Fail2ban Install and Go



                                           Created 20th Feb. 2013
                                                By  Eiji Hamano

1. Download  fail2ban-sdist-0.8.5.tar.gz


     The URL is  https://github.com/fail2ban/fail2ban/tags

     Click "tar.gz" of "September 24, 2011 sdist/0.8.5".

2.  Decompress and Install 


  Upload "fail2ban-sdist-0.8.5.tar.gz" to the /tmp directory.
  Then do the following:
    
     > mkdir  /usr/share/fail2ban  

     > cd  /tmp ; 
     > mv  fail2ban-sdist-0.8.5.tar.gz   /usr/share/fail2ban/  

     > cd  /usr/share/fail2ban/  
     > tar -zxvPpf   fail2ban-sdist-0.8.5.tar.gz  

     > cd  fail2ban-sdist-0.8.5/  
     > ./setup.py install 


  If it succeeds, the following message appears:

     >> Please do not forget to update your configuration files.
     >> They are in /etc/fail2ban/.

  So, let's configure fail2ban!

     > cd   /etc/fail2ban 
     > cp   jail.conf    jail.conf@org       ## backup original     
                             
  Modify "jail.conf", or upload a completely new one.
  In either case you must change the "dest=you@example.com" fields
  to your own address, otherwise the ban notifications go nowhere.



--------------- new "jail.conf" start --------------------------------

[DEFAULT]
# "bantime"  is the number of seconds that a host is banned.
# "findtime" is the window: a host is banned if it has generated
#                 "maxretry" failures during the last "findtime" seconds.
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
backend = auto


[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban ]
logpath  = /var/log/secure
maxretry = 4
bantime  = 10800
findtime = 600


[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com, sender=fail2ban ]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800
findtime = 600


[dovecot]
enabled  = true
filter   = dovecot
action   = iptables-multiport[name=DOVECOT, port="imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=DOVECOT, dest=you@example.com, sender=fail2ban ]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800
findtime = 600

--------------- new "jail.conf" end --------------------------------


3.  Go


   Now you can start fail2ban!!

     >  /usr/bin/fail2ban-client  start


   And if you want to stop it:

     >  /usr/bin/fail2ban-client stop 

   You will probably be surprised by how many emails you receive from fail2ban.
   Each one reports a host banned for attacking your machine from outside.





4.  More 


    In this case, we did not modify the "filters" of fail2ban.
    The filters reside in /etc/fail2ban/filter.d/xxxx.conf.

    The filters used in this case are the originals shipped with fail2ban:
       /etc/fail2ban/filter.d/sshd.conf
       /etc/fail2ban/filter.d/proftpd.conf
       /etc/fail2ban/filter.d/dovecot.conf  

    If you want Fail2ban to match your logs more precisely,
    you might refer to [BlueOnyx:00596].
    But I'm not sure; it's too old. Jeff might be able to advise you.  
    



FIN