Comments on Increase your IPv4 security with Fail2Ban and Tinyhoneypot on Debian Jessie

It is a five minutes' exercise to increase security on an IPv4 addressed machine. The purpose of the setup described in this tutorial is to lock out port scanners and malicious port openers for a period of time.

9 Comment(s)


Comments

By: nagyorgy

Author's note: Sorry, I have found one mistake I made during the formatting. The /etc/fail2ban/filter.d/thpot.local file should look like this:

[Definition]

failregex = SRC=<HOST>

By: StoneKany

Hi nagyorgy. I'm currently using Ubuntu 14.04 and followed all steps from your guide. But when I use the command "service fail2ban restart" I'm having the following issue:

ERROR  Failed during configuration: File contains parsing errors: /etc/fail2ban/filter.d/thpot.local

[line  3]: '<HOST>\n'

 

Do you have a workaround for it?

By: zulli

I had to make a few minor configuration adjustments to get mine to work, please correct me if I am wrong - 

I changed thpot.local to thpot.conf as a personal preference, and here is what I had to use in order to not have fail2ban bark about the ignoreregex not being in the file:

[Definition]

failregex = SRC=<HOST>

ignoreregex =

Fail2ban was complaining that the ignoreregex entry was absent in the thpot.conf file when I restarted it. I also had to create my /var/log/thpot/captures file manually with my text editor, fail2ban didn't see it so it was complaining about it when it was restarted.

By: nagyorgy

1,) You are right, that is the correct content of thpot.local!! I will ask site editors to correct my mistake. (The Fail2Ban recommendation is to use .local files for your custom configurations.) First, I made a mistake because <pre> <HOST> </pre> HOST was handled as an HTML tag. AND I accidentally forgot EOF in the file. The EOF came from the idea of creating the file and its content by a single CopyPaste command like this one:

See -> http://nagyorgy.web.elte.hu/thpt.local.png   

2,) The ignoreregex is a good point, thanks.

3,) The /var/log/thpot/captures was created during the TinyHoneypot configuration, one section before Fail2Ban.

I ask pardon from everybody for this inconvenience.

By: MB.n

What does the really correct /etc/fail2ban/filter.d/thpot.local look like? Is it:

[Definition]

failregex = SRC=<HOST>

 

or

 

[Definition]

failregex = SRC=<HOST>

ignoreregex =

 

When I cat the log of fail2ban, it does not create the thp-ssl jail, but the only warning is this:

2016-10-25 00:55:11,097 fail2ban.jail   [4339]: INFO    Jail 'ssh' started

2016-10-25 00:55:12,141 fail2ban.actions[4339]: WARNING [ssh] Ban 221.229.172.73

2016-10-25 01:02:27,637 fail2ban.server [4339]: INFO    Stopping all jails

2016-10-25 01:02:27,673 fail2ban.actions[4339]: WARNING [ssh] Unban 221.229.172.73

2016-10-25 01:02:27,687 fail2ban.jail   [4339]: INFO    Jail 'ssh' stopped

By: MB.n

I checked it for myself and the answer is:

[Definition]

failregex = SRC=<HOST>

 

ignoreregex =

 

Anybody know if thp and fail2ban can handle ipv6 now?
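The file content the thread settles on can be checked before restarting fail2ban. The following is an added example, not part of any comment above or of the original tutorial: it parses a filter file with Python's configparser (fail2ban reads its configuration with Python's config parser, which is where the "parsing errors" message comes from), checks for the [Definition] section, the <HOST> tag and the ignoreregex entry, and tries the failregex on a log line. The sample file texts, the log line and the simplified IPv4 pattern substituted for <HOST> are constructed for illustration.

```python
import configparser
import re

# Simplified IPv4 stand-in for fail2ban's <HOST> tag (assumption for this sketch).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def check_filter(text):
    """Return (problems, failregex) for the text of a fail2ban filter file."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError as exc:
        return [f"line {exc.lineno}: option before any [section] header"], None
    except configparser.ParsingError as exc:
        # Same class of failure that fail2ban reports as "parsing errors".
        return [f"line {n}: not an option or section header" for n, _ in exc.errors], None
    if not parser.has_section("Definition"):
        return ["missing [Definition] section"], None
    section = parser["Definition"]
    failregex = section.get("failregex", "")
    problems = []
    if "<HOST>" not in failregex:
        problems.append("failregex has no <HOST> tag")
    if "ignoreregex" not in section:
        problems.append("ignoreregex entry is absent")
    return problems, failregex


def banned_host(failregex, log_line):
    """Return the address the filter would extract from log_line, or None."""
    if "<HOST>" not in failregex:
        return None
    match = re.search(failregex.replace("<HOST>", HOST_RE), log_line)
    return match.group("host") if match else None


# Constructed samples: the filter as posted in the thread and two damaged variants.
GOOD = "[Definition]\nfailregex = SRC=<HOST>\nignoreregex =\n"
TAG_ON_OWN_LINE = "[Definition]\nfailregex = SRC=\n<HOST>\n"
TAG_EATEN = "[Definition]\nfailregex = SRC=\nignoreregex =\n"
# Constructed log line with documentation addresses, not from a real capture file.
SAMPLE_LINE = "Oct 25 00:55:11 host kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=23"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("own line", TAG_ON_OWN_LINE), ("eaten", TAG_EATEN)]:
        problems, regex = check_filter(text)
        print(name, "->", problems or banned_host(regex, SAMPLE_LINE))
```

On a live system, fail2ban's own `fail2ban-regex /var/log/thpot/captures /etc/fail2ban/filter.d/thpot.local` runs the installed filter against the real log file.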

By: StoneKany

I'm having the following error: ERROR Failed during configuration: File contains parsing errors: /etc/fail2ban/filter.d/thpot.local

By: Brandon

Is it possible to use this with UFW? I know UFW is a front-end for IPTABLES, but sometimes they can't work in conjunction.

By: Brandon

Just FYI, I set this up on a brand new server yesterday. This server hasn't been linked to anything or used yet, I'm just configuring it initially.

And already, this solution has found and blocked approximately 20 IPs. An excellent solution to find scanners and kill them. This is likely one of the best security solutions to proactively stop potential hacking attempts. Great job and thank you!!