How to protect servers (ssh, apache, asterisk, …) from brute-force attacks (using fail2ban)

## install
$ sudo yum install fail2ban (from EPEL) | sudo apt-get install fail2ban

## configure fail2ban, in '/etc/fail2ban/jail.conf' (better: put your own settings in '/etc/fail2ban/jail.local', which overrides jail.conf and is not overwritten by package upgrades)
$ cat /etc/fail2ban/jail.conf
...
# 1 - generic configuration
# "bantime" is the number of seconds that a host is banned
bantime  = 600
# ip addresses or networks that fail2ban never bans; add your own admin address here so a mistyped password cannot lock you out
ignoreip = 127.0.0.1/8
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
maxretry = 3
...
# 2 - define ban actions
# config file in '/etc/fail2ban/action.d' used when a ban is needed; the default, iptables-multiport, blocks the offending IP only on the jail's ports (iptables-allports blocks it on every port)
banaction = iptables-multiport
# how banaction is invoked; the default 'action_' passes the jail name, port, protocol and chain to the action; 'action_mw' bans and also sends an e-mail with whois output, 'action_mwl' adds the matching log lines to that mail
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%($
action = %(action_)s

# 3 - application-specific jails
# jail name on Debian 7 / fail2ban 0.8; newer releases call it [sshd]
[ssh]
enabled  = true
port     = ssh
# file in '/etc/fail2ban/filter.d' telling how to parse the log file, see failregex in '/etc/fail2ban/filter.d/sshd.conf'
filter   = sshd
# what files to parse for failures
logpath  = /var/log/auth.log
# (on RHEL/CentOS sshd logs to /var/log/secure instead)
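
As an added example (not part of the original page or of the fail2ban project): the jail parameters above replayed in Python over a constructed auth.log sample, to show how findtime and maxretry interact and how ignoreip exempts a source. The sshd regex is a simplified stand-in for filter.d/sshd.conf, and the log lines, hostnames and addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters, the same values as in the jail.conf excerpt.
BANTIME = 600    # seconds a host stays banned
FINDTIME = 600   # window inside which failures are counted
MAXRETRY = 3     # failures inside the window that trigger a ban
IGNOREIP = ["127.0.0.1/8"]

# fail2ban expands the <HOST> tag to this group before compiling a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


# Simplified sshd failregex (assumption: the real filter.d/sshd.conf has many more patterns).
SSHD_FAILREGEX = compile_failregex(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from <HOST> port \d+"
)

# syslog prefix "Mon DD HH:MM:SS"; the day may be padded with a second space.
SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")

# Constructed auth.log sample, not taken from a real host.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:05 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:01:00 host sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  1 10:02:00 host sshd[2005]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:02:01 host sshd[2006]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  1 10:02:02 host sshd[2007]: Failed password for root from 127.0.0.1 port 40003 ssh2
Mar  1 10:05:00 host sshd[2008]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Mar  1 10:20:00 host sshd[2009]: Failed password for bob from 198.51.100.9 port 40011 ssh2
Mar  1 10:35:00 host sshd[2010]: Failed password for bob from 198.51.100.9 port 40012 ssh2
"""


def parse_syslog_time(line):
    """Parse the syslog prefix; there is no year, so only differences are meaningful."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S")


def is_ignored(host, ignoreip):
    """True if host lies inside one of the ignoreip networks (a hostname never does)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def scan(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, ignoreip=IGNOREIP):
    """Replay log lines in order; return {host: (ban_time, unban_time)}.

    A host is banned the moment it has `maxretry` failures whose timestamps all lie
    inside the trailing `findtime` seconds. Older failures are forgotten, so attempts
    spaced wider than findtime never add up to a ban.
    """
    failures = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = SSHD_FAILREGEX.search(line)
        if not m:
            continue                      # not a failure line (e.g. "Accepted publickey")
        host = m.group("host")
        if is_ignored(host, ignoreip) or host in banned:
            continue
        ts = parse_syslog_time(line)
        window = failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()              # drop failures older than findtime
        if len(window) >= maxretry:
            banned[host] = (ts, ts + timedelta(seconds=bantime))
    return banned


if __name__ == "__main__":
    for host, (start, end) in scan(SAMPLE_AUTH_LOG).items():
        print("ban %s at %s until %s" % (host, start.time(), end.time()))
```

With the sample, 203.0.113.7 is banned on its third failure at 10:00:09 (until 10:10:09); 127.0.0.1 is skipped because of ignoreip; 198.51.100.9 fails three times but fifteen minutes apart, so the 600-second window never holds more than one failure and it is not banned. Raising findtime to 3600 bans it too, which is the trade-off between catching slow brute force and banning a forgetful user.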

## configure firewall, iptables in our case
$ cat /etc/fail2ban/action.d/iptables-multiport.conf
...
# commands executed when fail2ban starts and stops; they create the fail2ban-<name> chain and hook it into INPUT for the jail's ports (see above)
actionstart/actionstop = ...
# commands executed when banning and unbanning an ip: a rule for the source is inserted at the top of the chain, then removed again;
# <blocktype> is the target applied to the banned source (DROP in older releases, REJECT --reject-with icmp-port-unreachable by default in newer ones, see iptables-common.conf)
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

$ sudo service fail2ban restart
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
...
Chain fail2ban-ssh (1 references)
DROP       all  --  xxx-xxxxxxxx.dyn.xxxxxxxxx.net  anywhere            
RETURN     all  --  anywhere             anywhere

from How To Protect SSH with fail2ban on Debian 7

# enable predefined Apache jails, if not already enabled
$ cat /etc/fail2ban/jail.conf
# detect password authentication failures
[apache]
enabled  = true
...
[apache-multiport]
enabled = true
...
# jails inherit banaction from [DEFAULT] unless they set their own; to change it for all of them:
$ cat /etc/fail2ban/jail.conf
[DEFAULT]
banaction = iptables-multiport
$ sudo systemctl restart fail2ban | sudo service fail2ban restart

# check and manage Fail2ban banning status (the per-jail status lists the currently banned addresses)
$ sudo fail2ban-client status
$ sudo fail2ban-client status [name-of-jail]
# ban/unban a given IP address by hand
$ sudo fail2ban-client set [name-of-jail] banip [ip-address]
$ sudo fail2ban-client set [name-of-jail] unbanip [ip-address]

from How to configure fail2ban to protect Apache HTTP server

The same for Asterisk, both with and without the Asterisk Security Framework (Asterisk 10+, which writes security events to a separate log):

$ cat /etc/fail2ban/filter.d/asterisk.conf
[Definition]
# regex to match the password failure messages in the logfile. The host must be matched by a group named "host".
# The tag "<HOST>" can be used for standard IP/hostname matching and is only an alias for (?:::f{4,6}:)?(?P<host>\S+)
# without asterisk security framework: failures are chan_sip NOTICE lines in /var/log/asterisk/messages
# (Asterisk 1.8+ writes the address as '<ip>:<port>' in these lines; widen the pattern if you are on that branch)
#failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
# with asterisk security framework: SecurityEvent lines in /var/log/asterisk/security; RemoteAddress is "family/transport/address/port"
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*

# regex to ignore. If this regex matches, the line is ignored.
ignoreregex =
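
Added example (not from the original page or from the fail2ban project): a small Python check in the spirit of fail2ban-regex that expands <HOST> with the alias quoted above and runs the Security Framework patterns, plus two of the classic pre-framework chan_sip NOTICE patterns, over constructed log lines. It shows that each variant only matches its own log format, which is why the filter keeps both. All sample lines, PIDs, session IDs and addresses are invented; the legacy patterns assume the pre-1.8 message format without a ':port' suffix.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to this group before compiling a failregex (the alias quoted in the filter).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Security Framework patterns, as in filter.d/asterisk.conf.
SECURITY_FAILREGEX = [
    r'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
]

# Two of the classic chan_sip NOTICE patterns used before the Security Framework existed
# (assumption: pre-1.8 format, address without a ':port' suffix).
LEGACY_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
]

# Constructed /var/log/asterisk/security lines (dateformat=%F %T); every value is made up.
SECURITY_LOG = [
    '[2014-03-01 10:00:00] SECURITY[2712] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1393668000-000001",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f3a1c0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060",Challenge="0a1b2c3d",ReceivedChallenge="0a1b2c3d",ReceivedHash="0f0f0f0f"',
    '[2014-03-01 10:00:02] SECURITY[2712] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1393668002-000002",Severity="Error",Service="SIP",EventVersion="1",AccountID="9999",SessionID="0x7f3a1c1",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5061"',
    '[2014-03-01 10:00:05] SECURITY[2712] res_security_log.c: SecurityEvent="FailedACL",EventTV="1393668005-000003",Severity="Error",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x7f3a1c2",LocalAddress="IPV6/UDP/2001:db8::1/5060",RemoteAddress="IPV6/UDP/2001:db8::bad/5060",ACLName="permit_list"',
    '[2014-03-01 10:00:09] SECURITY[2712] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1393668009-000004",Severity="Informational",Service="SIP",EventVersion="1",AccountID="100",SessionID="0x7f3a1c3",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/198.51.100.5/5060",UsingPassword="1"',
]

# Constructed /var/log/asterisk/messages lines from a pre-framework build.
LEGACY_LOG = [
    "[2014-03-01 10:01:00] NOTICE[2712] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.1>' failed for '203.0.113.7' - Wrong password",
    "[2014-03-01 10:01:30] NOTICE[2712] chan_sip.c: Registration from '\"test\" <sip:test@10.0.0.1>' failed for '192.0.2.44' - No matching peer found",
    "[2014-03-01 10:02:00] NOTICE[2712] chan_sip.c: Peer '100' is now Reachable. (25ms / 2000ms)",
]


def compile_filter(patterns):
    """Expand <HOST> and compile each failregex line, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_failures(lines, patterns):
    """Return the <HOST> captured from every line that matches any failregex (first match wins)."""
    compiled = compile_filter(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def failures_per_host(lines, patterns):
    """Per-source failure counts, the numbers a jail compares against maxretry."""
    return Counter(match_failures(lines, patterns))


if __name__ == "__main__":
    print("security log:", dict(failures_per_host(SECURITY_LOG, SECURITY_FAILREGEX)))
    print("messages log:", dict(failures_per_host(LEGACY_LOG, LEGACY_FAILREGEX)))
    print("security patterns on messages log:", match_failures(LEGACY_LOG, SECURITY_FAILREGEX))
```

The SuccessfulAuth and "Peer ... is now Reachable" lines match nothing, the IPv6 RemoteAddress is captured intact because \S+ accepts colons, and running the Security Framework patterns over the messages log (or vice versa) yields no hits at all, so pointing the jail's logpath at the wrong file silently disables banning.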

$ cat /etc/fail2ban/jail.conf
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
# without asterisk security framework
#logpath  = /var/log/asterisk/messages
# with asterisk security framework
logpath  = /var/log/asterisk/security

$ cat /etc/fail2ban/jail.conf
[DEFAULT]
ignoreip=<your_ip_address>

# make asterisk write timestamps that fail2ban's date parser handles, e.g. "2014-03-01 10:00:00"
$ cat /etc/asterisk/logger.conf
[general]
dateformat=%F %T

$ service iptables start; service fail2ban start
$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in   out  source    destination
2104K  414M fail2ban-ASTERISK  all  --  any  any  anywhere  anywhere

from Fail2Ban (with iptables) and asterisk
