A question about Fail2Ban.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

A question about Fail2Ban.

Post by hack3rcon » 2021/01/12 12:00:43

Hello,
I found a tutorial to protect some services with Fail2Ban:
# nano /etc/fail2ban/jail.local
Add the following lines at the end of the file:

[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port    = http,https
logpath = %(apache_error_log)s
What is "[apache-auth]"? Is it a predefined rule for Fail2Ban that lives under the "filter.d" directory? I mean, does "[apache-auth]" refer to the "apache-auth.conf" file:

# ls filter.d/
3proxy.conf                exim-spam.conf             proftpd.conf
apache-auth.conf           freeswitch.conf            pure-ftpd.conf
apache-badbots.conf        froxlor-auth.conf          qmail.conf
apache-botsearch.conf      groupoffice.conf           recidive.conf
apache-common.conf         gssftpd.conf               roundcube-auth.conf
apache-fakegooglebot.conf  guacamole.conf             screensharingd.conf
apache-modsecurity.conf    haproxy-http-auth.conf     selinux-common.conf
apache-nohome.conf         horde.conf                 selinux-ssh.conf
apache-noscript.conf       ignorecommands/            sendmail-auth.conf
apache-overflows.conf      kerio.conf                 sendmail-reject.conf
apache-pass.conf           lighttpd-auth.conf         sieve.conf
apache-shellshock.conf     mongodb-auth.conf          slapd.conf
assp.conf                  monit.conf                 sogo-auth.conf
asterisk.conf              murmur.conf                solid-pop3d.conf
bitwarden.conf             mysqld-auth.conf           squid.conf
botsearch-common.conf      nagios.conf                squirrelmail.conf
centreon.conf              named-refused.conf         sshd.conf
common.conf                nginx-botsearch.conf       stunnel.conf
counter-strike.conf        nginx-http-auth.conf       suhosin.conf
courier-auth.conf          nginx-limit-req.conf       tine20.conf
courier-smtp.conf          nsd.conf                   traefik-auth.conf
cyrus-imap.conf            openhab.conf               uwimap-auth.conf
directadmin.conf           openwebmail.conf           vsftpd.conf
domino-smtp.conf           oracleims.conf             webmin-auth.conf
dovecot.conf               pam-generic.conf           wuftpd.conf
dropbear.conf              perdition.conf             xinetd-fail.conf
drupal-auth.conf           phpmyadmin-syslog.conf     znc-adminlog.conf
ejabberd-auth.conf         php-url-fopen.conf         zoneminder.conf
exim-common.conf           portsentry.conf            
exim.conf                  postfix.conf  
Apache logs are:

# ls /var/log/httpd/
access_log        error_log         modsec_audit.log  modsec_debug.log  
But "logpath = %(apache_error_log)s"!!! Must "apache_error_log" be changed to "error_log"?

Thank you.

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: A question about Fail2Ban.

Post by stevemowbray » 2021/01/12 12:11:37

apache_error_log is defined in the paths*.conf file for your OS. It includes all *error_log files in the apache log directory. You should not have to change anything.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about Fail2Ban.

Post by hack3rcon » 2021/01/12 12:14:36

stevemowbray wrote:
2021/01/12 12:11:37
apache_error_log is defined in the paths*.conf file for your OS. It includes all *error_log files in the apache log directory. You should not have to change anything.
paths*.conf file?
On CentOS, Firewalld is enabled by default, but is it just a front-end for iptables?

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: A question about Fail2Ban.

Post by stevemowbray » 2021/01/12 13:56:55

In /etc/fail2ban there are various conf files called paths-[something].conf which define paths. On mine for example there are paths-common.conf and paths-fedora.conf: paths-fedora.conf includes settings for all Red Hat-alike variants including CentOS, and is included from jail.conf.

In CentOS 7 firewalld is a front end for iptables, in CentOS 8 for nftables. The fail2ban package for your OS will be configured accordingly.
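As an added example (not code from this thread or from the fail2ban project), here is a small Python check that mimics fail2ban's `%(name)s` interpolation over the paths-common.conf / paths-fedora.conf / jail.conf / jail.local chain described above. It resolves each enabled jail's logpath, confirms that a `[jail-name]` section maps to a `filter.d/jail-name.conf` file, and globs the resolved logpath to show which files would actually be watched. The file contents are constructed to mirror the listings in this thread; the read order, the extra `apache-bogus` jail and the temporary directory standing in for /var/log/httpd are assumptions made for the demo.

```python
import configparser
import glob
import os
import tempfile

# Constructed fragments modelled on fail2ban's layout (not copied from the project).
# paths-common.conf holds generic defaults; the distro file loaded after it overrides them.
PATHS_COMMON = """\
[DEFAULT]
apache_error_log = /var/log/apache2/*error.log
apache_access_log = /var/log/apache2/*access.log
"""
# Red Hat family: same names, different directory (a temp dir stands in for /var/log/httpd).
PATHS_FEDORA = """\
[DEFAULT]
apache_error_log = {logdir}/*error_log
apache_access_log = {logdir}/*access_log
"""
JAIL_CONF = """\
[DEFAULT]
enabled = false
bantime = 10m
"""
# The thread's jail.local plus one constructed mistake (apache-bogus) to show what the check catches.
JAIL_LOCAL = """\
[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-bogus]
enabled = true
logpath = /nonexistent/*.log
"""
# Read order approximating fail2ban's includes: jail.conf pulls in paths-fedora.conf, which
# pulls in paths-common.conf first; jail.local is read last, so its values win.
LOAD_ORDER = ("paths-common.conf", "paths-fedora.conf", "jail.conf", "jail.local")


def check_jails(etc_dir):
    """Resolve %(name)s references for every enabled jail; report filter presence and log matches."""
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.read([os.path.join(etc_dir, name) for name in LOAD_ORDER])
    report = {}
    for jail in cfg.sections():
        if jail == "INCLUDES" or not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        # fail2ban defaults the filter to the jail name: [apache-auth] -> filter.d/apache-auth.conf
        filter_name = cfg.get(jail, "filter", fallback=jail)
        logpath = cfg.get(jail, "logpath")  # interpolation already applied, e.g. .../httpd/*error_log
        report[jail] = {
            "filter_exists": os.path.isfile(os.path.join(etc_dir, "filter.d", filter_name + ".conf")),
            "logpath": logpath,
            "matched": sorted(f for pat in logpath.split() for f in glob.glob(pat)),
            "bantime": cfg.get(jail, "bantime"),
        }
    return report


def build_demo_tree(root):
    """Create a throwaway /etc/fail2ban and log directory mirroring the thread's listings."""
    etc, logdir = os.path.join(root, "fail2ban"), os.path.join(root, "httpd")
    os.makedirs(os.path.join(etc, "filter.d"))
    os.makedirs(logdir)
    for name in ("apache-auth", "apache-badbots", "apache-noscript"):
        open(os.path.join(etc, "filter.d", name + ".conf"), "w").close()
    for name in ("access_log", "error_log", "modsec_audit.log", "modsec_debug.log"):
        open(os.path.join(logdir, name), "w").close()
    files = {"paths-common.conf": PATHS_COMMON, "paths-fedora.conf": PATHS_FEDORA.format(logdir=logdir),
             "jail.conf": JAIL_CONF, "jail.local": JAIL_LOCAL}
    for name, body in files.items():
        with open(os.path.join(etc, name), "w") as fh:
            fh.write(body)
    return etc, logdir


def run_demo():
    """Build the demo tree in a temp directory and return (report, logdir)."""
    etc, logdir = build_demo_tree(tempfile.mkdtemp())
    return check_jails(etc), logdir


if __name__ == "__main__":
    for jail, info in run_demo()[0].items():
        state = "ok" if info["filter_exists"] and info["matched"] else "PROBLEM"
        print(f"{jail:15} {state:8} logpath={info['logpath']} matched={info['matched']} "
              f"filter={info['filter_exists']} bantime={info['bantime']}")
```

Running it prints one line per enabled jail. The two apache-* jails resolve to the temp directory's `error_log` and `access_log` because paths-fedora.conf overrides the generic values from paths-common.conf, and `bantime` shows how jail.local's `48h` beats the `10m` default. The apache-bogus entry shows the two failure modes worth catching before restarting the service: an enabled jail with no matching filter in filter.d, and a logpath that matches nothing. On a real host, `fail2ban-client -d` dumps the configuration fail2ban itself resolved, which is the authoritative check.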

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about Fail2Ban.

Post by hack3rcon » 2021/01/12 19:19:20

stevemowbray wrote:
2021/01/12 13:56:55
In /etc/fail2ban there are various conf files called paths-[something].conf which define paths. On mine for example there are paths-common.conf and paths-fedora.conf: paths-fedora.conf includes settings for all Red Hat-alike variants including CentOS, and is included from jail.conf.

In CentOS 7 firewalld is a front end for iptables, in CentOS 8 for nftables. The fail2ban package for your OS will be configured accordingly.
Thank you so much for your useful info.
Thus, the location of the log files is defined in the "paths-fedora.conf" file. If I change the Apache settings and define another location for the log files, then must I update the "paths-fedora.conf" file?
In your opinion, is https://www.atlantic.net/vps-hosting/ho ... -centos-8/ tutorial OK?
I used that tutorial to install and configure Fail2Ban:

# fail2ban-client status
Status
|- Number of jail:	3
`- Jail list:	apache-auth, apache-badbots, apache-noscript
But I can't see any rules about it in iptables and Firewalld:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         
           tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW recent: UPDATE seconds: 60 hit_count: 30 name: DEFAULT side: source mask: 255.255.255.255 reject-with tcp-reset

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED limit: avg 100/sec burst 5
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30000:31000 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination         
REJECT     all  --  X.X.X.X          0.0.0.0/0            reject-with icmp-port-unreachable

Chain IN_public_log (1 references)
target     prot opt source               destination         
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED limit: avg 100/sec burst 5 LOG flags 0 level 4 prefix "'HttpsLimit'"

Chain OUTPUT_direct (1 references)
target     prot opt source               destination       
And:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: ftp http imaps smtp ssh
  ports: 80/tcp 443/tcp 21/tcp 20-21/tcp 30000-31000/tcp 25/tcp 993/tcp 465/tcp 143/tcp 110/tcp 587/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule port port="80" protocol="tcp" log prefix="HttpsLimit" level="warning" limit value="100/s" accept limit value="100/s"
	rule family="ipv4" source address="X.X.X.X" reject
Why?
