|
|
|
|
__ _ _ ___ _
|
|
|
|
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
|
|
|
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
|
|
|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|
|
|
|
|
|
|
|
|
=============================================================
|
|
|
|
|
Fail2Ban (version 0.?.?) ??/??/2005
|
|
|
|
|
=============================================================
|
|
|
|
|
|
|
|
|
|
Fail2Ban scans log files like /var/log/pwdfail and bans IP
|
|
|
|
|
that makes too many password failures. It updates firewall
|
|
|
|
|
rules to reject the IP address. These rules can be defined by
|
|
|
|
|
the user. Fail2Ban can read multiple log files such as sshd
|
|
|
|
|
or Apache web server ones. It needs log4py.
|
|
|
|
|
|
|
|
|
|
This is my first Python program. Moreover, English is not my
|
|
|
|
|
mother tongue...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
More details:
|
|
|
|
|
-------------
|
|
|
|
|
|
|
|
|
|
Fail2Ban is rather simple. I have a home server connected to
|
|
|
|
|
the Internet which runs apache, samba, sshd, ... I see in my
|
|
|
|
|
logs that people are trying to log into my box using "manual"
|
|
|
|
|
brute force or scripts. They try 10, 20 and sometimes more
|
|
|
|
|
user/password (without success anyway). In order to
|
|
|
|
|
discourage these script kiddies, I wanted that sshd refuse
|
|
|
|
|
login from a specific ip after 3 password failures. After
|
|
|
|
|
some Google searches, I found that sshd was not able of that.
|
|
|
|
|
So I search for a script or program that do it. I found
|
|
|
|
|
nothing :-( So I decide to write mine and to learn Python :-)
|
|
|
|
|
|
|
|
|
|
For each sections defined in the configuration file, Fail2Ban
|
|
|
|
|
tries to find lines which match the failregex. Then it
|
|
|
|
|
retrieves the message time using timeregex and timepattern.
|
|
|
|
|
It finally gets the ip and if it has already done 3 or more
|
|
|
|
|
password failures in the last banTime, the ip is banned for
|
|
|
|
|
banTime using a firewall rule. This rule is set by the user
|
|
|
|
|
in the configuration file. Thus, Fail2Ban can be adapted for
|
|
|
|
|
lots of firewall. After banTime, the rule is deleted. Notice
|
|
|
|
|
that if no "plain" ip is available, Fail2Ban try to do DNS
|
|
|
|
|
lookup in order to found one or several ip's to ban.
|
|
|
|
|
|
|
|
|
|
Sections can be freely added so it is possible to monitor
|
|
|
|
|
several daemons at the same time.
|
|
|
|
|
|
|
|
|
|
Runs on my server and does its job rather well :-) The idea
|
|
|
|
|
is to make fail2ban usable with daemons and services that
|
|
|
|
|
require a login (sshd, telnetd, ...) and with different
|
|
|
|
|
firewalls.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installation:
|
|
|
|
|
-------------
|
|
|
|
|
|
|
|
|
|
Require: python-2.3 (http://www.python.org)
|
|
|
|
|
log4py-1.1 (http://sourceforge.net/projects/log4py)
|
|
|
|
|
|
|
|
|
|
To install, just do:
|
|
|
|
|
|
|
|
|
|
> tar xvfj fail2ban-0.4.1.tar.bz2
|
|
|
|
|
> cd fail2ban-0.4.1
|
|
|
|
|
> python setup.py install
|
|
|
|
|
|
|
|
|
|
This will install Fail2Ban into /usr/lib/fail2ban. The
|
|
|
|
|
fail2ban.py executable is placed into /usr/bin.
|
|
|
|
|
|
|
|
|
|
Gentoo: an ebuild is available on the website.
|
|
|
|
|
Debian: a package is available on the website.
|
|
|
|
|
|
|
|
|
|
Fail2Ban should now be correctly installed. Just type:
|
|
|
|
|
|
|
|
|
|
> fail2ban.py -h
|
|
|
|
|
|
|
|
|
|
to see if everything is alright. You can configure fail2ban
|
|
|
|
|
with a config file. Copy config/fail2ban.conf.default to
|
|
|
|
|
/etc/fail2ban.conf.
|
|
|
|
|
|
|
|
|
|
Gentoo users can use the initd script available in config/.
|
|
|
|
|
Copy gentoo-initd to /etc/init.d/fail2ban and gentoo-confd
|
|
|
|
|
to /etc/conf.d/fail2ban. You can start fail2ban and add it
|
|
|
|
|
to your default runlevel:
|
|
|
|
|
|
|
|
|
|
> /etc/init.d/fail2ban start
|
|
|
|
|
> rc-update add fail2ban default
|
|
|
|
|
|
|
|
|
|
Configuration:
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
You can configure fail2ban using the file /etc/fail2ban.conf
|
|
|
|
|
or using command line options. Command line options override
|
|
|
|
|
the value stored in fail2ban.conf. Here are the command line
|
|
|
|
|
options:
|
|
|
|
|
|
|
|
|
|
-b start fail2ban in background
|
|
|
|
|
-d start fail2ban in debug mode
|
|
|
|
|
-c <FILE> read configuration file FILE
|
|
|
|
|
-p <FILE> create PID lock in FILE
|
|
|
|
|
-h display this help message
|
|
|
|
|
-i <IP(s)> IP(s) to ignore
|
|
|
|
|
-k kill a currently running Fail2Ban instance
|
|
|
|
|
-l <FILE> log message in FILE
|
|
|
|
|
-r <VALUE> allow a max of VALUE password failure
|
|
|
|
|
-t <TIME> ban IP for TIME seconds
|
|
|
|
|
-v verbose. Use twice for greater effect
|
|
|
|
|
|
|
|
|
|
Contact:
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
You need some new features, you found bugs or you just
|
|
|
|
|
appreciate this program, you can contact me at :
|
|
|
|
|
|
|
|
|
|
Website: http://www.sourceforge.net/projects/fail2ban
|
|
|
|
|
|
|
|
|
|
Cyril Jaquier: <lostcontrol@users.sourceforge.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Thanks:
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
K<EFBFBD>vin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
|
|
|
|
|
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko
|
|
|
|
|
|
|
|
|
|
License:
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
Fail2Ban is free software; you can redistribute it
|
|
|
|
|
and/or modify it under the terms of the GNU General Public
|
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
|
version 2 of the License, or (at your option) any later
|
|
|
|
|
version.
|
|
|
|
|
|
|
|
|
|
Fail2Ban is distributed in the hope that it will be
|
|
|
|
|
useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
|
|
|
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
|
|
|
PURPOSE. See the GNU General Public License for more
|
|
|
|
|
details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public
|
|
|
|
|
License along with Fail2Ban; if not, write to the Free
|
|
|
|
|
Software Foundation, Inc., 59 Temple Place, Suite 330,
|
|
|
|
|
Boston, MA 02111-1307 USA
|