#1
7th September 2009, 09:04
iceget (Junior Member; Join Date: Feb 2008; Posts: 28)
Fail2Ban on ISPConfig 2.x

Hello community,

I had one question.

My FTP account on my ISPConfig 2.x server was hacked.

The hacker group tried the attacks over a period of 3 months,
and they finished the hack. My FTP password was hacked.

I have changed this password, and my question is:

Can fail2ban help me in this situation?

It's running vsftpd on my server!

If yes, how can I install and configure it?


Thank you very much

Kind regards
#2
8th September 2009, 13:40
falko (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,665)

Quote:
Originally Posted by iceget
Can fail2ban help me in this situation?
Yes.

Quote:
Originally Posted by iceget
If yes, how can I install and configure it?
I've written a few fail2ban tutorials. You can use the "Search" function to find them.
#3
9th September 2009, 11:43
iceget (Junior Member; Join Date: Feb 2008; Posts: 28)
Re

Hello!

I have searched for fail2ban but I can't find any thread opened with your name "falko".

Can you send me the link to the tutorial?

Thank you very much!
#4
9th September 2009, 12:38
_X_ (Senior Member; Join Date: Oct 2008; Posts: 248)

Here:

http://www.howtoforge.com/trip_search?keys=fail2ban

Just find your distribution...
#5
9th September 2009, 12:49
iceget (Junior Member; Join Date: Feb 2008; Posts: 28)
Re

Hello!

I cannot find the tutorial for

Debian 4.0 with Roundcube and ISPConfig-2.2.33...

Which tutorial can I use?

Can you help me?

Thank you very much!
#6
9th September 2009, 21:53
_X_ (Senior Member; Join Date: Oct 2008; Posts: 248)

As far as I can see you can use this:

http://www.howtoforge.com/fail2ban_debian_etch

Actually, after installation you have to copy

/etc/fail2ban/jail.conf

to

/etc/fail2ban/jail.local

Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and uncomment the lines for the services you want fail2ban to watch in /etc/fail2ban/jail.local.

After that:

Code:
/etc/init.d/fail2ban restart

Maybe adjustments to some failregex will be needed.

failregex is actually the syntax of the error in the appropriate log file, so modifying it to your specific needs shouldn't be a problem.

Last edited by _X_; 9th September 2009 at 21:56.
#7
11th September 2009, 13:25
iceget (Junior Member; Join Date: Feb 2008; Posts: 28)
Re

Hello!!

Thank you for your help!

I have installed fail2ban with:

apt-get update && apt-get install fail2ban

Now I have made a copy of the original configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now my config files are:

/etc/fail2ban/jail.conf and /etc/fail2ban/jail.local:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5


[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5


[postfix]

enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[sasl]

enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5


Now I have restarted fail2ban with
/etc/init.d/fail2ban restart

and I have tried with FTP and .htaccess user auth to lock my IP.

I have tried 10 times with user auth on .htaccess and 10 times with vsftpd, but fail2ban doesn't lock my IP.


Must I configure other files?

Here is all that I have done.


Can you help me?

What do you mean by regex?

Thanks!

Kind regards
#8
11th September 2009, 15:14
_X_ (Senior Member; Join Date: Oct 2008; Posts: 248)

As an example:

You have in your jail.local
Code:
[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

This means that fail2ban looks into
/var/log/auth.log
for something that begins with
proftpd: pam_unix *something* authentication failure; *something* rhost=<*IP*>
If it finds this 5 times it will block the *IP* from that line in the log file.

If proftpd creates failed authentication logs in /var/log/auth.log that look like the failregex line, then it will block that IP.

Here is an example from my log:
Code:
Sep  6 19:57:15 my_domain proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=backup rhost=::ffff:79.15.63.24  user=backup

and fail2ban's response in /var/log/fail2ban.log:

Code:
2009-09-06 19:58:03,248 fail2ban.actions: WARNING [proftpd] Ban 79.15.63.24

Last edited by _X_; 11th September 2009 at 15:18.
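Two things this thread turns on can be checked offline before touching a live server: whether a jail is actually switched on (the vsftpd block in the jail.local posted in #7 still says enabled = false, so that jail never bans anyone whatever its filter matches), and whether the failregex matches what the service really writes to the log (the "adjustment to some failregex" _X_ mentions in #6). The Python below is an added example, not code from the thread or from the fail2ban project. It models the three steps fail2ban performs: read the enabled jails from jail.local, substitute the <HOST> placeholder (the pattern used here is modelled on fail2ban 0.8's and is an assumption), and count failures per address against maxretry. The jail fragment, the extra log lines, the adjusted regex and the 203.0.113.7 / 192.0.2.10 addresses are constructed; the only real log line is the proftpd one quoted in #8. Run on that line, the failregex as posted expects the literal text "(pam_unix)" and does not match, while the adjusted one written against proftpd's "pam_unix(proftpd:auth):" wording does.

```python
import configparser
import re
from collections import Counter

# fail2ban replaces the <HOST> placeholder in a failregex with its own address
# pattern before compiling it.  This one is modelled on fail2ban 0.8's (an
# assumption); the optional "::ffff:" group is what turns the IPv4-mapped rhost
# in the quoted log line into the plain "79.15.63.24" seen in the Ban message.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed jail.local fragment modelled on the one posted in this thread:
# proftpd is switched on, vsftpd is still "enabled = false".
JAIL_LOCAL = r"""
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5
"""

# The failregex as posted, and a constructed adjusted one that follows the
# "pam_unix(proftpd:auth):" wording proftpd wrote in the quoted log line.
POSTED_REGEX = r"proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>"
ADJUSTED_REGEX = r"proftpd: pam_unix\(proftpd:auth\): authentication failure; .* rhost=<HOST>"


def _auth_line(ts, ruser, rhost):
    """Build a constructed proftpd/pam_unix auth.log line in the quoted format."""
    return (f"Sep  6 {ts} my_domain proftpd: pam_unix(proftpd:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty= ruser={ruser} rhost={rhost}  user={ruser}")


# Constructed /var/log/auth.log excerpt: the first line is the one quoted in the
# thread, followed by four more attempts from the same address (five in total,
# reaching maxretry), one from localhost that ignoreip must exclude, two from a
# second constructed address (RFC 5737 TEST-NET) that stays below maxretry, and
# an unrelated sshd line that the filter must simply skip.
AUTH_LOG = [
    "Sep  6 19:57:15 my_domain proftpd: pam_unix(proftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser=backup rhost=::ffff:79.15.63.24  user=backup",
    _auth_line("19:57:21", "admin", "::ffff:79.15.63.24"),
    _auth_line("19:57:28", "test", "::ffff:79.15.63.24"),
    _auth_line("19:57:35", "ftp", "::ffff:79.15.63.24"),
    _auth_line("19:57:40", "www", "127.0.0.1"),
    _auth_line("19:57:44", "backup", "::ffff:203.0.113.7"),
    _auth_line("19:57:59", "root", "::ffff:79.15.63.24"),
    _auth_line("19:58:02", "admin", "::ffff:203.0.113.7"),
    "Sep  6 19:58:10 my_domain sshd[2231]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2",
]


def enabled_jails(jail_text):
    """List the jails with enabled = true, the way fail2ban reads jail.local.

    A jail left at enabled = false (vsftpd here) is never started, so its
    failregex is irrelevant until the flag is flipped.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    return [s for s in cfg.sections() if cfg.getboolean(s, "enabled", fallback=False)]


def compile_failregex(failregex):
    """Substitute <HOST> and compile, as fail2ban does before scanning a log."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def hosts_to_ban(failregex, log_lines, maxretry, ignoreip=("127.0.0.1",)):
    """Count failregex matches per host; hosts reaching maxretry are the ones
    fail2ban would hand to the ban action.  (Real fail2ban also requires the
    failures to fall inside findtime; this model ignores timestamps.)"""
    pattern = compile_failregex(failregex)
    failures = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match and match.group("host") not in ignoreip:
            failures[match.group("host")] += 1
    return sorted(host for host, count in failures.items() if count >= maxretry)


if __name__ == "__main__":
    print("enabled jails:", enabled_jails(JAIL_LOCAL))          # ['proftpd']
    for label, rx in (("posted", POSTED_REGEX), ("adjusted", ADJUSTED_REGEX)):
        # posted: [] (the literal "(pam_unix)" never occurs); adjusted: ['79.15.63.24']
        print(f"{label} failregex would ban:", hosts_to_ban(rx, AUTH_LOG, maxretry=5))
```

Run as a script it prints the enabled jails and the addresses each failregex would ban. Against a real log file, fail2ban's own fail2ban-regex tool performs the same kind of check, which is the quickest way to find out whether a jail's regex actually fits the service's log format before relying on it.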
#9
12th September 2009, 16:53
iceget (Junior Member; Join Date: Feb 2008; Posts: 28)
Re

Thank you very much!

It works fine!

Kind regards

iceget