Fail2Ban on ISPConfig 2.x

Discussion in 'Installation/Configuration' started by iceget, Sep 7, 2009.

  1. iceget

    iceget Member

    Hello community,

    I had one question.

    My FTP account on my ISPConfig 2.x server was hacked.

    The hacker group tried the attacks over a period of 3 months,
    and they finished the hack. My FTP password was hacked.

    I have changed this password, and my question is:

    can fail2ban help me in this situation?

    vsftpd is running on my server!

    If yes, how can I install and configure it?


    thank you very much

    kind regards
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Yes. :)

    I've written a few fail2ban tutorials. You can use the "Search" function to find them.
     
  3. iceget

    iceget Member

    Re

    Hello!

    I have searched for fail2ban but I can't find any thread opened with your name "falko".

    Can you send me the link for the tutorial?

    thank you very much!
     
  4. _X_

    _X_ New Member

  5. iceget

    iceget Member

    Re

    hello!

    I cannot find the tutorial for

    Debian 4.0 with Roundcube and ISPConfig-2.2.33...

    Which tutorial can I use?

    can you help me?

    thank you very much!
     
  6. _X_

    _X_ New Member

    as far as I can see you can use this:

    http://www.howtoforge.com/fail2ban_debian_etch

    actually after installation you have to copy

    /etc/fail2ban/jail.conf

    as

    /etc/fail2ban/jail.local

    Code:
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    and uncomment the lines for the services you want fail2ban to watch in /etc/fail2ban/jail.local

    after that

    Code:
    /etc/init.d/fail2ban restart
    maybe adjustment of some failregex will be needed

    failregex is actually the syntax of the error in the appropriate log file, so modifying it to specific needs shouldn't be a problem.
     
    Last edited: Sep 9, 2009
  7. iceget

    iceget Member

    Re

    Hello!!

    Thank you for your help!

    I have installed fail2ban with:

    apt-get update && apt-get install fail2ban

    now I have made a copy of the original configuration file:
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    now my config files are:

    /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local:
    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime = 600
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    # This issue left ToDo, so polling is default backend for now
    backend = polling

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]

    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]


    [ssh]

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 5


    [apache]

    enabled = true
    port = http
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5


    [apache-noscript]

    enabled = false
    port = http
    filter = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5


    [vsftpd]

    enabled = false
    port = ftp
    filter = vsftpd
    logpath = /var/log/auth.log
    maxretry = 5


    [proftpd]

    enabled = true
    port = ftp
    filter = proftpd
    logpath = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5


    [wuftpd]

    enabled = false
    port = ftp
    filter = wuftpd
    logpath = /var/log/auth.log
    maxretry = 5


    [postfix]

    enabled = false
    port = smtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5


    [courierpop3]

    enabled = true
    port = pop3
    filter = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5


    [courierimap]

    enabled = true
    port = imap2
    filter = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5


    [sasl]

    enabled = true
    port = smtp
    filter = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath = /var/log/mail.log
    maxretry = 5


    now I have restarted fail2ban with
    /etc/init.d/fail2ban restart

    and I have tried with FTP and .htaccess user auth to lock my IP.

    I have tried 10 times with user auth on .htaccess and 10 times with vsftpd, but fail2ban doesn't lock my IP.


    Must I configure other files?

    Here is everything I have done.


    can you help me?

    What do you mean with regex?

    thanks!

    kind regards
     
  8. _X_

    _X_ New Member

    as example:

    you have in your jail.local
    Code:
    [proftpd]
    
    enabled = true
    port = ftp
    filter = proftpd
    logpath = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    this means that fail2ban looks into
    /var/log/auth.log
    for something that begins with
    proftpd: pam_unix *something* authentication failure; *something* rhost=<*IP*>
    if it finds this 5 times it will block the *IP* from that line in the log file.

    if proftpd writes failed-authentication entries to /var/log/auth.log that look like the failregex line, then it will block that IP.

    here is example from my log:
    Code:
    Sep  6 19:57:15 my_domain proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=backup rhost=::ffff:79.15.63.24  user=backup
    
    and fail2ban response in /var/log/fail2ban.log

    Code:
    2009-09-06 19:58:03,248 fail2ban.actions: WARNING [proftpd] Ban 79.15.63.24
    
     
    Last edited: Sep 11, 2009
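To see the matching _X_ describes above in action, here is an added example (not from the thread and not fail2ban's own code) that applies the posted proftpd failregex to constructed auth.log lines, counts failures per remote host and reports which hosts reached maxretry. Assumptions: the pattern substituted for `<HOST>` is limited to IPv4 with an optional `::ffff:` prefix (fail2ban's real host pattern is broader), and the sample lines are constructed; the last sample line uses the `pam_unix(proftpd:auth):` PAM message form, which this failregex does not match because it requires literal parentheses around pam_unix, the kind of failregex adjustment mentioned in post 6.

```python
import re
from collections import Counter

# <HOST> is fail2ban's placeholder for the remote address. Assumption for this
# example: IPv4 only, with the optional ::ffff: prefix seen in the posted log.
HOST_RE = r"(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    """Expand <HOST> and compile a jail.local failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def failed_hosts(log_lines, failregex):
    """Count matching failures per host; lines that do not match are ignored."""
    pat = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        m = pat.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(log_lines, failregex, maxretry):
    """Hosts that reached maxretry failures, i.e. the ones fail2ban would ban."""
    counts = failed_hosts(log_lines, failregex)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# failregex copied from the proftpd jail posted in this thread
PROFTPD_FAILREGEX = r"proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>"

# Constructed sample auth.log lines (192.0.2.0/24 is documentation space).
# Lines built from OLD use the "(pam_unix)" message form the failregex expects.
OLD = ("Sep  6 19:57:{:02d} host proftpd: (pam_unix) authentication failure; "
       "logname= uid=0 euid=0 tty= ruser= rhost={} user=backup")
SAMPLE_LOG = [OLD.format(i, "::ffff:192.0.2.10") for i in range(5)]   # 5 hits
SAMPLE_LOG += [OLD.format(10, "192.0.2.20"), OLD.format(11, "192.0.2.20")]  # 2 hits
# Newer PAM form "pam_unix(proftpd:auth):" - not matched by this failregex.
SAMPLE_LOG.append("Sep  6 19:58:00 host proftpd: pam_unix(proftpd:auth): "
                  "authentication failure; logname= uid=0 euid=0 tty= "
                  "ruser=backup rhost=192.0.2.30 user=backup")

if __name__ == "__main__":
    print(dict(failed_hosts(SAMPLE_LOG, PROFTPD_FAILREGEX)))
    print(hosts_to_ban(SAMPLE_LOG, PROFTPD_FAILREGEX, maxretry=5))
```

Running it against your own /var/log/auth.log lines is the same check fail2ban's fail2ban-regex tool performs: if a real failure line yields no match, the jail's failregex needs adjusting before it can ban anyone.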
  9. iceget

    iceget Member

    Re

    Thank you very much!

    it works fine!

    kind regards

    iceget
     