
Fail2ban on EFA MENU

Posted: 04 Jan 2019 02:15
by Alleyviper
Hi there,

Security is never enough. One feature I'm currently trying to add is Fail2ban Control on Efa Menu.

For now i have the following script:

####################
#!/bin/bash
# Install fail2ban (from the EPEL repository on CentOS) and enable it at boot
yum install -y fail2ban
chkconfig fail2ban on

# Write the local jail definitions; files in jail.d override jail.conf
touch /etc/fail2ban/jail.d/local.conf
cat << EOF > /etc/fail2ban/jail.d/local.conf
[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 5
bantime = 2592000

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 9
bantime = 2592000
EOF

# Persist the current iptables rules, restart iptables, then start fail2ban
service iptables save
/etc/init.d/iptables restart
/etc/init.d/fail2ban start

####################

This installs fail2ban with an IP ban for sshd and SASL authentication after x failed attempts.

Maybe it will be useful for you guys.

Further development will allow checking from the EFA menu how many IPs are banned, checking whether one particular IP is on the ban list, and even unbanning it if needed.

HTTPS block to EFA is not yet configured.

#######
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 16
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 15
   |- Total banned: 15
   `- Banned IP list: 149.56.173.70 185.161.224.10 185.204.207.215 185.234.216.87 185.234.218.231 188.165.221.36 188.81.41.164 191.96.249.23 191.96.249.43 196.28.236.73 198.50.241.77 217.217.179.17 37.49.225.21 81.130.166.70 89.248.172.85
Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 46
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 228
   |- Total banned: 228
   `- Banned IP list: 101.236.46.34 103.243.138.30 103.40.20.174 103.40.23.251 103.80.31.56 104.168.144.8 104.234.223.14 104.248.223.115 104.248.77.96 106.12.85.241 106.51.39.163 107.23.201.233 108.160.140.40 109.48.212.139 111.207.49.184 111.230.28.139 111.231.119.29 111.231.144.140 112.85.42.144 112.85.42.148 112.85.42.150 112.85.42.156 112.85.42.195 112.85.42.196 112.85.42.198 112.85.42.230 112.85.42.235 112.85.42.62 114.112.93.72 115.233.246.46 115.238.245.2 115.238.245.4 115.238.245.8 116.237.155.47 116.31.116.2 117.156.94.32 118.123.15.142 118.151.209.119 118.24.113.48 118.24.186.210 118.26.69.133 119.92.87.23 121.22.80.117 122.115.54.132 122.194.229.3 122.194.229.42 122.226.181.164 122.226.181.165 122.226.181.166 122.226.181.167 123.127.87.37 123.207.173.22 123.207.27.242 125.65.42.192 128.199.140.214 129.157.169.204 129.211.108.184 129.211.36.199 132.232.204.240 132.232.221.202 132.232.243.134 132.232.33.174 132.232.36.229 132.232.76.213 132.232.82.170 132.232.97.57 134.175.180.208 134.175.20.105 134.175.59.130 139.199.113.236 139.199.203.114 139.59.173.17 14.1.29.76 142.93.100.148 142.93.160.109 144.217.167.219 148.70.2.198 148.70.63.247 150.109.59.70 150.131.194.143 151.15.100.195 151.80.155.3 154.8.219.151 156.237.129.214 159.89.155.92 164.132.43.198 167.114.234.173 167.99.170.19 176.206.190.148 176.209.174.187 177.11.121.15 178.62.102.53 178.62.94.180 180.167.10.39 180.76.162.45 185.143.223.191 185.148.38.112 185.148.38.
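
The three menu checks the post plans (how many IPs are banned, whether one IP is on the list, unbanning it) can be built on fail2ban-client's `status` and `set <jail> unbanip` commands. The script below is an added example written for this thread; it is not code from the original post or from the EFA project. It assumes fail2ban-client is on PATH and that the jail names are the ones from the script above; the parsers read status text from stdin, so they are exercised here against a constructed sample (RFC 5737 addresses) without a running fail2ban.

```shell
#!/bin/bash
# Added example for this thread (not code from the original post or from EFA):
# menu-style helpers around fail2ban-client for the checks the post plans.
# Assumptions: fail2ban-client on PATH; jails named as in the script above.

# "Currently banned" count from the text of `fail2ban-client status <jail>`.
banned_count_from_status() {
    sed -n 's/.*Currently banned:[[:space:]]*//p' | head -n 1
}

# The banned IP list from the same status text, one IP per line.
banned_list_from_status() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Exit 0 when $1 is on the banned list read from stdin, 1 otherwise.
ip_in_status() {
    banned_list_from_status | grep -qxF "$1"
}

# Live wrappers for a menu entry (these need fail2ban running).
jail_banned_count() { fail2ban-client status "$1" | banned_count_from_status; }
jail_has_ip()       { fail2ban-client status "$1" | ip_in_status "$2"; }
jail_unban_ip()     { fail2ban-client set "$1" unbanip "$2"; }

# Dispatcher: ./f2b-menu.sh count <jail> | check <jail> <ip> | unban <jail> <ip>
menu() {
    case "$1" in
        count) jail_banned_count "$2" ;;
        check) if jail_has_ip "$2" "$3"; then echo "$3 is banned in $2"
               else echo "$3 is not banned in $2"; fi ;;
        unban) jail_unban_ip "$2" "$3" ;;
        *) echo "usage: $0 count|check|unban <jail> [ip]" >&2; return 2 ;;
    esac
}

# Constructed sample in the shape of the status output quoted in the post.
SAMPLE_STATUS='Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 16
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 3
   |- Total banned: 3
   `- Banned IP list: 203.0.113.5 198.51.100.7 192.0.2.9'

if [ $# -gt 0 ]; then
    menu "$@"
else
    # Dry run on the constructed sample: prints 3, then the membership check.
    printf '%s\n' "$SAMPLE_STATUS" | banned_count_from_status
    if printf '%s\n' "$SAMPLE_STATUS" | ip_in_status 198.51.100.7; then
        echo "198.51.100.7 is on the sample list"
    fi
fi
```

Run without arguments it only parses the embedded sample; with `count postfix-sasl` or `check sshd <ip>` it queries the live jails. Unbanning goes through fail2ban-client rather than iptables directly, so fail2ban's own view of the ban stays consistent with the firewall rule.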

Re: Fail2ban on EFA MENU

Posted: 04 Jan 2019 02:21
by Alleyviper
One other thing: you can also define an e-mail address to send a report on banned IPs

[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
         sendmail-whois[name=SSH, dest="emaildestination@domain.tld", sender="fromemail@domain.tld"]
logpath = /var/log/maillog
maxretry = 5
bantime = 2592000

Re: Fail2ban on EFA MENU

Posted: 04 Jan 2019 02:24
by Alleyviper
The whois feature is installed with
yum install jwhois

In the email you will get something like this:

Hi,

The IP 193.112.55.69 has just been banned by Fail2Ban after
9 attempts against SSH.


Here is more information about 193.112.55.69 :

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.112.0.0 - 193.112.255.255'

% No abuse contact registered for 193.112.0.0 - 193.112.255.255

inetnum: 193.112.0.0 - 193.112.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIR's at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
created: 2017-06-29T08:58:00Z
last-modified: 2018-09-04T13:34:33Z
source: RIPE

organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/numbers
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2004-04-17T09:57:29Z
last-modified: 2013-07-22T12:03:42Z
source: RIPE # Filtered

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.92.6 (ANGUS)

Regards,

Fail2Ban

Re: Fail2ban on EFA MENU

Posted: 05 Jan 2019 18:25
by shawniverson

Re: Fail2ban on EFA MENU

Posted: 09 Jun 2019 18:32
by jamerson
This is something I've been wanting to have; however, I never got the chance to implement it.
@shawniverson I hope this feature will be available on the V4 and easy to configure.

Re: Fail2ban on EFA MENU

Posted: 13 Jun 2019 08:59
by shawniverson
Yep :D

Re: Fail2ban on EFA MENU

Posted: 15 Jun 2019 01:58
by Alleyviper
Hi there,

I've been using it for some time now :)

Re: Fail2ban on EFA MENU

Posted: 29 Jul 2019 14:09
by jamerson
Alleyviper wrote: 15 Jun 2019 01:58 Hi there,

I've been using it for some time now :)
Big thank you for this. Is this working on the V4 too?
It would be much appreciated if you added the first important steps, i.e. how to make the script executable, as most users are not experienced with Linux,
and also where to save it etc...
I will work on it this week to get it configured.
Would this ban access to the GUI or also to the relay?

Re: Fail2ban on EFA MENU

Posted: 21 Aug 2019 15:20
by Alleyviper
I have created a folder from where scripts are managed

Code:

mkdir /scripts

This is from root, so just login as root and create the folder.

Inside this main folder I have created another folder called fail2ban (having a lot of scripts for specific things, I try to be nice and tidy).

First get into the scripts folder

Code:

cd /scripts/

Then make the fail2ban folder

Code:

mkdir fail2ban

So now I can go into that folder

Code:

cd /scripts/fail2ban/

Create the file

Code:

vi filename.sh

Or

Code:

nano filename.sh

depending on the file editor you prefer.
Note: if you are not good with the VI editor yet (just being lazy like me), just install nano

Code:

yum install nano -y

Make the file executable

Code:

chmod +x filename.sh

You can then execute it:

Code:

./filename.sh

Adding more ban options is possible, but I just chose SSH and SASL for now.

Answering your question: SASL ban is related to mail relay attempts with wrong credentials, so it works :dance:
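
To see what the postfix-sasl jail from the first post actually counts before relying on it, it helps to dry-run the threshold over maillog lines. The script below is an added example written for this thread, not code from the original post, from fail2ban or from EFA. Its extraction pattern approximates what fail2ban's postfix-sasl filter matches (an assumption for this example, not fail2ban's own failregex), it uses the jail's maxretry of 5, and it ignores the findtime window, so on a real log it over-counts slow attempts. The sample log lines are constructed with RFC 5737 addresses.

```shell
#!/bin/bash
# Added example for this thread (not from the original post, fail2ban or EFA):
# which client IPs in a maillog would reach the postfix-sasl jail's maxretry.
# The sed pattern is an approximation of fail2ban's postfix-sasl filter and the
# findtime window is ignored; both are assumptions of this example.

MAXRETRY=5   # same value as the [postfix-sasl] jail in the first post

# Print the client IP of each postfix/smtpd SASL authentication failure on stdin.
sasl_failure_ips() {
    sed -n -E 's/^.*postfix\/smtpd\[[0-9]+\]: warning: [^[ ]*\[([0-9.]+)\]: SASL [A-Za-z0-9-]+ authentication failed.*$/\1/p'
}

# Print "count ip" for every IP whose failures reached MAXRETRY: these are the
# clients the jail would hand to the iptables action.
ips_over_threshold() {
    sasl_failure_ips | sort | uniq -c | awk -v max="$MAXRETRY" '$1 >= max { print $1, $2 }'
}

# Constructed maillog excerpt: five failures from one client, two from another,
# and two unrelated connect/disconnect lines that must not be counted.
SAMPLE_LOG='Jan  4 02:10:01 efa postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  4 02:10:03 efa postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  4 02:10:05 efa postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jan  4 02:10:08 efa postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  4 02:10:11 efa postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  4 02:11:12 efa postfix/smtpd[2214]: warning: mail.example[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  4 02:11:15 efa postfix/smtpd[2214]: warning: mail.example[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  4 02:12:00 efa postfix/smtpd[2220]: connect from mx.example[192.0.2.9]
Jan  4 02:12:03 efa postfix/smtpd[2220]: disconnect from mx.example[192.0.2.9]'

# Dry run on the sample; on a live box use: ips_over_threshold < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold
```

On the sample only 203.0.113.5 reaches the threshold; 198.51.100.7 stays under it and the connect/disconnect lines are not matched at all, which is the distinction that keeps a legitimate user with one mistyped password from being banned for 30 days.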