Fail2ban is an intrusion prevention software framework that protects computer servers from primarily brute-force attacks, banning bad user agents, banning URL scanners, and much more.
Category: Fail2ban
Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Follow up by installing fail2ban:
yum install fail2ban
The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however, and we should instead make a local copy of it.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new jail.local file. Many of possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.
Set up a few rules on a plesk server with CentOS
SSH
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=10222, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=admin@domain.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
* Notice ssh is set up on port 10222
ProFTP
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=admin@domain.com]
logpath = /var/log/secure
maxretry = 5
* Notice the log location. This is for a Plesk server as proftpd logs to /var/log/secure
Restart fail2ban
# service fail2ban restart
Postfix
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=admin@domain.com]
logpath = /usr/local/psa/var/log/maillog
Postfix
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny[file=/etc/fail2ban/hosts.deny]
sendmail[name=Postfix, dest=admin@domain.com]
logpath = /usr/local/psa/var/log/maillog
bantime = 300
Apache Auth
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables[name=apache, port=apache, protocol=tcp]
sendmail-whois[name=apache, dest=admin@domain.com]
logpath = /var/log/httpd/error_log
# /home/www/myhomepage/error.log
maxretry = 6
Whitelisting is setup in the jail.conf file using a space separated list.
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
# This will ignore connection coming from common private networks. # Note that local connections can come from other than just 127.0.0.1, so # this needs CIDR range too. ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16