Fail2Ban or another brute force blocking software

I can also recommend CSF/LFD. I have it in production use, and there’s a Webmin module for it.

FTP logins are not getting banned on my server, so that's why I am looking for fail2ban.

csf is only blocking smtp failures and ssh.

Usually someone from the *min team jumps to answer a thread, what is happening here? This is such an ancient thread; I don’t think this is too much for us to expect an answer from the devs/mods…

There is nothing better than fail2ban, and people are asking for this because sometimes it is a pain to configure. I for myself managed to get it to work very easily on CentOS 5 and 6 with ssh and proftpd; but we will also need at least the mail protection - gave up on that a long time ago, never managed to make fail2ban read the damn log files properly. And it does so much more. Would be nice also to get it backed up in the Webmin area, most of the time I forget about the little wonder fail2ban and I am not adding the files to the extra Webmin backup stuff - have to configure it again.

Also it would be useful to get it to work differently for different domains, via Virtualmin, to stop hits in the web applications.

This is all because sometimes the pattern of the response and location of the logs differ from distribution to distribution, so no “how to” will help us here. It is just an endless trial and error 'till you figure things out or drop the issue…

@Sesso: Are you using Ubuntu/Debian by chance? The default configuration for LFD has an incorrect FTP logfile set at least on Ubuntu.

Check your /etc/csf/csf.conf file, and near the bottom, you need these for Virtualmin on Ubuntu:

# Log file locations
HTACCESS_LOG = "/var/log/apache2/error.log"
MODSEC_LOG = "/var/log/apache2/error.log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/syslog"
FTPD_LOG = "/var/log/proftpd/proftpd.log"
SMTPAUTH_LOG = "/var/log/mail.log"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"

In addition, if you want to block Postfix SMTP Auth errors (which CSF does not catch by default), you need this in /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/mail.log"

and this in /etc/csf/regex.custom.pm, between the “do not edit before” and “do not edit after” lines:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600");
}

“csmtpautherr” is a user-defined label for this custom check. “6” is the number of failures at which the check should trigger. 25 is the port to block, and 3600 the temp block time in seconds.

CSF/LFD works just as well as fail2ban. It might not be just as flexible in terms of jail behavior, but in turn it is much easier to configure, and has a nicely working Webmin plugin, and tons of other features.

@Locutus, thanks! Great,

one question. If I want to block / check ports 586 and 465 for smtp, how could I modify this rule to do so? Or what do you suggest?

LFD is not “port dependent” in terms of checking, it just matches logfile lines against regular expressions.

If you want to block ports 586 and 465 additionally/instead of 25, you can just replace the “25” with e.g. “25,586,465” in the rule. You can also configure LFD to block the IP completely and not only on specific ports (that’s what I use normally - why would I want a dictionary attacker to still have access to other ports :slight_smile: ).

OK, so can I put “*” for port block to block on all ports?

Not sure, you might be able to use “1:65535” which is the usual CSF syntax to specify port ranges. Might want to check the documentation though.

Having blocks apply to all ports is normally done in CSF config globally though; check the config file, it has explanation and examples for that.

Locutus, my Debian 7 “logfile” area of CSF.CONF looks like this:

# Log file locations

HTACCESS_LOG = "/var/log/apache2/error.log"
MODSEC_LOG = "/var/log/apache2/error.log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/messages"
FTPD_LOG = "/var/log/messages" <= yep, this one is wrong
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/auth.log"
CUSTOM1_LOG = "/var/log/messages"

I’m not sure about all those “syslog” entries of yours?? : )

Mine is for Ubuntu, there the file is called syslog. Of course it may be different for you. :slight_smile:

Hi Jimdunn,

the best way for you is to go to that folder /var/log and check those files ;), and you can also check each service's setting for its log file.

Thanks to Locutus I wasn’t even thinking about this before his comments…

Locutus,

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [-.[:alnum:]]+[([.[:digit:]]+)]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600");
}

Error:

Stopping lfd: Done
Starting lfd:Having no space between pattern and following word is deprecated at /usr/local/csf/bin/regex.custom.pm line 35.
Unmatched [ in regex; marked by <-- HERE in m/^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [ <-- HERE -.

This stops lfd from starting. I have no idea what the problem with your expression is. Can you assist please.

Cheers
Spart

ossec: +1

Denyhosts is a pretty good IDS…

Debian already has it in the repos.

http://denyhosts.sourceforge.net/

so maybe it would be better to come up with a generic IDS module/interface so that volunteers can add support for their preferred system (fail2ban, DenyHosts or ossec) ?

Slightly offtopic: Personally, I would consider IDS info to be at least as relevant as SMART info (or firewall/iptables logs!), so it should ideally also be integrated/shown on the webmin index page using some basic summary (green/red status, last events) analogous to how SMART info is currently shown.

OpenVZ events (especially beancounter stuff) should probably be also displayed there (for containers, but also the HW node) ?

+1 for a fail2ban module

Please consider this request.

Locutus,

I’m having the same error from LFD after trying the following regex.custom.pm entry:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [-.[:alnum:]]+[([.[:digit:]]+)]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600");
}

Do you have any clues? Here’s the error:

Having no space between pattern and following word is deprecated at /usr/local/csf/bin/regex.custom.pm line 36.
Unmatched [ in regex; marked by <-- HERE in m/^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [ <-- HERE -.
at /usr/local/csf/bin/regex.custom.pm line 36.

Compilation failed in require at /usr/sbin/lfd line 103.
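To check a custom LFD rule before restarting lfd, here is an added example (not CSF/LFD code) that takes the Postfix SASL pattern from the earlier post, with its backslash escapes intact as the Perl m/.../ needs them (the two error reports above show copies where the escapes were lost), translates the POSIX classes to Python's re syntax, runs it over constructed mail.log lines and applies the same per-IP trigger the return() declares. The log lines and IPs are constructed for the test.

```python
import re
from collections import Counter

# Same structure as the Perl pattern in regex.custom.pm; POSIX classes
# replaced by Python equivalents ([[:digit:]] -> \d, [[:alnum:]] -> A-Za-z0-9).
SASL_FAIL = re.compile(
    r"^\w{3} [ :\d]{11} [._A-Za-z0-9-]+ postfix/smtpd\[\d+\]: "
    r"warning: [-._A-Za-z0-9]+\[([.\d]+)\]: "
    r"SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ A-Za-z0-9]*)?$"
)

# The return() arguments of the rule, in the same order: label, trigger
# count, port(s) to block, temporary block time in seconds.
LABEL, TRIGGER, PORTS, TTL = "csmtpautherr", 6, "25", 3600


def failed_auth_ip(line):
    """Return the client IP if the line is a SASL auth failure, else None."""
    m = SASL_FAIL.match(line)
    return m.group(1) if m else None


def blocks_for(lines, trigger=TRIGGER, ports=PORTS, ttl=TTL):
    """Simulate the LFD threshold: emit a block once an IP reaches `trigger` failures."""
    counts = Counter()
    blocks = []
    for line in lines:
        ip = failed_auth_ip(line)
        if ip is None:
            continue
        counts[ip] += 1
        if counts[ip] == trigger:
            blocks.append((ip, LABEL, ports, ttl))
    return blocks


# Constructed sample log lines (documentation IPs, not from a real server):
# six LOGIN failures from one client, one PLAIN failure from another,
# and one unrelated connect line that must not match.
SAMPLE = [
    "Mar 12 10:15:%02d mail postfix/smtpd[2143]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6" % s for s in range(6)
] + [
    "Mar 12 10:16:01 mail postfix/smtpd[2143]: warning: host.example.net[198.51.100.9]: "
    "SASL PLAIN authentication failed",
    "Mar 12 10:16:02 mail postfix/smtpd[2143]: connect from host.example.net[198.51.100.9]",
]

if __name__ == "__main__":
    for ip, label, ports, ttl in blocks_for(SAMPLE):
        print("block %s (%s) on port(s) %s for %d s" % (ip, label, ports, ttl))
```

Passing a different `ports` string (e.g. "25,465") mirrors editing the fifth return() argument, which is the only part of the rule that is port-specific.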

Thank you for making this module a reality.

I think it would be great to add jail.local to the “Edit Config Files” list; it is more appropriate to use it instead of jail.conf, since the latter will be overwritten when upgrading the software.

I am just setting up my first Virtualmin Pro server… and one of the first things I am doing will be setting Fail2Ban up.