Fail2ban on EFA MENU

Alleyviper
Posts: 60
Joined: 16 Oct 2018 05:55
Location: Portugal

Fail2ban on EFA MENU

Post by Alleyviper » 04 Jan 2019 02:15

Hi there,

Security is never enough. One feature I'm currently trying to add is Fail2ban Control on Efa Menu.

For now i have the following script:

####################
#!/bin/bash
# Install fail2ban (EPEL package) and enable it at boot (CentOS 6, SysV init).
yum install -y fail2ban
chkconfig fail2ban on

# Local jail overrides; files in jail.d/ are read after jail.conf.
cat << 'EOF' > /etc/fail2ban/jail.d/local.conf
[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 5
bantime = 2592000

[sshd]
enabled = true
port = ssh
# Without parameters the action falls back to its own defaults
# (name=default, port=ssh, protocol=tcp).
action = iptables-multiport
logpath = /var/log/secure
maxretry = 9
bantime = 2592000
EOF

# Persist the current iptables rules, then restart so fail2ban can add its chains.
service iptables save
/etc/init.d/iptables restart
/etc/init.d/fail2ban start
####################

This installs fail2ban with IP banning for sshd and SASL authentication after x failed attempts.

Maybe it will be useful for you guys.

Further development will allow checking from the EFA menu how many IPs are banned, checking whether one in particular is on the ban list, and even unbanning it if needed.

HTTPS block to EFA is not yet configured.

#######
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     16
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 15
   |- Total banned:     15
   `- Banned IP list:   149.56.173.70 185.161.224.10 185.204.207.215 185.234.216.87 185.234.218.231 188.165.221.36 188.81.41.164 191.96.249.23 191.96.249.43 196.28.236.73 198.50.241.77 217.217.179.17 37.49.225.21 81.130.166.70 89.248.172.85
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     46
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 228
   |- Total banned:     228
   `- Banned IP list:   101.236.46.34 103.243.138.30 103.40.20.174 103.40.23.251 103.80.31.56 104.168.144.8 104.234.223.14 104.248.223.115 104.248.77.96 106.12.85.241 106.51.39.163 107.23.201.233 108.160.140.40 109.48.212.139 111.207.49.184 111.230.28.139 111.231.119.29 111.231.144.140 112.85.42.144 112.85.42.148 112.85.42.150 112.85.42.156 112.85.42.195 112.85.42.196 112.85.42.198 112.85.42.230 112.85.42.235 112.85.42.62 114.112.93.72 115.233.246.46 115.238.245.2 115.238.245.4 115.238.245.8 116.237.155.47 116.31.116.2 117.156.94.32 118.123.15.142 118.151.209.119 118.24.113.48 118.24.186.210 118.26.69.133 119.92.87.23 121.22.80.117 122.115.54.132 122.194.229.3 122.194.229.42 122.226.181.164 122.226.181.165 122.226.181.166 122.226.181.167 123.127.87.37 123.207.173.22 123.207.27.242 125.65.42.192 128.199.140.214 129.157.169.204 129.211.108.184 129.211.36.199 132.232.204.240 132.232.221.202 132.232.243.134 132.232.33.174 132.232.36.229 132.232.76.213 132.232.82.170 132.232.97.57 134.175.180.208 134.175.20.105 134.175.59.130 139.199.113.236 139.199.203.114 139.59.173.17 14.1.29.76 142.93.100.148 142.93.160.109 144.217.167.219 148.70.2.198 148.70.63.247 150.109.59.70 150.131.194.143 151.15.100.195 151.80.155.3 154.8.219.151 156.237.129.214 159.89.155.92 164.132.43.198 167.114.234.173 167.99.170.19 176.206.190.148 176.209.174.187 177.11.121.15 178.62.102.53 178.62.94.180 180.167.10.39 180.76.162.45 185.143.223.191 185.148.38.112 185.148.38.
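As an added example (not code from the original post or from the EFA project), here is a set of shell helpers for the menu items the post plans: counting how many IPs a jail has banned, checking whether one particular IP is on the ban list, and unbanning it. The parsing functions read `fail2ban-client status <jail>` text on stdin, so they can be exercised against the constructed sample below without a running fail2ban; the function names (f2b_count_banned and friends) are assumptions for this example. The live wrappers use the real `fail2ban-client status` and `fail2ban-client set <jail> unbanip <ip>` commands and need root.

```shell
#!/bin/sh
# Added example, not code from the original post or the EFA project.
# Helpers for the planned EFA-menu items: how many IPs a jail has banned,
# whether a given IP is on the ban list, and unbanning it.
# Parsing functions read `fail2ban-client status <jail>` text on stdin.

# Constructed sample (documentation addresses), shaped like real
# `fail2ban-client status sshd` output.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     46
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   192.0.2.10 198.51.100.7 203.0.113.99'

# Print the banned IPs from status text on stdin, one per line.
f2b_parse_banned() {
    sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n' | sed '/^$/d'
}

# Number of banned IPs in status text on stdin (0 when the list is empty).
f2b_count_banned() {
    f2b_parse_banned | wc -l | tr -d ' '
}

# Exit 0 if $1 is in the banned list read from stdin, 1 otherwise.
f2b_is_banned() {
    f2b_parse_banned | grep -qxF "$1"
}

# Accept only a dotted quad before anything reaches fail2ban-client, so a
# typo in the menu cannot turn into an odd command line.
f2b_valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Live wrappers: need root and a running fail2ban. $1 = jail, $2 = IP.
f2b_count() { fail2ban-client status "$1" | f2b_count_banned; }

f2b_check() {
    f2b_valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 2; }
    fail2ban-client status "$1" | f2b_is_banned "$2"
}

# Unban only when the address is actually banned, so the menu can report
# "not banned" instead of an opaque client error.
f2b_unban() {
    if f2b_check "$1" "$2"; then
        fail2ban-client set "$1" unbanip "$2"
    elif [ $? -eq 1 ]; then
        echo "$2 is not banned in jail $1" >&2
        return 1
    else
        return 2
    fi
}
```

From a menu script, `f2b_count sshd` gives the number to display, `f2b_check sshd 203.0.113.99` answers the "is this one banned?" question with its exit status, and `f2b_unban sshd 203.0.113.99` removes the ban; the jail names must match those in jail.d/local.conf.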

Alleyviper
Posts: 60
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Fail2ban on EFA MENU

Post by Alleyviper » 04 Jan 2019 02:21

One other thing: you can also define an e-mail address to which reports on banned IPs are sent.

[postfix-sasl]
enabled = true
filter = postfix-sasl
# A second action on the indented continuation line; the name parameter is
# only the label used in the report e-mail.
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
         sendmail-whois[name=POSTFIX-SASL, dest=emaildestination@domain.tld, sender=fromemail@domain.tld]
logpath = /var/log/maillog
maxretry = 5
bantime = 2592000

Alleyviper
Posts: 60
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Fail2ban on EFA MENU

Post by Alleyviper » 04 Jan 2019 02:24

The whois feature is installed with
yum install jwhois

In the email you will get something like this:

Hi,

The IP 193.112.55.69 has just been banned by Fail2Ban after
9 attempts against SSH.


Here is more information about 193.112.55.69 :

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.112.0.0 - 193.112.255.255'

% No abuse contact registered for 193.112.0.0 - 193.112.255.255

inetnum: 193.112.0.0 - 193.112.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIR's at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
created: 2017-06-29T08:58:00Z
last-modified: 2018-09-04T13:34:33Z
source: RIPE

organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/numbers
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2004-04-17T09:57:29Z
last-modified: 2013-07-22T12:03:42Z
source: RIPE # Filtered

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.92.6 (ANGUS)

Regards,

Fail2Ban

shawniverson
Posts: 2737
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Fail2ban on EFA MENU

Post by shawniverson » 05 Jan 2019 18:25

Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!
