__ _ _ ___ _ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| ============================================================= Fail2Ban (version 0.3.0) 02/??/2005 ============================================================= Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too much password failures. It updates firewall rules to reject the IP address. Currently iptables, ipfw and ipfwadm are supported. Fail2Ban can read multiple log files such as sshd or Apache web server ones. It needs log4py. This is my first Python program. I began learning Python for less than one week so please be understanding ;-) English is not either my mother tongue... More details: ------------- Fail2Ban is rather simple. I have a home server connected to the Internet which runs apache, samba, sshd, ... I see in my logs that people are trying to log into my box using "manual" brute force or scripts. They try 10, 20 and sometimes more user/password (without success anyway). In order to discourage these script kiddies, I wanted that sshd refuse login from a specific ip after 3 password failures. After some google searches, I found that sshd was not able of that. So I search for a script or program that do it. Found nothing :-( So I decide to write mine and to learn Python :-) For each sections defined in the configuration file, Fail2Ban tries to find lines which match the failregex. Then it retrieves the message time using timeregex and timepattern. It finally gets the ip and if it has already done 3 or more password failures in the last banTime, the ip is banned for banTime using a iptable rule. After banTime, the rule is deleted. Sections can be freely added so it is possible to monitor several daemons at the same time. Runs on my server and does its job rather well :-) The idea is to make fail2ban usable with daemons and services that require a login (sshd, telnetd, ...). It should also support others firewalls than iptables. Installation: ------------- Require: python-2.3 (http://www.python.org) log4py-1.1 (http://sourceforge.net/projects/log4py) To install, just do: > tar xvfj fail2ban-0.3.0.tar.bz2 > cd fail2ban-0.3.0 > python setup.py install This will install Fail2Ban into /usr/lib/fail2ban. The fail2ban.py executable is placed into /usr/bin. Fail2Ban should now be correctly installed. Just type: > fail2ban.py -h to see if everything is alright. You can configure fail2ban with a config file. Copy config/fail2ban.conf.default to /etc/fail2ban.conf. Configuration: -------------- You can configure fail2ban using the file /etc/fail2ban.conf or using command line options. Command line options override the value stored in fail2ban.conf. Here are the command line options: -b start fail2ban in background -d start fail2ban in debug mode -e ban IP on the INTF interface -c read configuration file FILE -h display this help message -i IP(s) to ignore -l log message in FILE -r allow a max of VALUE password failure -t