Hello community, I have one question. My FTP account on my ISPConfig 2.x server was hacked. The hacker group tried the attacks over a period of 3 months, and they have finished the hack: my FTP password was hacked. I have changed this password, and my questions are: can fail2ban help me in this situation? I am running vsftpd on my server, yes? How can I install and configure it? Thank you very much, kind regards
Re: Hello! I have searched for fail2ban but I can't find any thread opened with your name "falco". Can you send me the link for the tutorial? Thank you very much!
Re: Hello! I cannot find the tutorial for Debian 4.0 with Roundcube and ISPConfig 2.2.33. Which tutorial can I use? Can you help me? Thank you very much!
As far as I can see you can use this: http://www.howtoforge.com/fail2ban_debian_etch

Actually, after installation you have to copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and uncomment the lines for the services you want fail2ban to watch in /etc/fail2ban/jail.local. After that:

Code:
/etc/init.d/fail2ban restart

Maybe an adjustment to some failregex will be needed. A failregex is actually the syntax of the error line in the appropriate log file, so modifying it to your specific needs shouldn't be a problem.
Re: Hello! Thank you for your help! I have installed fail2ban with:

Code:
apt-get update && apt-get install fail2ban

Now I have made a copy of the original configuration file:

Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now my config files are /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local:

Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5

[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5

Now I have restarted fail2ban with

Code:
/etc/init.d/fail2ban restart

and I have tried with FTP and .htaccess user auth to lock my IP. I tried 10 times with user auth on .htaccess and 10 times with vsftpd, but fail2ban doesn't lock my IP. Must I configure other files? Here is everything I have done. Can you help me? What do you mean by regex? Thanks! Kind regards
As an example: you have in your jail.local

Code:
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

This means that fail2ban looks into /var/log/auth.log for something that begins with "proftpd: pam_unix *something* authentication failure; *something* rhost=<*IP*>". If it finds this 5 times it will block the *IP* from that line in the log file. If proftpd creates failed-authentication logs in /var/log/auth.log that look like the failregex line, then it will block that IP. Here is an example from my log:

Code:
Sep 6 19:57:15 my_domain proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=backup rhost=::ffff:79.15.63.24 user=backup

and the fail2ban response in /var/log/fail2ban.log:

Code:
2009-09-06 19:58:03,248 fail2ban.actions: WARNING [proftpd] Ban 79.15.63.24
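The matching described in the reply above, as an added example that is not part of this thread and not fail2ban's own code: a small Python script that does what fail2ban's jail logic does with a failregex, using the <HOST> substitution fail2ban 0.8 performs, and counts matches per host against maxretry. It runs the failregex from the posted jail.local against constructed log lines (not taken from a real server), including the pam_unix(proftpd:auth) wording quoted from the log above, and models a jail with enabled = false, which is how the [vsftpd] jail stands in the posted jail.local. The pam_failregex() helper, the IPs and user names in the sample lines, and the assumption that vsftpd logs PAM failures in the same pam_unix form as proftpd are mine, not from the page.

```python
import re
from collections import defaultdict

# fail2ban 0.8 replaces the <HOST> tag in a failregex with this group: an
# IPv4 address or hostname, optionally behind the IPv4-mapped IPv6 prefix
# "::ffff:" (the log line above shows rhost=::ffff:79.15.63.24 while the
# ban is issued for 79.15.63.24).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(failregex):
    """Turn a jail.{conf,local} / filter.d failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def match_host(regex, line):
    """Host named in a failed-login line, or None if the regex does not match."""
    m = regex.search(line)
    return m.group("host") if m else None

def scan(lines, jail):
    """Mimic a jail: count matching lines per host and return the hosts that
    reached maxretry. A disabled jail never bans. findtime is ignored here."""
    if not jail["enabled"]:
        return set()
    regex = compile_failregex(jail["failregex"])
    counts = defaultdict(int)
    for line in lines:
        host = match_host(regex, line)
        if host:
            counts[host] += 1
    return {h for h, n in counts.items() if n >= jail["maxretry"]}

# failregex exactly as in the posted jail.local: written for the older
# "proftpd: (pam_unix) authentication failure" wording.
OLD_PROFTPD_REGEX = r"proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>"

def pam_failregex(daemon):
    """failregex (my assumption, not from the page) accepting both pam_unix
    wordings for an FTP daemon that authenticates through PAM."""
    return (r"%s: (?:\(pam_unix\)|pam_unix\(%s:auth\):) authentication failure; "
            r".* rhost=<HOST>" % (daemon, daemon))

# Constructed sample lines (not from a real host). NEW_STYLE copies the
# wording quoted in the thread; OLD_STYLE is the wording the posted
# failregex expects; VSFTPD_LINE assumes vsftpd logs the same pam_unix form.
NEW_STYLE = ("Sep  6 19:57:15 my_domain proftpd: pam_unix(proftpd:auth): "
             "authentication failure; logname= uid=0 euid=0 tty= ruser=backup "
             "rhost=::ffff:79.15.63.24 user=backup")
OLD_STYLE = ("Sep  6 19:57:15 my_domain proftpd: (pam_unix) authentication "
             "failure; logname= uid=0 euid=0 tty= ruser=backup "
             "rhost=79.15.63.24 user=backup")
VSFTPD_LINE = ("Sep  6 20:01:02 my_domain vsftpd: pam_unix(vsftpd:auth): "
               "authentication failure; logname= uid=0 euid=0 tty=ftp "
               "ruser=web1 rhost=192.0.2.10 user=web1")

def demo():
    """Run the checks and return them in a dict so each result can be inspected."""
    old = compile_failregex(OLD_PROFTPD_REGEX)
    new = compile_failregex(pam_failregex("proftpd"))
    return {
        "old_regex_vs_new_wording": match_host(old, NEW_STYLE),  # None: no match
        "old_regex_vs_old_wording": match_host(old, OLD_STYLE),  # '79.15.63.24'
        "new_regex_vs_new_wording": match_host(new, NEW_STYLE),  # '79.15.63.24'
        # five new-style failures ban only once the failregex matches them
        "ban_with_old_regex": scan([NEW_STYLE] * 5,
            {"enabled": True, "failregex": OLD_PROFTPD_REGEX, "maxretry": 5}),
        "ban_with_new_regex": scan([NEW_STYLE] * 5,
            {"enabled": True, "failregex": pam_failregex("proftpd"), "maxretry": 5}),
        # [vsftpd] left at enabled = false, as in the posted jail.local: no ban
        "vsftpd_disabled": scan([VSFTPD_LINE] * 10,
            {"enabled": False, "failregex": pam_failregex("vsftpd"), "maxretry": 5}),
        "vsftpd_enabled": scan([VSFTPD_LINE] * 10,
            {"enabled": True, "failregex": pam_failregex("vsftpd"), "maxretry": 5}),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %r" % (name, value))
```

Two things this makes visible that the posted jail.local alone does not: a jail only bans when it is enabled = true, and its failregex must match the exact wording your daemon writes to the log, which is why a regex written for "(pam_unix)" finds nothing in a log that says "pam_unix(proftpd:auth):". On a real system, fail2ban's own fail2ban-regex tool does this same check against a log file and a filter, and /var/log/fail2ban.log shows whether a jail started and what it banned.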