Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: OzMoosis on November 20, 2009, 03:02:16 PM
-
Hi all,
are there any SME users that have the latest Fail2ban version running?
(Fail2ban scans log files like /var/log/sshd/current or /var/log/ftp/current and bans IPs that have too many password failures. It updates firewall rules to reject the IP address. I guess it's similar to DenyHosts, but it can block more than just SSH.)
I have the services running, and the "SSH jail" is active, but it doesn't seem to be doing anything when I test it by logging in to SSH incorrectly.
Anyone with a how-to?
Thanks,
Marcel
-
please, explain your problem, not the solution..
instead of banning ip, you could change sshd port to an unused one (above 1024).. no more noise in the logs
-
please, explain your problem, not the solution..
instead of banning ip, you could change sshd port to an unused one (above 1024).. no more noise in the logs
Or better even, configure your SSH to use public/private key pairs, which will prevent password-guessing hackers altogether as they never get a connection; for details see http://wiki.contribs.org/SSH_Public-Private_Keys
-
Thanks for the advice, but I know about these security options for SSH and am using them at the moment.
The point is that Fail2ban can detect failed login attempts on other services, such as FTP and Apache. That's what I'm most interested in, I'm just testing with SSH to see if I can get Fail2ban to work.
So far, the fail2ban service is running, and during setup it edited the IPtables configuration. It also sends mail to root about its status. However, I can't tell whether it's reading the logfiles and it doesn't seem to be adding any DROP rules to IPtables as it should.
Marcel
-
So far, the fail2ban service is running, and during setup it edited the IPtables configuration. It also sends mail to root about its status. However, I can't tell whether it's reading the logfiles and it doesn't seem to be adding any DROP rules to IPtables as it should.
I hope you're testing it on a test machine, not a production one..
SME's firewall rules are templatized and dynamically generated, so anything that changes iptables rules could break your server.
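-
Added example, not part of the original thread and not Fail2ban's own code: a minimal Python model of the scan, count and ban logic described in the first post, which also reports failure lines the pattern does not match (one way a running service ends up banning nothing). The regex, the sample log lines and the `scan` helper are assumptions constructed for illustration; `maxretry` and `findtime` mirror Fail2ban's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for an sshd failure pattern (assumption, not Fail2ban's shipped filter).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample lines; the last one uses a different timestamp layout on purpose.
SAMPLE_LOG = """\
Nov 20 15:00:01 sme sshd[2101]: Failed password for root from 203.0.113.5 port 4022 ssh2
Nov 20 15:00:04 sme sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Nov 20 15:00:09 sme sshd[2107]: Accepted publickey for marcel from 198.51.100.7 port 5122 ssh2
Nov 20 15:00:12 sme sshd[2110]: Failed password for root from 203.0.113.5 port 4031 ssh2
Nov 20 15:01:00 sme sshd[2114]: Failed password for marcel from 198.51.100.7 port 5130 ssh2
2009-11-20 15:02:00 sshd[2120]: Failed password for root from 192.0.2.9 port 4100 ssh2
"""

def scan(log_text, maxretry=3, findtime=600, year=2009):
    """Return (hosts reaching maxretry within findtime, failure lines the pattern missed)."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)          # host -> timestamps of recent failures
    banned, unmatched = [], []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            # A failure the pattern cannot parse is never counted, so it never bans.
            if "Failed password" in line:
                unmatched.append(line)
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = hits[m["host"]]
        recent.append(ts)
        while ts - recent[0] > window:  # drop failures older than findtime
            recent.popleft()
        if len(recent) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned, unmatched

if __name__ == "__main__":
    to_ban, missed = scan(SAMPLE_LOG)
    print("would ban:", to_ban)
    print("failure lines not matched:", missed)
```
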