Skip to main content

How To Install Fail2Ban on CentOS 7 / Debian 11

 What is Fail2Ban?

Fail2Ban is a log-parsing application that protects Linux virtual server host against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks. It works by monitoring system logs for any malicious activity and scanning files for any entries matching identified patterns.




How To Install Fail2Ban on CentOS 7 / Debian 11

####For CentOS 7 


yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm


yum install fail2ban


#####



##For Debian 11


apt-get update

apt-get -y install fail2ban


cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local_bkp


nano /etc/fail2ban/jail.local

##Copy paste##


####Copy from here#####


[DEFAULT]

# Ban hosts for one hour:

bantime = -1

ignoreip = 192.168.1.201 127.0.0.0/8

# Override /etc/fail2ban/jail.d/00-firewalld.conf:

#banaction = iptables-multiport


[sshd]

enabled  = true

action   = iptables-allports[name=sshd, protocol=all] sendmail-whois[name=Fail2ban-SSH-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]

port = 22

maxretry = 5

findtime = 7200

bantime  = 86400


[sshd-ddos]

enabled = true

maxretry = 3

port = 22

bantime = 10000000

action   = iptables-multiport[name=ssh-ddos, port="22", protocol=tcp] sendmail-whois[name=Fail2ban-SSH-DDOS-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[asterisk]

enabled = true

port = 5060

action   = iptables-multiport[name=asterisk, port=5060, protocol=tcp,udp] sendmail-whois[name=Fail2ban-Asterisk-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-nohome]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-nohome, port="443"]

sendmail-whois[name=Fail2ban-apache-nohome-192.168.1.201,sender=192.168.1.201,dest="manish.23k@gmail.com"]


[apache-overflows]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-overflows, port="443"]

sendmail-whois[name=Fail2ban-apache-overflows-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-noscript]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-noscript, port="443"]

sendmail-whois[name=Fail2ban-apache-noscript-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-modsecurity]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-modsecurity, port="443"]

sendmail-whois[name=Fail2ban-apache-modsecurity-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-fakegooglebot]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-fakegooglebot, port="443"]

sendmail-whois[name=Fail2ban-apache-fakegooglebot-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-botsearch]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-botsearch, port="443"]

sendmail-whois[name=Fail2ban-apache-botsearch-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-badbots]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-badbots, port="443"]

sendmail-whois[name=Fail2ban-apache-badbots-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-auth]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-auth, port="443"]

sendmail-whois[name=Fail2ban-apache-auth-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[php-url-fopen]

enabled = true

logpath  = /var/log/apache2/access.log

port     = 443

action   = iptables-multiport[name=php-url-fopen, port="443"]

sendmail-whois[name=Fail2ban-php-url-fopen-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[mysqld-auth]

enabled = true

port     = 3306

logpath  = /var/log/syslog

action   = iptables-multiport[name=mysqld-auth, port="3306"]

sendmail-whois[name=Fail2ban-mysqld-auth-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


[apache-shellshock]

enabled = true

port     = 443

action   = iptables-multiport[name=apache-shellshock, port="443"]

sendmail-whois[name=Fail2ban-apache-shellshock-192.168.1.201,sender=192.168.1.201 ,dest="manish.23k@gmail.com"]


######EOF##########


#iptables-multiport setup


nano /etc/fail2ban/action.d/iptables-multiport.conf


### Copy here#####


# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Modified by Yaroslav Halchenko for multiport banning

#


[INCLUDES]


before = iptables-common.conf


[Definition]


# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = <iptables> -N f2b-<name>

              <iptables> -A f2b-<name> -j <returntype>

              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>


# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

             <iptables> -F f2b-<name>

             <iptables> -X f2b-<name>


# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'


# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>


# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

    

[Init]



##### EOF ######


#Logrotaion configuration


sed -i -e 's/weekly/size 30M/g' /etc/logrotate.d/fail2ban


#Enable service on startup


systemctl restart fail2ban

systemctl enable fail2ban


##################################################################################

For Asterisk 18+ Version

il trying to configure fail2ban-iptables to secure my server asterisk 16.6.1
this is my jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = rouroubella345@gmail.com
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = all
chain = INPUT
# action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
          
          
# action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
          
action = iptables-allports[name=ASTERISK, protocol=all]

[asterisk-iptables]
enabled     = true
port        = 5060, 5061
filter      = asterisk
logpath     = /var/log/asterisk/messages
maxretry    = 3

for filters i used /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

journalmatch = _SYSTEMD_UNIT=asterisk.service


[lt_journal]

# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

the action that my asterisk service invokes is called iptables-multiport this is the associated file :

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
name = default
port = 5060, 5061
protocol = all
chain = INPUT

After making changes restart Fail2Ban to take effect.

[For SysVinit Systems]
# service fail2ban restart

[For systemd Systems]
# systemctl restart fail2ban.service
sudo fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	asterisk-iptables, sshd


Comments

Post a Comment

Popular posts from this blog

Vicidial Scratch installation Alma -9

Step 1 – Download the dependencies   hostnamectl set-hostname xxxxxx.xxxxx.xxx ### Use YOUR SubDomain vi /etc/hosts ##Change domain name for actual server ip (xxx.xxx.xxx.xxx   complete domain name    subdomain only) timedatectl set-timezone Asia/Kolkata yum check-update yum update -y yum -y install epel-release yum update -y yum install git -y yum install -y kernel* sudo dnf install kernel-devel-$(uname -r) -y #Disable SELINUX sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config     reboot Step 2 – Run the Script cd /usr/src/ git clone https://github.com/manish23k/vicidial-install-scripts cd vicidial-install-scripts chmod +x alma-rocky9-ast16.sh ./alma-rocky9-ast16.sh Or the Asterisk 18 version: chmod +x alma-rocky9-ast18.sh ./alma-rocky9-ast18.sh ####For PHP 8 use this script. chmod +x main-installer-php8.sh ./main-installer-php8.sh
Post a Comment
Read more

Vicidial Scratch installation Debian 11 with Asterisk 16, WebRTC and Dynamic Portal

  Vicidial Scratch installation Debian 11  Asterisk 16, WebRTC and Dynamic Portal apt update apt upgrade apt-get install git nano wget cd /usr/src/ git clone https://github.com/manish23k/Vici_Install_Scripts_Deb_11.git cd Vici_Install_Scripts_Deb_11/ chmod +x *.sh Run ./vici_install_deb_ast16.sh Install WebRTC ./vicidial-install-webrtc.sh Once Done with Configuration Secure Server with Vici Dynamic Portal Run ./vici_dynportal.sh
Post a Comment
Read more

How to delete old call logs and other logs in vicidial or goautodial.

Step 1 : SSH to the server using the Putty Step 2:   login to mysql by typing   mysql -p                    (if you dont know password try below command )               mysql -ucron -p1234 Step 3 : select the asterisk database by typing               use asterisk step 4: Run the below command to check total disk occupied by asterisk database                SELECT table_schema AS "asterisk", ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)" FROM information_schema.TABLES GROUP BY table_schema; Step 5 : Run the below command to check disk space consumed by each table in asterisk database SELECT table_name AS "Table", ROUND(((data_length + index_length) / 1024 / 1024), 2) AS "Size (MB)" FROM information_schema.TABLES WHERE table_schema = "asterisk" ORDER BY (data_length + inde...
Post a Comment
Read more