lock_attempts_ssh

Differences

This shows you the differences between two versions of the page.

Previous revision: lock_attempts_ssh [2014/09/01 03:24] k0kad
Current revision: lock_attempts_ssh [2014/09/01 03:32] (current) k0kad
Line 4: Line 4:
~K0KAD
  
===== Step One—Install Fail2Ban =====
  
Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:
Line 14: Line 14:
''yum install fail2ban''
  
===== Step Two—Copy the Configuration File =====
  
The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however; instead we make a local copy of it.
Line 21: Line 22:
After the file is copied, you can make all of your changes within the new jail.local file. Many of the possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.
  
===== Step Three—Configure defaults in Jail.Local =====
Open up the new fail2ban configuration file:
  
Line 54: Line 56:
findtime is the window of time over which failed logins from a host are counted. The default setting is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times within that 10-minute window, it will be banned.
  
===== Step Four (Optional) =====
Configure the ssh-iptables Section in Jail.Local

The SSH details section is just a little further down in the config, and it is already set up and turned on. Although you should not be required to make any changes within this section, you can find the details about each line below.
  
''[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5''
enabled simply refers to the fact that SSH protection is on. You can turn it off with the word "false".
  
Line 75: Line 83:
 e.g. iptables[name=SSH, port=30000, protocol=tcp]
You can change the protocol from TCP to UDP in this line as well, depending on which one you want fail2ban to monitor.
- 
-If you have a mail server set up on your virtual private server, Fail2Ban can email you when it bans an IP address. In the default case, the sendmail-whois refers to the actions located at /etc/fail2ban/action.d/sendmail-whois.conf. 
  
logpath refers to the log file that fail2ban will monitor.
Line 82: Line 88:
The maxretry line within the SSH section has the same definition as the default option. However, if you have enabled multiple services and want to have specific values for each one, you can set a separate maxretry amount for SSH here.
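As an added worked example (not code from this wiki page or from the fail2ban project), the Python script below shows what the findtime and maxretry defaults from Step Three mean in practice, and how the per-jail maxretry in Step Four overrides the [DEFAULT] value. It reads a constructed jail.local fragment with configparser, whose [DEFAULT] fallback mirrors the way fail2ban layers jail settings over defaults, scans constructed /var/log/secure lines for sshd "Failed password" messages (a simplified stand-in for the real sshd filter), and bans a host once its failures within findtime reach maxretry, which is the threshold fail2ban itself applies. The function names, the host names, the addresses and the year 2014 used for the syslog timestamps are all assumptions made for this example.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment (sample, not the page's file): [DEFAULT]
# carries the global findtime/maxretry, and [ssh-iptables] overrides maxretry.
JAIL_LOCAL = """
[DEFAULT]
findtime = 600
maxretry = 3
bantime  = 3600

[ssh-iptables]
enabled  = true
filter   = sshd
logpath  = /var/log/secure
maxretry = 5
"""

# Constructed /var/log/secure lines (documentation-range addresses, not real
# hosts). 192.0.2.10 fails five times inside ten minutes; 198.51.100.7 also
# fails five times, but spread over 21 minutes so no ten-minute window holds
# more than three of its failures.
SAMPLE_LOG = """\
Sep  1 03:00:00 vps sshd[900]: Failed password for root from 198.51.100.7 port 50001 ssh2
Sep  1 03:04:00 vps sshd[901]: Failed password for root from 198.51.100.7 port 50002 ssh2
Sep  1 03:08:00 vps sshd[902]: Failed password for invalid user test from 198.51.100.7 port 50003 ssh2
Sep  1 03:09:30 vps sshd[903]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
Sep  1 03:10:01 vps sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep  1 03:10:05 vps sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Sep  1 03:10:09 vps sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Sep  1 03:11:00 vps sshd[1004]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Sep  1 03:12:30 vps sshd[1005]: Failed password for root from 192.0.2.10 port 40005 ssh2
Sep  1 03:13:00 vps sshd[904]: Failed password for root from 198.51.100.7 port 50004 ssh2
Sep  1 03:21:00 vps sshd[905]: Failed password for root from 198.51.100.7 port 50005 ssh2
"""

MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Simplified stand-in for the sshd filter: only "Failed password" lines count.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def jail_settings(config_text, jail):
    """Return (findtime, maxretry) for one jail. A key missing from the jail's
    own section falls back to [DEFAULT], as fail2ban layers its settings."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = cfg[jail]
    return section.getint("findtime"), section.getint("maxretry")


def parse_failures(log_text, year=2014):
    """Yield (timestamp, ip) for each failed-password line. syslog lines carry
    no year, so one is supplied (assumption: 2014)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not counted
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        yield datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss), m["ip"]


def evaluate(log_text, findtime, maxretry):
    """Apply the findtime/maxretry rule and return [(ip, ban_time)] in the
    order the bans would be issued. Failures older than findtime seconds are
    dropped from a host's window; reaching maxretry within the window bans."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    bans = []
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ip, ts))
            q.clear()  # counting starts over once the host is banned
    return bans


if __name__ == "__main__":
    findtime, maxretry = jail_settings(JAIL_LOCAL, "ssh-iptables")
    print(f"ssh-iptables: findtime={findtime}s maxretry={maxretry}")
    for ip, when in evaluate(SAMPLE_LOG, findtime, maxretry):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the jail's own maxretry of 5 only 192.0.2.10 is banned (at 03:12:30). Evaluating the same log with the [DEFAULT] value of 3 bans 198.51.100.7 as well, at its third failure (03:08:00), which is precisely the difference the per-jail override in Step Four makes.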
  
===== Step Five—Restart Fail2Ban =====
After making any changes to the fail2ban config, always be sure to restart Fail2Ban:
  
lock_attempts_ssh.txt · Last modified: 2014/09/01 03:32 by k0kad