
How To Install Fail2Ban on CentOS 7 / Debian 11

 What is Fail2Ban?

Fail2Ban is a log-parsing daemon. It watches service logs (sshd, Apache, Asterisk, MySQL, …) for lines that match known failure patterns and, when one source address produces more than `maxretry` matches inside `findtime`, blocks that address in the host firewall for `bantime`. That makes it effective against password brute-force and dictionary attacks and against scanners that probe for known URLs; it is not a defence against DoS/DDoS, which does not depend on failed logins and is usually over before a log line is written.




How To Install Fail2Ban on CentOS 7 / Debian 11

####For CentOS 7 


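# CentOS 7: fail2ban lives in EPEL. Install the epel-release package from the
# CentOS "extras" repository so yum verifies its GPG signature; the original
# fetched the RPM by URL, and yum does not signature-check a URL/local package
# (localpkg_gpgcheck defaults to 0).
# NOTE: CentOS 7 reached end of life on 2024-06-30 and receives no security fixes.
yum install -y epel-release
# The EPEL package also drops jail.d/00-firewalld.conf, which makes firewalld
# (firewallcmd-ipset) the default banaction instead of plain iptables - see the
# DEFAULT section of jail.local below.
yum install -y fail2ban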


#####



##For Debian 11


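apt-get update
apt-get -y install fail2ban

# A fresh install ships /etc/fail2ban/jail.conf (plus jail.d/); jail.local does
# not exist yet, so the unconditional backup in the original version failed.
# Keep a copy only when there is an existing local override to preserve, and
# never edit jail.conf itself - it is replaced on upgrade.
if [ -f /etc/fail2ban/jail.local ]; then
    cp -p /etc/fail2ban/jail.local /etc/fail2ban/jail.local_bkp
fi

nano /etc/fail2ban/jail.local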

##Copy paste##


####Copy from here#####


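# /etc/fail2ban/jail.local -- local overrides layered on top of the packaged
# jail.conf (and jail.d/*.conf). Only keys set here change; filters, default
# log paths and the action_* templates come from jail.conf.
#
# Layout rules that the original version of this file got wrong:
#   * one action per line -- a second action (e.g. sendmail-whois) must sit on
#     its own indented continuation line, exactly as action_mw in jail.conf
#     does; two actions on one line, or a second line starting at column 0,
#     are not parsed as a separate action;
#   * the jail name is available as %(__name__)s, so no per-jail name= tags
#     are needed and every jail gets its own f2b-<jail> firewall chain.

[DEFAULT]
# Seconds a host stays banned unless a jail overrides it. The original set -1
# (permanent) under a comment claiming "one hour"; permanent bans from the
# apache/asterisk/mysql jails below never expire, and a shared NAT address
# with a handful of bad requests is locked out for good.
bantime = 3600

# Never ban these: loopback (v4 and v6) and the admin workstation.
ignoreip = 127.0.0.0/8 ::1 192.168.1.201

# E-mail notification settings used by action_mw below. Put a mailbox you
# actually read in destemail. sender must be an e-mail address; the original
# passed an IP address here, which yields an invalid From: header.
destemail = root@localhost
sender = root@<fq-hostname>
sendername = Fail2Ban
mta = sendmail

# Ban with iptables rules limited to the jail's ports and mail a whois report
# on every ban (action_mw = banaction + mta-whois, defined in jail.conf).
# On CentOS 7 the EPEL package installs jail.d/00-firewalld.conf, which selects
# firewallcmd-ipset; this line overrides it because jail.local is read after
# jail.d/*.conf. Delete it to keep firewalld in charge on that platform.
banaction = iptables-multiport
action = %(action_mw)s


[sshd]
enabled = true
port = 22
# An SSH brute-forcer is locked out of every port, not only 22.
banaction = iptables-allports
maxretry = 5
# Two hours.
findtime = 7200
# One day.
bantime = 86400

[sshd-ddos]
enabled = true
# Since fail2ban 0.10 the separate sshd-ddos filter is a mode of
# filter.d/sshd.conf; name it explicitly so the jail starts on the 0.11.x
# packages of Debian 11 and EPEL 7.
filter = sshd[mode=ddos]
port = 22
maxretry = 3
# Roughly 115 days.
bantime = 10000000

[asterisk]
enabled = true
# iptables -p takes a single protocol, so the original protocol=tcp,udp could
# never build its multiport rule. SIP uses both transports, so ban the address
# on all ports and protocols instead (the port tag is ignored by
# iptables-allports). logpath is inherited from jail.conf.
banaction = iptables-allports
protocol = all

# Apache jails: filters and %(apache_error_log)s come from jail.conf. The
# original banned only port 443, leaving plain HTTP on port 80 open to the
# banned address; block both.
[apache-nohome]
enabled = true
port = http,https

[apache-overflows]
enabled = true
port = http,https

[apache-noscript]
enabled = true
port = http,https

[apache-modsecurity]
enabled = true
port = http,https

[apache-fakegooglebot]
enabled = true
port = http,https

[apache-botsearch]
enabled = true
port = http,https

[apache-badbots]
enabled = true
port = http,https

[apache-auth]
enabled = true
port = http,https

[apache-shellshock]
enabled = true
port = http,https

[php-url-fopen]
enabled = true
port = http,https
# Debian/Ubuntu path. On CentOS httpd writes /var/log/httpd/access_log; or drop
# this line to fall back to jail.conf's %(apache_access_log)s.
logpath = /var/log/apache2/access.log

[mysqld-auth]
enabled = true
port = 3306
# NOTE(review): confirm that failed MySQL/MariaDB logins are really written
# to this file on your system (jail.conf's default is %(mysql_log)s);
# otherwise this jail never bans anything.
logpath = /var/log/syslog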


######EOF##########


#iptables-multiport setup


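# The packaged action file is replaced on every fail2ban upgrade, so local
# changes belong in iptables-multiport.local (read after the .conf, same key
# layout). Keep a pristine copy of the original for reference.
cp -n /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf.orig
nano /etc/fail2ban/action.d/iptables-multiport.local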


### Copy here#####


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
# NOTE(review): this is the stock iptables-multiport action that ships with
# fail2ban (one "f2b-<name>" chain per jail, hooked into <chain> for the jail's
# <port> list). The installed action.d/iptables-multiport.conf already
# contains it, so pasting it back changes nothing; site-specific edits belong
# in iptables-multiport.local, which survives package upgrades.
# <iptables>, <chain>, <returntype> and <blocktype> are supplied by the
# included iptables-common.conf.

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# Creates the per-jail chain, appends the <returntype> rule as its final
# verdict, then inserts a jump to it at the top of <chain> for the jail's
# ports. <port> is placed verbatim after --dports, so it must be a comma list
# with no spaces; -p needs a single protocol, and the multiport match only
# works with tcp/udp/udplite/sctp/dccp (use iptables-allports for "all").
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# Removes the jump, empties the chain (this older copy flushes explicitly;
# newer releases use the <actionflush> tag here) and deletes it.
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# Succeeds only while the jump to f2b-<name> is still present in <chain>; a
# failure makes fail2ban re-run actionstart (e.g. after a firewall reload
# wiped the rules).
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# Inserts at position 1 so the new ban sits above the <returntype> rule.
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# Deletes the rule actionban inserted; it must match exactly (same -s and -j).
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

# No action-level defaults here: name/port/protocol/chain are passed in by
# the jail (see the [Init] section of iptables-common.conf for the fallbacks).
[Init]



##### EOF ######


#Logrotaion configuration


# Rotate fail2ban.log once it reaches 30 MB instead of once a week.
sed --in-place --expression='s/weekly/size 30M/g' /etc/logrotate.d/fail2ban


#Enable service on startup


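# Validate the configuration first (fail2ban 0.10 or later): a typo in
# jail.local otherwise leaves the service down and the host with no bans at all.
fail2ban-client -t
# Start at boot and apply the new configuration now.
systemctl enable fail2ban
systemctl restart fail2ban
# Confirm every expected jail came up.
fail2ban-client status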


##################################################################################

For Asterisk 16 / 18

The jail.local below was written to protect an Asterisk 16.6.1 server with fail2ban and iptables; the same layout is used for Asterisk 18.

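[DEFAULT]
# Loopback (v4 and v6); add your own management address so a mistyped SIP
# password from the admin desk cannot lock you out.
ignoreip = 127.0.0.1/8 ::1
# Seconds: three failures inside 10 minutes earn a 10-minute ban.
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
# Replace with a mailbox you actually read.
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
banaction = iptables-allports
protocol = all
chain = INPUT
# The action_ / action_mw / action_mwl templates already live in jail.conf and
# are not repeated here. In the original file only the first line of each
# template was commented out; the indented lines that followed were still
# live and configparser glued them onto the preceding key (chain), so the
# iptables command ended up containing the sendmail-whois text. When a
# multi-line value is commented out, every line of it must be commented.
#
# name=%(__name__)s gives each jail its own f2b-<jail> chain. The original
# hard-coded name=ASTERISK in DEFAULT, so every enabled jail (the status output
# below also lists an sshd jail enabled from another file) shared one chain
# and stopping either jail deleted the other's rules.
action = %(banaction)s[name=%(__name__)s, protocol="%(protocol)s", chain="%(chain)s"]

[asterisk-iptables]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
# Documentation only: iptables-allports ignores the port list. No space after
# the comma - the value is pasted verbatim into iptables arguments.
port = 5060,5061
maxretry = 3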

For the filter I used the packaged /etc/fail2ban/filter.d/asterisk.conf, reproduced here:

# Fail2Ban filter for asterisk authentication failures
#
# NOTE(review): this is the filter that ships with fail2ban 0.10+ (it relies
# on <F-CONTENT>, {^LN-BEG} and the known/ prefix, which older releases do not
# understand), so there is nothing to copy by hand. Local additions belong in
# filter.d/asterisk.local, which overrides keys from this file and survives
# package upgrades.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

# Optional "[pid]" that follows the log level.
__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

# prefregex strips the common prefix once; each failregex below is then
# matched against the remaining message only (<F-CONTENT>).
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

# One entry per failure message: chan_sip registration/auth failures, the
# SecurityEvent lines emitted by res_security_log, and the chan_pjsip
# "Request ... failed for" form. <HOST> is the address that gets banned.
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

# Timestamp is at the beginning of the line.
datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

# Used when backend = systemd: only read the asterisk unit's journal entries.
journalmatch = _SYSTEMD_UNIT=asterisk.service


[lt_journal]

# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

The banaction configured for the jail is iptables-multiport (note that the `action =` line above actually selects iptables-allports, so the multiport file is only the unused fallback). This is the associated file:

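# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
# This is the stock action file: one f2b-<name> chain per jail, reached from
# <chain> for the jail's <port> list. <iptables>, <chain>, <returntype>,
# <blocktype> and <actionflush> come from the included iptables-common.conf.
# Site-specific changes belong in iptables-multiport.local, not here.

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
# <port> is pasted verbatim after --dports (comma list, no spaces) and -p takes
# exactly one protocol that the multiport match supports (tcp/udp/udplite/sctp/dccp).
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# Fails when the jump to f2b-<name> has vanished from <chain> (e.g. a firewall
# reload), which makes fail2ban re-run actionstart.
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# Inserted at position 1 so the ban sits above the <returntype> rule.
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
# Fallbacks used only when a jail passes no value; action_ in jail.conf always
# passes name, port, protocol and chain explicitly.
name = default
# No space after the comma: "5060, 5061" becomes two shell arguments after
# --dports and the iptables call fails.
port = 5060,5061
# The original had protocol = all here, but "-p all -m multiport" is rejected
# by iptables, so a jail relying on this fallback could never start its chain.
# Keep the upstream default (tcp); use iptables-allports with protocol=all
# when both SIP transports must be blocked.
protocol = tcp
chain = INPUT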

After making changes restart Fail2Ban to take effect.

[For SysVinit Systems]
# service fail2ban restart

[For systemd Systems]
# systemctl restart fail2ban.service

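# Overall jail list, then per-jail counters (currently failed / banned and the
# banned addresses) for the jail that should be protecting Asterisk.
sudo fail2ban-client status
sudo fail2ban-client status asterisk-iptables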

Status
|- Number of jail:	2
`- Jail list:	asterisk-iptables, sshd


Step 1 : SSH to the server using the Putty Step 2:   login to mysql by typing   mysql -p                    (if you dont know password try below command )               mysql -ucron -p1234 Step 3 : select the asterisk database by typing               use asterisk step 4: Run the below command to check total disk occupied by asterisk database                SELECT table_schema AS "asterisk", ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)" FROM information_schema.TABLES GROUP BY table_schema; Step 5 : Run the below command to check disk space consumed by each table in asterisk database SELECT table_name AS "Table", ROUND(((data_length + index_length) / 1024 / 1024), 2) AS "Size (MB)" FROM information_schema.TABLES WHERE table_schema = "asterisk" ORDER BY (data_length + inde...