Friday, July 6, 2018

Fail2Ban Centos 7.5 Installation

Install Fail2ban

1. sudo yum install epel-release

2. sudo yum install fail2ban


Configure Fail2ban

1. sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3. sudo vi /etc/fail2ban/jail.local
4. For CentOS 7, change the backend setting to `backend = systemd`
5. Enable the stock SSH jail: under `[sshd]`, set
   enabled = true
6. Add the following lines


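# Jails appended to /etc/fail2ban/jail.local (step 6 above).
# A key set inside a jail overrides the same key in [DEFAULT]. Every jail
# below sets its own ignoreip, which REPLACES the default list (normally
# 127.0.0.1/8), so loopback is no longer exempt for that jail; if one
# ignore list is wanted everywhere, set ignoreip once in [DEFAULT] instead.
# NOTE(review): the Apache logpath values are the Debian/Ubuntu layout
# (/var/log/apache2/). A stock CentOS 7 httpd writes to /var/log/httpd/
# (error_log, access_log) -- confirm the paths before enabling; a jail whose
# logpath matches no file does not start.
# NOTE(review): step 4 sets backend = systemd globally, and that backend reads
# the journal rather than logpath. Check with `fail2ban-client status <jail>`
# that the file-based Apache jails actually pick up matches, or set
# backend = auto inside each of them.

# Block repeated failed HTTP authentication attempts.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
# failures allowed inside findtime before a ban
maxretry = 3
# seconds
bantime = 600
ignoreip = 192.168.15.189

# Block hosts requesting suspicious (overlong / malformed) URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189

# Block hosts probing for scripts that do not exist on the site.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189

# Block known malicious bot user agents.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189

# Rate-limit a single client. The http-get-dos filter
# (filter.d/http-get-dos.conf) matches EVERY request, so a ban fires after
# 400 hits within 400 seconds from one address; clients behind a shared NAT
# share that address and are banned together.
# The section header must be on its own line -- inside a comment it is
# ignored and these keys would land in [apache-badbots] above.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
# seconds
findtime = 400
# seconds
bantime = 200
ignoreip = 192.168.15.189
# NOTE(review): this action bans only tcp/http (80) although port lists
# http,https, so a banned client can still reach the HTTPS vhost. Use a
# multiport action with port="http,https" if both should be blocked.
action = iptables[name=HTTP, port=http, protocol=tcp]

# Block repeated failed SSH logins. Step 5 already enabled the stock [sshd]
# jail, which uses the same sshd filter; running both bans the same events
# twice, and `fail2ban-client status sshd` (end of the page) reports only
# the stock jail. Keep one of them.
# NOTE(review): /var/log/auth.log is the Debian path; CentOS 7 logs sshd to
# /var/log/secure. With backend = systemd the sshd filter should read the
# journal and logpath is not used -- confirm.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189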
Save the file when you are finished.
Next, you will also need to create the filter file /etc/fail2ban/filter.d/http-get-dos.conf (note the directory is filter.d, not filters.d).
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban filter: /etc/fail2ban/filter.d/http-get-dos.conf
# Referenced by the [http-get-dos] jail in jail.local.
[Definition]

# Option: failregex
# Matches every GET or POST line in the access log, legitimate requests
# included -- it is a request counter, not an attack signature. The ban
# threshold therefore comes entirely from maxretry/findtime in the jail;
# tune those to the site's normal traffic to avoid banning real clients
# (and whole NAT'd networks sharing one address).
failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
# Empty: no matched line is exempted.
ignoreregex =
sudo systemctl restart fail2ban
sudo iptables -L
sudo fail2ban-client status
sudo fail2ban-client status sshd
