Fail2Ban setup

Hi there.
I have just installed Fail2Ban on my CentOS 7 box running the latest version of Webmin and VirtualMin.

Obviously by default, all of the individual options are disabled, although I think SSH is enabled by default (but I couldn’t even see this in the list??)

I want to enable dovecot and postfix initially.
If I access the setting for each module, I can enable it, but then it asks for the filter to search the log for. I choose postfix/dovecot appropriately.

Is that right?

Also, do I need to add any actions to apply?

Thanks in advance,
Craig

No rules are enabled in a default install, as far as I know.

You need to add “enabled = true” to each jail you want to enable; this will cause either the default banaction, or the one you’ve specified in the config section for the jail to be applied.

Your banaction needs to match whatever firewall you have running (probably iptables or firewalld). For iptables the action would be iptables-multiport, or for firewalld you’d want firewallcmd-ipset.

You can find the DEFAULT banaction in /etc/fail2ban/jail.conf, or in /etc/fail2ban/jail.d/*.conf, or in jail.local (if you have one). The parser goes in that order and the last directive it sees is the one that applies.

You can see the current fail2ban config with fail2ban-client -d.

So, to be clear:

A jail (a section in the fail2ban config file) must have enabled = true, and it must have an action associated with it that will block traffic on your system. Usually this is just the DEFAULT banaction. That banaction needs to be one that’ll work on your system (an iptables rule won’t work if you have a firewalld firewall running, and vice versa).

I went and dug up what we’re putting into the /etc/fail2ban/jail.local on new installs going forward in Virtualmin 6 (this isn’t in the alpha installer that’s available, but will be very soon, maybe tonight):

[sshd]

enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[ssh-ddos]

enabled = true
port = ssh,sftp
filter = sshd-ddos
logpath = %(sshd_log)s

[webmin-auth]

enabled = true
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[proftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s

[postfix]

enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[dovecot]

enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[postfix-sasl]

enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

And, on CentOS 7, where we’ll be setting up a firewalld firewall, we install the fail2ban-firewalld module, which created this file in /etc/fail2ban/jail.d/00-firewalld.conf:

[DEFAULT]
banaction = firewallcmd-ipset

So, if you just want a set-it-and-forget-it set of files, that’ll do it, assuming you’re using firewalld. (There is no default firewall in Virtualmin installations prior to VM6, but if you had any of the supported firewalls running when it was installed, it would have configured it for use with Virtualmin.)
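As an added example, not code from the thread or from Virtualmin, here is a small Python script that resolves a fail2ban jail configuration in the order the reply describes (jail.conf, then jail.d/*.conf, then jail.local, last directive wins) and reports which jails end up enabled and which banaction and logpath they resolve to. The three config texts are constructed samples, and `config_order` assumes the standard /etc/fail2ban layout.

```python
import configparser
import glob
import os

# Constructed stand-ins for the files under /etc/fail2ban, listed in the
# order the parser reads them: jail.conf, then jail.d/*.conf, then jail.local.
SAMPLE_TEXTS = [
    # jail.conf: all jails off, iptables banaction, log locations as variables
    """[DEFAULT]
enabled = false
banaction = iptables-multiport
postfix_log = /var/log/maillog
dovecot_log = /var/log/maillog

[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s

[dovecot]
port = pop3,pop3s,imap,imaps
logpath = %(dovecot_log)s
""",
    # jail.d/00-firewalld.conf: fail2ban-firewalld swaps the default banaction
    "[DEFAULT]\nbanaction = firewallcmd-ipset\n",
    # jail.local: only the jails being switched on
    "[postfix]\nenabled = true\n\n[dovecot]\nenabled = true\n",
]

def config_order(root="/etc/fail2ban"):
    """Config paths in the order fail2ban applies them (last directive wins)."""
    paths = [os.path.join(root, "jail.conf")]
    paths += sorted(glob.glob(os.path.join(root, "jail.d", "*.conf")))
    local = os.path.join(root, "jail.local")
    if os.path.exists(local):
        paths.append(local)
    return paths

def effective_jails(texts):
    """Merge config texts in order; return enabled jails with resolved values."""
    cp = configparser.ConfigParser()  # default BasicInterpolation expands %(x)s
    for text in texts:
        cp.read_string(text)  # a later source overrides an earlier one
    return {
        jail: {"banaction": cp.get(jail, "banaction"),
               "logpath": cp.get(jail, "logpath")}
        for jail in cp.sections()
        if cp.getboolean(jail, "enabled", fallback=False)
    }
```

Running `effective_jails([open(p).read() for p in config_order()])` on a real box gives the same view as `fail2ban-client -d`, but only for the enabled/banaction/logpath keys.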