I noticed in my auth.log that I was getting a lot of failed logins. Anyone know how to auto-ban an IP that has more than a certain number of failed login attempts?
pacman -Ss fail2ban
Thanks! I just installed it, but how can I tell if this is working? I just tried to break into my own system and I wasn't banned after several attempts.
I have no idea how to use this thing.
Last edited by murfMan (2009-11-12 01:47:58)
Well, there are a couple of things you need to do after installation. Check out /etc/fail2ban/jail.conf; this is the file where you tell fail2ban what to look for and what to do. The file pretty much explains itself. I have the following section for ssh:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=myEmail@address.com, sender=myEmail@address.com]
logpath = /var/log/auth.log
maxretry = 5
I think I had to manually set the logpath and enabled sections the first time I installed. Also notice that it is configured to send me an email every time it bans an IP. One more tip: don't forget to add it into your daemons list and actually start it.
Edit: To see if it is working, you can also check the log file which is defined in /etc/fail2ban/fail2ban.conf. It should read something like this on start:
2009-11-09 22:16:37,905 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2009-11-09 22:16:37,906 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2009-11-09 22:16:38,175 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-11-09 22:16:38,177 fail2ban.filter : INFO Set maxRetry = 5
2009-11-09 22:16:38,182 fail2ban.filter : INFO Set findtime = 600
2009-11-09 22:16:38,184 fail2ban.actions: INFO Set banTime = 600
Last edited by kermana (2009-11-12 02:06:13)
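To see what the jail above actually counts, here is an added example (not fail2ban's own code) that applies the same rule to auth.log lines: an IP is banned once it reaches maxretry = 5 failures inside a findtime = 600 second window. The regex is a simplified stand-in for fail2ban's sshd filter, and the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's bundled sshd filter: it matches the common
# "Failed password" line in /var/log/auth.log (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(stamp, year=2009):
    """auth.log timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for every IP that reaches maxretry failures
    within a findtime-second window, like the jail above (5 in 600 s).
    A banned IP is not counted again (fail2ban stops matching it once banned)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # "Accepted password", cron, etc. are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

# Constructed sample of auth.log: 203.0.113.5 fails 5 times in two minutes,
# 198.51.100.7 fails 5 times but spread over 28 minutes (never 5 in 600 s).
SAMPLE_LOG = [
    "Nov 12 01:40:01 arch sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Nov 12 01:40:05 arch sshd[2103]: Failed password for root from 203.0.113.5 port 50123 ssh2",
    "Nov 12 01:40:09 arch sshd[2105]: Accepted password for murfman from 192.168.1.20 port 40000 ssh2",
    "Nov 12 01:40:12 arch sshd[2107]: Failed password for root from 203.0.113.5 port 50124 ssh2",
    "Nov 12 01:41:30 arch sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 50125 ssh2",
    "Nov 12 01:41:58 arch sshd[2111]: Failed password for root from 203.0.113.5 port 50126 ssh2",
] + [
    f"Nov 12 02:{m:02d}:00 arch sshd[{2200+i}]: Failed password for root from 198.51.100.7 port 51000 ssh2"
    for i, m in enumerate((0, 7, 14, 21, 28))
]
```

Running find_bans(SAMPLE_LOG) reports only 203.0.113.5; the slow attacker stays under the threshold unless findtime is raised, which is the knob to turn if your own test logins were too far apart to trigger a ban.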
Sweet, works great! But I can't seem to get the sendmail to work. Is sendmail able to send to a Gmail account, or is it just local mail? I have Postfix installed.
Last edited by murfMan (2009-11-12 02:44:16)
Did you check the mail.log file? It should give you an idea why the mail is rejected. I think it might be because of restrictions in /etc/postfix/main.cf. Here is what I have:
smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch,
    permit
...
mynetworks = 127.0.0.0/8
I think permit_mynetworks should allow you to send from localhost. But I suck at Postfix configuration. As far as I know, the sample above may be evil, but I haven't seen any spam being relayed in the logs, so far so good. Also, I use fail2ban to check for brute force attacks on smtp too. Here is the part of jail.conf in case you would want it:
(note that I use sasl authentication as wiki explains)
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=myEmail@addy.com]
logpath = /var/log/mail.log
I get an average of 2 bans for ssh per day, and once in a while someone smart tries to hack into smtp too... So it's a good idea to protect both.
Last edited by kermana (2009-11-12 03:00:14)
Do you have a port forwarded for smtp? I don't. But if I telnet into my mail server I am able to send / receive mail.
Well, I have this setup on a dedicated server a few hundred kilometers away with its own domain. It is not behind a firewall like a home router, so port forwarding is not an issue (or even an option) for me. I have iptables set up as a firewall solution. From what I understand you have it in your home network? If it is in your home network, many email services like Gmail, as far as I know, try to resolve your IP to a domain; if they don't get a proper domain resolving to that IP they reject the mail. I believe they do this to prevent spam from badly configured mail servers.
Last edited by kermana (2009-11-12 03:36:14)
I can receive mail in my Gmail account from Postfix using telnet... but not sendmail. Yes, this server is on my local network.
Last edited by murfMan (2009-11-12 03:33:58)
For a different, and much simpler, way of handling this, you can change the port sshd listens on. Smart bad guys can still find it, but it stops 99% of all the script kiddies and other zombie attackers. Since I did this 6 months ago I haven't seen a single attack.
Well, I really don't know what the mail problem might be then.
I got it working, thank you for all the help.