As part of my recent security drive on my dedicated server I installed Fail2Ban. The premise of this software is fairly simple which is always good. Fail2Ban basically scans log files for errors, e.g. your FTP access log file to see who has been trying to guess your login and the likes. Once a certain IP address has tried x number of times within a set time it is added to a ban list. This list can be temporary or permanent and implemented in several ways (e.g. via iptables / firewall or hosts.deny file).
Sounds good? Well once it’s up and running it does exactly what it says. However, there are one or two small issues getting to this stage, certainly on Centos 6.
The first step is to install:
yum install fail2ban
(assuming you have the EPEL repository. If not do this first:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
At this point I realised there were 3 issues to overcome before getting Fail2Ban to work:
1. Log monitoring
This is the method used to monitor whether the log files have been modified. The default setting is auto with other options being inotify, gamin and polling.
The only one I have had any success with is polling – gamin didn’t throw any errors but didn’t seem to do anything either.
So, at around line 40 in /etc/fail2ban/jail.conf change to:
backend = polling
2. Fail2Ban not starting up
This is apparently the result of a race condition between the python script and iptables. The solution is to add a little code that slows down the Fail2Ban script.
This involves adding a sleep command in /usr/bin/fail2ban-client at line 142:
def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier()
for c in cmd:
time.sleep(0.1)
beautifier.setInputCmd(c)
try: 3. Edit ignoreip list
The etc/fail2ban/jail.conf file also allows you to set a list of IP addresses to ignore, i.e. not ban. The default is set to 127.0.0.1. For some reason I found nothing was getting banned when it was set up this way.
So, at around line 20 either comment out (with a # at start of line):
#ignoreip = 127.0.0.1
Or just remove the 127.0.0.1 and put in any IP addresses you want ignored.
Well, that worked for me. All that needs doing is restarting Fail2Ban:
/etc/init.d/fail2ban restart
Once up and running you can check with:
/etc/init.d/fail2ban status
which should give a list of all running ‘jails’
Persevere as all the emails reporting bans will make you realise it was worth the effort.