Skip to main content

How To Install Fail2Ban on CentOS 7 / Debian 11

 What is Fail2Ban?

Fail2Ban is a log-parsing application that protects Linux virtual server host against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks. It works by monitoring system logs for any malicious activity and scanning files for any entries matching identified patterns.




How To Install Fail2Ban on CentOS 7 / Debian 11

####For CentOS 7 


yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm


yum install fail2ban


#####



##For Debian 11


apt-get update

apt-get -y install fail2ban


cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local_bkp


nano /etc/fail2ban/jail.local

##Copy paste##


####Copy from here#####


[DEFAULT]

# Ban hosts for one hour:

bantime = -1

ignoreip = 192.168.1.201 127.0.0.0/8

# Override /etc/fail2ban/jail.d/00-firewalld.conf:

#banaction = iptables-multiport


[sshd]

enabled  = true

action   = iptables-allports[name=sshd, protocol=all] sendmail-whois[name=Fail2ban-SSH-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]

port = 22

maxretry = 5

findtime = 7200

bantime  = 86400


[sshd-ddos]

enabled = true

maxretry = 3

port = 22

bantime = 10000000

action   = iptables-multiport[name=ssh-ddos, port="22", protocol=tcp] sendmail-whois[name=Fail2ban-SSH-DDOS-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[asterisk]

enabled = true

port = 5060

action   = iptables-multiport[name=asterisk, port=5060, protocol=tcp,udp] sendmail-whois[name=Fail2ban-Asterisk-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-nohome]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-nohome, port="443"]

sendmail-whois[name=Fail2ban-apache-nohome-192.168.1.201,sender=192.168.1.201,dest="manish.23k@gmail.com"]


[apache-overflows]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-overflows, port="443"]

sendmail-whois[name=Fail2ban-apache-overflows-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-noscript]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-noscript, port="443"]

sendmail-whois[name=Fail2ban-apache-noscript-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-modsecurity]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-modsecurity, port="443"]

sendmail-whois[name=Fail2ban-apache-modsecurity-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-fakegooglebot]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-fakegooglebot, port="443"]

sendmail-whois[name=Fail2ban-apache-fakegooglebot-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-botsearch]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-botsearch, port="443"]

sendmail-whois[name=Fail2ban-apache-botsearch-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-badbots]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-badbots, port="443"]

sendmail-whois[name=Fail2ban-apache-badbots-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-auth]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-auth, port="443"]

sendmail-whois[name=Fail2ban-apache-auth-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[php-url-fopen]

enabled = true

logpath  = /var/log/apache2/access.log

port     = 443

action   = iptables-multiport[name=php-url-fopen, port="443"]

sendmail-whois[name=Fail2ban-php-url-fopen-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[mysqld-auth]

enabled = true

port     = 3306

logpath  = /var/log/syslog

action   = iptables-multiport[name=mysqld-auth, port="3306"]

sendmail-whois[name=Fail2ban-mysqld-auth-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-shellshock]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-shellshock, port="443"]

sendmail-whois[name=Fail2ban-apache-shellshock-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


######EOF##########


#iptables-multiport setup


nano /etc/fail2ban/action.d/iptables-multiport.conf


### Copy here#####


# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Modified by Yaroslav Halchenko for multiport banning

#


[INCLUDES]


before = iptables-common.conf


[Definition]


# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = <iptables> -N f2b-<name>

              <iptables> -A f2b-<name> -j <returntype>

              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>


# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

             <iptables> -F f2b-<name>

             <iptables> -X f2b-<name>


# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'


# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>


# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

    

[Init]



##### EOF ######


#Logrotaion configuration


sed -i -e 's/weekly/size 30M/g' /etc/logrotate.d/fail2ban


#Enable service on startup


systemctl restart fail2ban

systemctl enable fail2ban


##################################################################################

For Asterisk 18+ Version

il trying to configure fail2ban-iptables to secure my server asterisk 16.6.1
this is my jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = rouroubella345@gmail.com
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = all
chain = INPUT
# action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
          
          
# action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
          
action = iptables-allports[name=ASTERISK, protocol=all]

[asterisk-iptables]
enabled     = true
port        = 5060, 5061
filter      = asterisk
logpath     = /var/log/asterisk/messages
maxretry    = 3

for filters i used /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

journalmatch = _SYSTEMD_UNIT=asterisk.service


[lt_journal]

# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

the action that my asterisk service invokes is called iptables-multiport this is the associated file :

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
name = default
port = 5060, 5061
protocol = all
chain = INPUT

After making changes restart Fail2Ban to take effect.

[For SysVinit Systems]
# service fail2ban restart

[For systemd Systems]
# systemctl restart fail2ban.service
sudo fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	asterisk-iptables, sshd


Comments

Post a Comment

Popular posts from this blog

Vicidial Scratch installation Debian 11 with Asterisk 16, WebRTC and Dynamic Portal

  Vicidial Scratch installation Debian 11  Asterisk 16, WebRTC and Dynamic Portal apt update apt upgrade apt-get install git nano wget cd /usr/src/ git clone https://github.com/manish23k/Vici_Install_Scripts_Deb_11.git cd Vici_Install_Scripts_Deb_11/ chmod +x *.sh Run ./vici_install_deb_ast16.sh Install WebRTC ./vicidial-install-webrtc.sh Once Done with Configuration Secure Server with Vici Dynamic Portal Run ./vici_dynportal.sh
Post a Comment
Read more

Vicidial Scratch installation Alma -9

Step 1 – Download the dependencies   hostnamectl set-hostname xxxxxx.xxxxx.xxx ### Use YOUR SubDomain vi /etc/hosts ##Change domain name for actual server ip (xxx.xxx.xxx.xxx   complete domain name    subdomain only) timedatectl set-timezone Asia/Kolkata yum check-update yum update -y yum -y install epel-release yum update -y yum install git -y yum install -y kernel* #Disable SELINUX sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config     reboot Step 2 – Run the Script cd /usr/src/ git clone https://github.com/manish23k/vicidial-install-scripts cd vicidial-install-scripts chmod +x alma-rocky9-ast16.sh ./alma-rocky9-ast16.sh Or the Asterisk 18 version: chmod +x alma-rocky9-ast18.sh ./alma-rocky9-ast18.sh
Post a Comment
Read more

Debian 11 Vicidial scratch install dynamic portal

  Step by step guide to scratch install the vidial dynamic portal in Debian 11 or ubuntu based vicidial scratch installations. If you have installed vicidial using scratch installation instead of using the default vicibox iso then you need to manually install and configure the dynamic portal , follow this blog tutorial to scratch install the vicidial dynamic portal . Here's the steps to install and configure the vicidial dynamic portal in scratch installations. Steps to install vicidial dynamic portal cd /usr/src git clone https://github.com/manish23k/vicidial-dynamicportal.git cd vicidial-dynamicportal chmod +x vici_dynportal.sh ./vici_dynportal.sh or you can install manually. Follow the below steps to install and configure the vicidial dynamic portal in your scratch installations, Step 1: Install the firewalld and ipset apt install firewalld apt  install ipset Step 2: Download the Dynamic portal files from my Github cd /usr/src/ mkdir dynamicportal cd dynamicportal wg...
Post a Comment
Read more