Virtualmin and Fail2Ban

Ok, I got stuck with this module and didn't manage to find any documentation on this site (not even Google came up with something useful). I installed fail2ban through Webmin and the installation was all OK, but what I noticed was that fail2ban activated only one option, and that was for SSH. The first problem I had was f2b not banning the IP, and I sorted this problem by changing “backend = auto” to “backend = polling”. I made a test and this was the result:
Apr 6 16:59:57 myserver fail2ban.actions[932]: WARNING [ssh-iptables] Ban XXX.XXX.XXX.XXX
Apr 6 17:59:58 myserver fail2ban.actions[932]: WARNING [ssh-iptables] Unban XXX.XXX.XXX.XXX

But now I’m facing another problem: what should I enable in f2b and what should I leave for Virtualmin/Webmin to handle? For example, a few things from my log files:
Apr 7 10:12:47 myserver named[528]: client 124.232.142.220#54547: query (cache) ‘www.google.it/A/IN’ denied
Apr 7 08:28:40 myserver named[528]: error (unexpected RCODE REFUSED) resolving ‘166.219.97.121.in-addr.arpa/PTR/IN’: 210.4.2.4#53
Apr 7 07:13:58 myserver named[528]: error (connection refused) resolving ‘software.virtualmin.com/AAAA/IN’: 108.60.199.116#53
Apr 7 07:13:58 myserver named[528]: error (connection refused) resolving ‘software.virtualmin.com/A/IN’: 108.60.199.116#53
Apr 7 00:54:29 myserver auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@mydomain.com rhost=94.102.60.175
Apr 7 00:54:29 myserver auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@mydomain.com rhost=94.102.60.175

These are the most common ones I have encountered until now. So, like I said before, from these logs should I be worried regarding the security of Virtualmin/Webmin, what should I leave to your software to deal with and what should I enforce with f2b?
Even though Virtualmin is a great control panel, sometimes I get stuck with things that take too much time to sort out only because the documentation is so poorly written or non-existent. Anyway, I would really appreciate it if someone could shed some light on f2b and Virtualmin.
OS: CentOS 6.6

For me, FAIL2BAN was great but not that user friendly. CSF (ConfigServer Security & Firewall) is much more user friendly so I would suggest trying that out until you are more familiar with the system.

CSF and f2b are two different things. In some parts they are similar, but they have a different approach depending on what you need. Still, I would like to have answers to my questions.

Ok, I think I managed to get rid of the annoying probers:
Chain fail2ban-Named (1 references)
target prot opt source destination
REJECT all -- 198.48.92.104 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.5.249.86 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 124.232.142.220 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.23.3.248 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 188.165.235.34 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 192.3.194.138 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 74.82.47.2 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ProFTPD (1 references)
target prot opt source destination
REJECT all -- 95.178.142.129 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-pam (1 references)
target prot opt source destination
REJECT all -- 94.102.60.175 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 95.178.142.129 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Because I’m not sure how Webmin/Virtualmin handle this stuff, maybe it is better to just block them and be on the safe side. I hope these settings will not conflict with Webmin/Virtualmin, as I could not find a single piece of info about this. The only problem I have now is to figure out how to do the same thing for Usermin. Would this rule (filter) be OK to ban failed login attempts for Usermin:
[INCLUDES]
before = common.conf
[Definition]
_daemon = usermin
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
ignoreregex =
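
An added example, not part of the original thread: a Python check of the two failregex patterns from the post above, written with fail2ban's <HOST> tag before the trailing \s*$, run over constructed syslog lines. The HOST and PREFIX_LINE expansions are simplified stand-ins for fail2ban's own, and the Usermin message wording is assumed to be what the filter expects.

```python
import re

# Simplified stand-ins (assumptions) for what fail2ban substitutes at load time;
# the real <HOST> and __prefix_line expansions are broader than these.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DAEMON = "usermin"
PREFIX_LINE = (
    r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?"   # syslog timestamp
    r"(?:\S+\s+)?"                                    # hostname
    + re.escape(DAEMON) + r"(?:\[\d+\])?:\s+"         # daemon[pid]:
)

FAILREGEX = [
    r"^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$",
    r"^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$",
]

def compile_failregex(patterns):
    """Expand the two placeholders and compile each pattern."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for p in patterns
    ]

def failed_hosts(lines):
    """Return the host captured from each line that a failregex matches."""
    compiled = compile_failregex(FAILREGEX)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    "Apr  7 10:00:01 myserver usermin[2211]: Invalid login as test from 203.0.113.5",
    "Apr  7 10:00:03 myserver usermin[2211]: Non-existent login as admin from 203.0.113.5",
    "Apr  7 10:00:05 myserver usermin[2211]: Successful login as bob from 198.51.100.7",
    "Apr  7 10:00:07 myserver webmin[1999]: Invalid login as root from 192.0.2.9",
    # Username that itself contains " from <ip>": the $ anchor keeps the real peer.
    "Apr  7 10:00:09 myserver usermin[2211]: Invalid login as x from 10.0.0.1 from 203.0.113.77",
]

if __name__ == "__main__":
    for host in failed_hosts(SAMPLE_LOG):
        print("would count a failure for", host)
```

On the server itself, fail2ban-regex takes a log file and a filter file as arguments and applies the real expansions to real log lines.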

Because I’m not sure how Webmin/Virtualmin handle this stuff, maybe it is better to just block them and be on the safe side.

Webmin and Usermin will automatically block any IP address attempting to repeatedly log in to the control panel. It will block them for 5 minutes.

Other services don’t do that though and need a tool such as fail2ban to handle that.

I hope these settings will not conflict with Webmin/Virtualmin, as I could not find a single piece of info about this.

Virtualmin doesn’t set up a firewall by default, so there’s nothing to conflict with.

You can certainly block IP addresses of bots causing problems.

-Eric

If I use CSF and LFD… how would Fail2ban benefit me?