What fail2ban jails should I activate?

#1 Sun, 10/18/2015 - 07:07
No Expert

What fail2ban jails should I activate?

Hi,

At the moment I only have the following jails enabled: ssh-iptables, dovecot, dovecot-auth.

The server (CentOS 6.7) hosts one basic website only.

I feel that I'm missing some other basic jails that should be activated, e.g. the Apache ones. Could you please tell me what other "minimum" jails I should have activated?

Thank you

Sun, 10/18/2015 - 07:39
Diabolico

Well, it depends what you have on your server, but you could add: postfix-sasl, postfix, proftpd, webmin-auth, sshd, and use iptables to close all unused ports.

For Apache I'm not sure if you need f2b, but I would suggest mod_security; just know that it will increase memory and CPU usage. How much? It depends on the current state of your server and website(s) and on the number of rules you use.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sun, 10/18/2015 - 13:32
No Expert

Firstly, thanks for taking the time to reply. As you can probably tell, I'm still learning.

(1) postfix-sasl: I did not manually configure SASL authentication and I don't think CentOS enables it by default. I guess I would have to enable SASL auth before enabling this jail?

(2) postfix: The postfix jail is looking for /var/log/postfix.log, which does not exist. I presume I need to point it to /var/log/maillog instead?

(3) webmin-auth: Similarly, the webmin-auth jail is looking for /var/log/auth.log. Do I need to point it to /var/log/secure instead?

(4) sshd: I believe this is ssh-iptables, and this is already activated.

(5) Others: In terms of what is running, here's the output from netstat: clamd, dovecot, httpd, master, mysqld, named, perl, spamd.pid, sshd. Are there any other obvious jails I should be activating?

Thank you for your help.

Sun, 10/18/2015 - 20:03
Diabolico

  1. Check main.cf and see if you have the line "smtpd_sasl_auth_enable = yes"; if you have it, that means it's active. You don't need to have this service active to activate the jail.

  2. A few things got changed and repaired in the newest releases of f2b, but for now change it to "logpath = /var/log/maillog".

  3. Yes, "logpath = /var/log/secure" is the right answer.

  4. If I remember right, yes, it's the same thing. I always forget that I'm not using fail2ban from Virtualmin but installed it manually from the EPEL repo. It could be that I'm wrong, but on CentOS 7 the f2b from Vmin is several updates behind what I have from EPEL.

  5. Aside from what I told you, I don't see anything new you should add. In the case of a CMS like WP, Joomla, etc. you could add that to f2b, but because of differences in versions you need to check on Google for the right solution. Fail2ban got really big changes after version 0.9 and honestly I don't know what version comes with Vmin on CentOS 6.

To check the version of your fail2ban, use SSH and run fail2ban-client -help. Near the top of the result it should say something like this: "Fail2Ban v0.9.3 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules."

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
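The two log-path questions above (the postfix jail pointing at a non-existent /var/log/postfix.log, webmin-auth pointing at /var/log/auth.log instead of /var/log/secure) are the kind of thing that is easy to check before restarting fail2ban. The following is an added example, not code from this thread or from fail2ban itself: it reads a jail.local with the standard-library configparser (interpolation disabled) and, for every enabled jail, reports logpath entries that are still unresolved %(...)s references to paths-*.conf or that point at files missing on the host. The jail.local fragment and the set of "existing" CentOS 6 log files are constructed for the example.

```python
"""Flag fail2ban jails whose logpath does not exist on this host.

Added example, not code from the thread or from fail2ban.  Reads a
jail.local/jail.conf text with configparser (interpolation disabled)
and, for every enabled jail, reports logpath entries that are still
%(...)s references to paths-*.conf (not resolved here; a full path
avoids the issue) or that point at a file that does not exist, e.g.
/var/log/postfix.log on CentOS 6, where Postfix logs to /var/log/maillog.
"""
import configparser
import os
from typing import Callable, Dict, List

# Constructed jail.local fragment modelled on the questions in the thread.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
enabled = false

[ssh-iptables]
enabled = true
logpath = %(sshd_log)s

[postfix]
enabled = true
logpath = /var/log/postfix.log

[webmin-auth]
enabled = true
logpath = /var/log/secure

[dovecot]
enabled = false
logpath = /var/log/dovecot.log
"""


def check_jail_logpaths(text: str,
                        exists: Callable[[str], bool] = os.path.exists
                        ) -> Dict[str, List[str]]:
    """Return {jail: [problems]} for enabled jails; [] means the paths look fine."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report: Dict[str, List[str]] = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        problems: List[str] = []
        # fail2ban accepts several log files, one per line
        raw = cp.get(jail, "logpath", fallback="")
        paths = [p.strip() for p in raw.splitlines() if p.strip()]
        if not paths:
            problems.append("no logpath set")
        for path in paths:
            if path.startswith("%("):
                problems.append("unresolved %s (use a full path)" % path)
            elif not exists(path):
                problems.append("missing %s" % path)
        report[jail] = problems
    return report


if __name__ == "__main__":
    # Simulated CentOS 6 box (constructed): only these two log files exist.
    centos6 = {"/var/log/secure", "/var/log/maillog"}
    for jail, problems in check_jail_logpaths(SAMPLE_JAIL_LOCAL,
                                              centos6.__contains__).items():
        print("%-12s %s" % (jail, "; ".join(problems) or "ok"))
```

On a real host drop the second argument so os.path.exists is used; disabled jails are skipped, as fail2ban itself ignores them.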

Mon, 10/19/2015 - 08:49
BossHog

Howdy, just a heads-up: I posted about an issue with F2B and my CentOS 6.7 here:

http://www.virtualmin.com/node/37688

It has not been resolved (that I am aware of); it may be worth reviewing.

Joe

Mon, 10/19/2015 - 09:45
Diabolico

@BossHog: It's not nice to ninja other people's topics. You should update your topic and ask for help, as posting in other people's topics doesn't help you or the original OP and creates confusion.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 10/19/2015 - 17:16 (Reply to #6)
BossHog

Howdy, the post IS pertaining to the OP. He has a CentOS 6.x server and a problem with F2B implementation. If you had taken the time to read the link, it was NOT a ninja(?). WTF does that even mean??? The two posts are interconnected by the same/similar issue.

There is no confusion here.

Joe

Tue, 10/20/2015 - 09:49
andreychek

Yeah, a few months back we talked about the process of enabling jails in BossHog's other post; it contains some good info on how to go about that. As I re-read it, I think we left some things unanswered though... sorry about that BossHog!

As far as which jails to use, it all comes down to personal preference, and what you want monitored.

If I remember right, yes, it's the same thing. I always forget that I'm not using fail2ban from Virtualmin but installed it manually from the EPEL repo. It could be that I'm wrong, but on CentOS 7 the f2b from Vmin is several updates behind what I have from EPEL.

Nuts! We just grabbed the version from EPEL, but it looks like they've updated theirs.

I'll ask Joe to grab a newer version to put into the Virtualmin repo, thanks for pointing that out.

-Eric

Tue, 10/20/2015 - 19:04
Diabolico

The last time I used f2b from Vmin was a year or more ago. If the old version was before 9.0, then you should warn people before the update, as 9.0 came with some major changes and could break old setups.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 10/21/2015 - 16:04
No Expert

Hi, and thanks for your help so far. Having checked, my f2b version is v0.9.3.

I had one more question. I'm being bombarded with hundreds of these messages in my logwatch:

smtp:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 514 Time(s)
       check pass; user unknown: 514 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=adm: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mysql: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=postfix: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=postgres: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 1 Time(s)

I believe these are brute force attacks and I'd like to block them with f2b as described here: http://theether.net/kb/100141 and here: http://www.teaparty.net/technotes/fail2ban.html

However, I am unsure whether these instructions apply to the latest f2b version. Are you able to give me some guidance as to how to block these?

Thank you

Thu, 10/22/2015 - 02:18
Diabolico

It would be nice to see the raw log, but it looks like some of them should be covered by postfix and postfix-sasl in f2b.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 10/22/2015 - 16:31
No Expert

Hi,

I activated both the postfix and postfix-sasl jails, but IP addresses appear not to get banned.

Here is an extract from /var/log/maillog:

web postfix/smtpd[8181]: connect from unknown[5.8.60.88]
web postfix/smtpd[8181]: warning: unknown[5.8.60.88]: SASL LOGIN authentication failed: authentication failure
web postfix/smtpd[8181]: lost connection after AUTH from unknown[5.8.60.88]
web postfix/smtpd[8181]: disconnect from unknown[5.8.60.88]
web postfix/smtpd[8354]: connect from unknown[193.189.117.70]
web postfix/smtpd[8354]: warning: unknown[193.189.117.70]: SASL LOGIN authentication failed: authentication failure
web postfix/smtpd[8354]: disconnect from unknown[193.189.117.70]

and from /var/log/messages:

web fail2ban.filter[25519]: INFO [sasl-iptables] Found 5.8.60.88
web saslauthd[880]: do_auth         : auth failure: [user=nagios] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
web fail2ban.filter[25519]: INFO [sasl-iptables] Found 193.189.117.70
web saslauthd[879]: do_auth         : auth failure: [user=blue] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

The same IP addresses show up over and over again. Any help appreciated.

Thanks

Thu, 10/22/2015 - 19:25
Diabolico

  1. Check that the paths to the log files are correct. Use the full path, e.g. "logpath = /var/log/secure", and not "logpath = %(sshd_log)s". I found that sometimes, if you are not using the full path, f2b has a problem reading the log files. If you didn't enable anything extra, you should use only two log files: "logpath = /var/log/secure" and "logpath = /var/log/maillog". The first log is for everything I mentioned in my previous post aside from the email server, and the second is for email.

  2. Check how many failed attempts you allow in f2b. If you are the only one using your server you could limit this to 3 (personally I have it on 2, but if you are new to this don't go under 3).

  3. Check "findtime" and set it to what you think is best. I have it on 24 hours (86400) and there is no need to go for more.

  4. If you go for more than 24 hours, then check "dbpurgeage" in "fail2ban.conf" and increase it to 48h or more, depending on your "findtime". Best to increase dbpurgeage in steps of 24h (24, 48, 72, ...) even if "findtime" is increased by less than 24 hours (a full day). The default for "dbpurgeage" is 24 hours (86400).

There are two places where you can set these values: globally at the beginning of jail.local (or .conf), and per jail. If you have these values under a specific jail they will override the global values, just so you know. My advice: keep the global values, as there is no need to set them per jail (at least you don't need it now).

To help you, this is my "jail.local":

[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 2

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = utf-8

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = [!removed - not for public eyes!]

# Sender email address used solely for some actions
sender = [!removed - not for public eyes!]

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = all

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]


# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

I didn't include jails as this is something you need to sort out, but it should be easy: just copy them from jail.conf. I didn't want to get email notifications because it would fill up my email with tons of useless information; that's why I used "action = %(action_)s". There is no need to have an email notification every time f2b bans someone. If not using email notifications, leave "destemail" and "sender" empty or at the default value; I think it's "root@localhost".

All this is based on f2b v0.9.3, and if you are using a different version there is a chance my jail.local will not work for you.

P.S. Your log from "/var/log/maillog" shows classic brute-force attacks, and you will get a lot of them, so get used to it.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
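The symptom in the maillog and /var/log/messages extracts earlier in the thread (a "[sasl-iptables] Found" line for each attacker, yet no ban) is exactly what the findtime/maxretry advice in the last post addresses: "Found" only means the failregex matched, and a ban needs maxretry matches inside a sliding findtime window. The following is an added example, not code from this thread or from fail2ban: it replays the thread's two attackers with constructed timestamps (the posted lines had none), once per hour each, against a simplified, constructed failregex in the style of the postfix-sasl filter, and shows that the 0.9.x defaults (findtime=600, maxretry=5) never ban while the recommended 24h/2 values do.

```python
"""Why a fail2ban jail can log "Found <ip>" without ever banning it.

Added example, not code from the thread or from fail2ban.  A host is
banned only when it reaches ``maxretry`` failregex matches inside a
sliding ``findtime`` window.  The maillog lines from the thread are
reused with constructed timestamps: each attacker fails about once an
hour, so the 0.9.x defaults (findtime=600, maxretry=5) never ban, while
findtime=86400, maxretry=2 bans both on their second attempt.  The regex
is a simplified, constructed version of the postfix-sasl filter, not
the one shipped in filter.d.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Simplified failregex for Postfix "SASL ... authentication failed" warnings.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed sample: the two attackers from the thread, one attempt per hour.
BASE = datetime(2015, 10, 22, 0, 0, 0)
MINUTE_OF_HOUR = {"5.8.60.88": 7, "193.189.117.70": 31}
SAMPLE_LOG: List[Tuple[datetime, str]] = []
for _hour in range(6):
    for _ip, _minute in MINUTE_OF_HOUR.items():
        _ts = BASE + timedelta(hours=_hour, minutes=_minute)
        SAMPLE_LOG += [
            (_ts, "web postfix/smtpd[8181]: connect from unknown[%s]" % _ip),
            (_ts, "web postfix/smtpd[8181]: warning: unknown[%s]: SASL LOGIN "
                  "authentication failed: authentication failure" % _ip),
            (_ts, "web postfix/smtpd[8181]: disconnect from unknown[%s]" % _ip),
        ]


def simulate_bans(lines: Iterable[Tuple[datetime, str]],
                  findtime: int, maxretry: int) -> Dict[str, datetime]:
    """Return {ip: time_of_ban} applying fail2ban's findtime/maxretry rule."""
    window = timedelta(seconds=findtime)
    failures: Dict[str, List[datetime]] = defaultdict(list)
    banned: Dict[str, datetime] = {}
    for ts, line in lines:
        m = FAILREGEX.search(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        # keep only the failures inside the findtime window ending at this line
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("findtime=600,   maxretry=5:", simulate_bans(SAMPLE_LOG, 600, 5))
    print("findtime=86400, maxretry=2:", simulate_bans(SAMPLE_LOG, 86400, 2))
```

The same sliding-window rule is why dbpurgeage has to cover findtime: fail2ban keeps the failure history in its database, and purging it earlier than findtime silently forgets the earlier attempts the ban decision depends on.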
