptables]
2. enabled = true
3. filter = sshd
4. action = iptables [name = SSH, port = ssh , protocol = tcp]
5. sendmail-whois [name = SSH, dest = root, sender = [email protected]]
6. logpath = / var / log / secure
7. maxretry = 5
We ordered the following fields:
- If enabled
- The action to be executed (one per line), in this case we filter with the “action” iptables ssh port and sent a mail with the sendmail-whois action [email protected]
- We indicate the log file that will read the filter / var / log / secure is where SSH logs on.
- And we indicate the number of attempts to execute the action (in this case 5)
What is important here is to change the lines logpath, because our server is a plesk logs path is ” / var / www / vhosts / * / statistics / logs / access_log “or” / var / www / vhosts / * / statistics / logs / error_log “the rest are changes that are mail to send the mails, and the names of the filters to be applied, we apply these:
Blocks with the / etc / hosts.deny hosts that try to connect to password protected domains (these authentication failures appear in the error_log)
Blocked by iptables hosts that are connected using a “User Agent” suspect, and send us an email to let us know.
We block hosts that try an injection of code like: GET / index.php? N = http://www.dominio.com/fichero.htm
Block the hosts that access suspicious urls, doing a SCAN or directly accessing urls trying to inject from php system calls (system, passthru) this rule fills in the expressions that we find in the logs at the end of the post, attach the filter content in our case.