Copyright (C) 2008-2021 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
If you expose services like ssh to the internet, you probably know log entries like these:
[...]
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from XXX.XXX.XXX.XXX
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from XXX.XXX.XXX.XXX
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from XXX.XXX.XXX.XXX
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from XXX.XXX.XXX.XXX
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from XXX.XXX.XXX.XXX
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from XXX.XXX.XXX.XXX
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user test10 from XXX.XXX.XXX.XXX
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin1 from XXX.XXX.XXX.XXX
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin2 from XXX.XXX.XXX.XXX
Jul 17 15:19:13 silent-gabosh sshd[4443]: Invalid user admin3 from XXX.XXX.XXX.XXX
Jul 17 15:19:15 silent-gabosh sshd[4447]: Invalid user admin4 from XXX.XXX.XXX.XXX
Jul 17 15:19:17 silent-gabosh sshd[4451]: Invalid user admin5 from XXX.XXX.XXX.XXX
Jul 17 15:19:19 silent-gabosh sshd[4455]: Invalid user admin6 from XXX.XXX.XXX.XXX
[...]
If you want to use this solution you need the following howto(s) finished:
Install the required packages:
emerge net-analyzer/fail2ban
emerge net-firewall/iptables
File: /etc/cron.hourly/f2bcheck
Owner: root, group: root, permissions: -rwxr-xr-x
Changed on 07.06.10
I realized that fail2ban sometimes stops working (for whatever reason), so I built this small check cron job:
#!/bin/bash
# Hourly watchdog: if no fail2ban process is running, clean up and restart it.
# Note: "grep fail2ban" also matches any other process whose command line
# contains that string, so such a process would hide a dead fail2ban.
if ! ps ax | grep fail2ban | grep -v grep >/dev/null
then
  echo "NOT RUNNING `date`" >>/var/log/fail2bancheck.log
  # stop and zap so OpenRC forgets a stale "started" state
  /etc/init.d/fail2ban stop >/dev/null 2>/dev/null
  /etc/init.d/fail2ban zap >/dev/null 2>/dev/null
  sleep 2
  # wait until any remaining fail2ban process has gone
  while ps ax | grep -v grep | grep -q fail2ban
  do
    echo -n "."
    sleep 1
  done
  # remove the stale socket that would otherwise block the new server
  rm -f /var/run/fail2ban/fail2ban.sock
  /etc/init.d/fail2ban start >/dev/null 2>/dev/null
fi
File: /etc/fail2ban/action.d/sendmail-common.local
Owner: root, group: root, permissions: -rw-r--r--
Changed on 25.02.14
No mail at startup/shutdown:
[Definition]
actionstart =
actionstop =
File: /etc/fail2ban/jail.conf
Owner: root, group: root, permissions: -rw-r--r--
Changed on 25.02.14
Ignore local networks
Before change:
#ignoreip = 127.0.0.1/8 ::1
After change:
ignoreip = 127.0.0.1/8 my.lan.network.ip/16 172.24.0.0/16 172.25.0.0/16 79.255.254.199 2003:f2:d7ff:a2:548f:10f7:f60f:6006
Destination e-mail
Before change:
destemail = mail@example.com
After change:
destemail = mail@example.com
Sender e-mail
Before change:
sender = root@<fq-hostname>
After change:
sender = fail2mail@example.com
Set the default action to mail with whois and log lines (action_mwl)
Before change:
action = %(action_)s
After change:
action = %(action_mwl)s
File: /etc/fail2ban/jail.d/gabosh.conf
Owner: root, group: root, permissions: -rw-r--r--
Changed on 25.02.14
Some jails for different services:
#### SSH ####
[sshd]
enabled = true
port = ssh
logpath = /var/log/sshd.log
bantime = 5m

#### MAIL ####
#[postfix]
#enabled = true
#port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
#logpath = /var/log/maillog.log
#bantime = 60m

[postfix-rbl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
maxretry = 1
bantime = 60m

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

[cyrus-imap]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

[sieve]
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

#### WEB ####
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
bantime = 60m

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-botsearch]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-fakegooglebot]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-overflows]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-pass]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-shellshock]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[php-url-fopen]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 6
bantime = 60m

#### CHAT ####
[ejabberd-auth]
enabled = true
port = 5222
logpath = /var/log/jabber/ejabberd.log
bantime = 60m
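To see what the [sshd] jail does with log lines like the ones quoted at the top of this page, here is an added example (not part of this howto and not fail2ban's own code) that replays sshd "Invalid user" lines against the parsable networks of the ignoreip line above and the bantime = 5m of the jail. The sample lines and the addresses 203.0.113.7 and 172.24.3.9 are constructed, and maxretry = 5 and findtime = 10m are assumed to be fail2ban's jail.conf defaults since the page does not override them for sshd.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd/syslog format quoted at the top of the page; the page redacts
# the source as XXX.XXX.XXX.XXX, here 203.0.113.7 is the outside host, 172.24.3.9 a LAN host.
SAMPLE_LOG = """\
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from 203.0.113.7
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from 203.0.113.7
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from 203.0.113.7
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from 203.0.113.7
Jul 17 15:19:03 silent-gabosh sshd[4418]: Invalid user admin1 from 172.24.3.9
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from 203.0.113.7
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user admin2 from 172.24.3.9
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user admin3 from 172.24.3.9
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin4 from 172.24.3.9
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin5 from 172.24.3.9
"""
# Parsable entries of the page's ignoreip line (the my.lan.network.ip placeholder is left out).
IGNOREIP = [ipaddress.ip_network(n, strict=False)   # strict=False: 127.0.0.1/8 has host bits set
            for n in ("127.0.0.1/8", "172.24.0.0/16", "172.25.0.0/16")]
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)$")

def is_ignored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)

def simulate_sshd_jail(log, maxretry=5, findtime=timedelta(minutes=10),
                       bantime=timedelta(minutes=5), year=2010):
    """Replay the log as the [sshd] jail would and return {ip: ban expiry}.
    maxretry=5/findtime=10m are assumed fail2ban defaults; bantime=5m is the page's value."""
    failures = defaultdict(deque)   # ip -> failure timestamps inside the findtime window
    banned = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an sshd "Invalid user" line
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if is_ignored(ip) or ip in banned:
            continue                # whitelisted by ignoreip, or already banned
        window = failures[ip]
        window.append(stamp)
        while stamp - window[0] > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = stamp + bantime
    return banned
```

Only the outside host ends up banned, at its fifth failure plus 5 minutes; the LAN host makes just as many failed attempts but is skipped because it falls inside 172.24.0.0/16.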
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add fail2ban
Please send feedback to: doc<at>gabosh.net