Fail2Ban or another brute force blocking software

#1 Sun, 03/21/2010 - 11:25
fakemoth Pro Licensee

Fail2Ban or another brute force blocking software

I'm hoping you are considering integrating a module for Fail2ban - it would be really useful for all of us; everybody hates those nonsense brute force attacks. And it seems the simplest, most efficient and easiest way to achieve that. In your tradition, so to speak.

Thank you. Maybe a good idea if it could be installed by the Virtualmin script?

Fri, 03/26/2010 - 12:34
Dim Git

I will second that proposal.

I run Fail2Ban; it is very effective and very flexible.

Thanks for reading

Sun, 03/28/2010 - 11:30 (Reply to #2)
AllanIT

I joined to ask for this very feature.

Sun, 03/28/2010 - 13:46
joachimb

I too would like to see this feature.

Mon, 03/29/2010 - 01:42
fakemoth Pro Licensee

Any moderator/admin can drop a few words about this?

Don't take the name of root in vain...

Fri, 05/14/2010 - 14:52
jdamron

Hey all, we are now working on this module for everyone.. bear with us, it will be out by the end of the month.. I am working on this and will have it posted as soon as it is done.. any questions, you can drop us a line at sales@lynkerworld.com...

Lynkerworld admins.. http://www.lynkerworld.com/

Tue, 11/23/2010 - 13:09
daysonp

Any update on this?

Mon, 11/29/2010 - 21:59 (Reply to #7)
jdamron

Nothing yet.. had to fire the coder.. have another coder looking into it for me.. anyone willing to help, let me know.. I will have our new coder get with you.. about it..

Wed, 12/15/2010 - 11:10
PlayGod Pro Licensee

ConfigServer Security & Firewall has a Webmin module. It is fairly easy to implement. http://www.configserver.com/cp/csf.html

Configserver handles SPI firewall and login failures.

CSF also has some other useful (though sometimes overkill/annoying) notification features. However, it is simple to configure and has good documentation in the config file (which can easily be edited via the Webmin module).

Thu, 12/16/2010 - 16:27 (Reply to #9)
PlayGod Pro Licensee

Add OSSec and you will cover most of what Fail2ban can monitor, plus rootkits. It plays well with CSF. http://www.securecentos.com/extra-security/install-ossec/ (install ossec-hids-latest.tar.gz) http://www.securecentos.com/howto-configure-ossec-for-csf/

Wed, 06/08/2011 - 18:09
sfatula

We use fail2ban on more than 50 servers, and, it works great. Can't manage from webmin, but, pretty easy to setup and install. It would be nice if it was setup by virtualmin install. I add my vote also.

Thu, 07/14/2011 - 01:18
fakemoth Pro Licensee

Anyone? This is becoming a very old, lonely thread...

Don't take the name of root in vain...

Sun, 08/21/2011 - 16:28
nosco

I use fail2ban on one server, but instead of other solutions I decided to go with APF + BDF from http://www.rfxn.com/. fail2ban is Python based and needs more resources (read: CPU) than the APF+BDF combination.

Installation is more than simple.

Wed, 08/31/2011 - 14:37
Jerry Hudgins

FWIW, I'd certainly appreciate integrated Webmin/Virtualmin support of fail2ban, too.

Mon, 06/04/2012 - 10:20
wocul

+1, fail2ban support would definitely be cool

As would rkhunter.

Tue, 08/28/2012 - 20:40
eddieb

fail2ban please!

Wed, 04/10/2013 - 19:51
HarryZink

Seems obvious there's a fair amount of requests and support for providing a fail2ban webmin/virtualmin module - yet despite this thread being 3 years old, not a single admin / virtualmin reply about it.

What gives, guys? I consider fail2ban to be an incredibly valuable way to prevent brute force attacks, and by having it integrated with virtualmin it would make it easy to block 80% of both security compromises, if not serious performance hogs (every time a brute force attack strikes, it triggers tons of LoadAvg warnings - fail2ban would effectively kick and block those before they become a problem).

A simple user-interface, with a list of services to monitor, as well as adding custom log files, would be all that is needed.

Is this something to hope for?

Sun, 07/14/2013 - 12:45 (Reply to #17)
greywolve

Hi, I was also searching for a webmin module which can do the configuration ... and I haven't found one. But I decided to write my own one ... and as soon as it's finished I will share the module. But it will still take some time until I've finished the programming part.

But everyone is welcome to support my work ... :)

Thu, 10/31/2013 - 09:49
garmahis

Any updates on adding Fail2ban support?

Thu, 10/31/2013 - 09:57
nosco

I don't think so, but we completely switched to Ubuntu servers and CSF+LFD ...

Thu, 10/31/2013 - 11:31
Locutus

I can also recommend CSF/LFD. I have it in production use, and there's a Webmin module for it.

Thu, 11/14/2013 - 01:02
Sesso

FTP logins are not getting banned on my server, so that's why I am looking for fail2ban.

csf is only blocking smtp failures and ssh.

Thu, 11/14/2013 - 01:35
fakemoth Pro Licensee

Usually someone from the *min team jumps to answer a thread, what is happening here? This is such an ancient thread; I don't think this is too much for us, to expect an answer from the devs/mods...

There is nothing better than fail2ban, and people are asking for this because sometimes it is a pain to configure. I for myself managed to get it to work very easily on CentOS 5 and 6 with ssh and proftpd; but we will need also at least the mail protection - gave up on that a long time ago, never managed to make fail2ban read the damn log files properly. And it does so much more. Would be nice also to get it backed up in the Webmin area; most of the time I forget about the little wonder fail2ban and I am not adding the files to the extra Webmin backup stuff - have to configure it again.

Also it would be useful to get it to work differently for different domains, via Virtualmin, to stop hits in the web applications.

This is all because sometimes the pattern of the response and location of the logs differ from distribution to distribution, so no "how to" will help us here. It is just an endless trial and error until you figure things out or drop the issue...

Don't take the name of root in vain...

Thu, 11/14/2013 - 04:24
Locutus

@Sesso: Are you using Ubuntu/Debian by chance? The default configuration for LFD has an incorrect FTP logfile set at least on Ubuntu.

Check your /etc/csf/csf.conf file, and near the bottom, you need these for Virtualmin on Ubuntu:

# Log file locations
HTACCESS_LOG = "/var/log/apache2/error.log"
MODSEC_LOG = "/var/log/apache2/error.log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/syslog"
FTPD_LOG = "/var/log/proftpd/proftpd.log"
SMTPAUTH_LOG = "/var/log/mail.log"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"

In addition, if you want to block Postfix SMTP Auth errors (which CSF does not catch by default), you need this in /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/mail.log"

and this in /etc/csf/regex.custom.pm, between the "do not edit before" and "do not edit after" lines:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600");
}

"csmtpautherr" is a user-defined label for this custom check. "6" is the number of failures at which the check should trigger. 25 is the port to block, and 3600 the temp block time in seconds.

CSF/LFD works just as well as fail2ban. It might not be just as flexible in terms of jail behavior, but in turn it is much easier to configure, and has a nicely working Webmin plugin, and tons of other features.

Thu, 11/14/2013 - 05:46 (Reply to #24)
nosco

@Locutus, thanks! Great,

one question. If I want to block / check ports 586 and 465 for smtp, how could I modify this rule to do so? Or what do you suggest?

Sat, 12/07/2013 - 21:13 (Reply to #25)
sparticle

Locutus,

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix\/smtpd[[[:digit:]]+]: warning: [-.[:alnum:]]+[([.[:digit:]]+)]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) { return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600"); }

Error:

Stopping lfd: Done Starting lfd:Having no space between pattern and following word is deprecated at /usr/local/csf/bin/regex.custom.pm line 35. Unmatched [ in regex; marked by <-- HERE in m/^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [ <-- HERE -.

This stops lfd from starting. I have no idea what the problem with your expression is. Can you assist please.

Cheers Spart

Thu, 11/14/2013 - 05:52
Locutus

LFD is not "port dependent" in terms of checking, it just matches logfile lines against regular expressions.

If you want to block ports 586 and 465 additionally/instead of 25, you can just replace the "25" with e.g. "25,586,465" in the rule. You can also configure LFD to block the IP completely and not only on specific ports (that's what I use normally - why would I want a dictionary attacker to still have access to other ports :) ).

Thu, 11/14/2013 - 05:56
nosco

OK, so can I put "*" for port block to block on all ports?

Thu, 11/14/2013 - 06:11
Locutus

Not sure, you might be able to use "1:65535" which is the usual CSF syntax to specify port ranges. Might want to check the documentation though.

Having blocks apply to all ports is normally done in CSF config globally though; check the config file, it has explanation and examples for that.

Wed, 11/27/2013 - 19:35
jimdunn

Locutus, my Debian 7 "logfile" area of CSF.CONF looks like this:

# Log file locations
HTACCESS_LOG = "/var/log/apache2/error.log"
MODSEC_LOG = "/var/log/apache2/error.log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/messages"
FTPD_LOG = "/var/log/messages" <= yep, this one is wrong
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/auth.log"
CUSTOM1_LOG = "/var/log/messages"
...

I'm not sure about all those "syslog" entries of yours?? : )

Fri, 11/29/2013 - 01:42 (Reply to #30)
nosco

Hi Jimdunn,

the best way for you is to go to that folder /var/log and check those files ;), and you can also check each service's setting for its log file.

Thanks to Locutus I wasn't even thinking about this before his comments...

Thu, 11/28/2013 - 06:43
Locutus

Mine is for Ubuntu, there the file is called syslog. Of course it may be different for you. :)

Sun, 12/29/2013 - 17:15
wocul

ossec: +1

Wed, 01/01/2014 - 05:41
sgrayban Pro Licensee

Denyhosts is a pretty good IDF..

Debian already has it in the repos.

http://denyhosts.sourceforge.net/

Sat, 01/04/2014 - 23:05
wocul

so maybe it would be better to come up with a generic IDS module/interface so that volunteers can add support for their preferred system (fail2ban, DenyHosts or ossec) ?

Slightly offtopic: Personally, I would consider IDS info to be at least as relevant as SMART info (or firewall/iptables logs!), so it should ideally also be integrated/shown on the webmin index page using some basic summary (green/red status, last events), analogous to how SMART info is currently shown.

OpenVZ events (especially beancounter stuff) should probably be also displayed there (for containers, but also the HW node) ?

Wed, 04/23/2014 - 09:04
sgrayban Pro Licensee

+1 for a fail2ban module

Thu, 05/22/2014 - 15:33
i3inary

Please consider this request.

Fri, 05/23/2014 - 14:14
jimdunn

Locutus,

I'm having the same error from LFD after trying the following regex.custom.pm entry:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix\/smtpd[[[:digit:]]+]: warning: [-.[:alnum:]]+[([.[:digit:]]+)]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$/)) {
return ("Failed SMTP AUTH from",$1,"csmtpautherr","6","25","3600");
}

Do you have any clues? Here's the error:

Having no space between pattern and following word is deprecated at /usr/local/csf/bin/regex.custom.pm line 36.
Unmatched [ in regex; marked by <-- HERE in m/^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [ <-- HERE -.
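The rule Locutus posted compiles as written, with its backslash escapes (`\/`, `\[`, `\]`) intact; the copies in the two replies above that report "Unmatched [" have lost those backslashes (and the `_` inside the bracket classes), so the bracket and paren structure no longer balances and Perl refuses the pattern when lfd loads regex.custom.pm. The following script is an added example, not CSF's code or anything posted in this thread: it compiles both versions of the pattern the way lfd would, then runs the working one over a few constructed /var/log/mail.log lines and shows the tuple the custom rule returns (message, IP, label, trigger count, port, block time). The sample log lines are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: check an LFD custom regex against sample log lines before
# restarting lfd. Not part of CSF; the log lines below are constructed.
use strict;
use warnings;

# The rule as posted, single-quoted so the backslashes survive untouched.
my $rule_ok = '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$';

# The same rule as it appeared in the later replies: backslashes and
# underscores were stripped by the forum rendering, so "\[" became "[".
my $rule_mangled = '^\w{3} [ :[:digit:]]{11} [.[:alnum:]-]+ postfix/smtpd[[[:digit:]]+]: warning: [-.[:alnum:]]+[([.[:digit:]]+)]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$';

# Compile a pattern string; returns (qr-object, undef) or (undef, error text).
sub compile_rule {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return (undef, $@) unless defined $re;
    return ($re, undef);
}

# Mirror what the custom check returns to lfd:
# (message, offending IP, label, failures before trigger, port(s), block seconds).
sub check_line {
    my ($re, $line) = @_;
    return unless $line =~ $re;
    return ("Failed SMTP AUTH from", $1, "csmtpautherr", "6", "25", "3600");
}

# Constructed sample lines in syslog/Postfix format; two should match, two should not.
my @lines = (
    'Nov 14 05:46:11 mail postfix/smtpd[12345]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure',
    'Nov  4 05:46:11 mail postfix/smtpd[12345]: warning: host-1.example.net[198.51.100.9]: SASL PLAIN authentication failed',
    'Nov 14 05:46:12 mail postfix/smtpd[12345]: connect from unknown[203.0.113.7]',
    'Nov 14 05:46:13 mail dovecot: imap-login: Login: user=<bob>, rip=198.51.100.9',
);

my ($re, $err) = compile_rule($rule_ok);
die "posted rule failed to compile: $err" if defined $err;

for my $line (@lines) {
    my @hit = check_line($re, $line);
    if (@hit) {
        printf "HIT  %s %s -> label %s, trigger at %s, block port %s for %ss\n",
            $hit[0], $hit[1], $hit[2], $hit[3], $hit[4], $hit[5];
    } else {
        printf "-    %s\n", substr($line, 0, 60);
    }
}

# The stripped copy does not compile at all; this is why lfd would not start.
my (undef, $mangled_err) = compile_rule($rule_mangled);
print "mangled rule: ", ($mangled_err // "compiled (unexpected)"), "\n";
```

Run it with `perl check_rule.pl`; the first two lines are reported as hits with the IPs 203.0.113.7 and 198.51.100.9, the `connect from` and Dovecot lines are skipped, and the mangled pattern ends with a Perl regex compile error. The same kind of check is what `perl -c /usr/local/csf/bin/regex.custom.pm` gives you for the file itself, which is a cheaper way to find a broken pattern than restarting lfd and reading its startup message.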

Tue, 07/22/2014 - 09:50
ashleydrees

I am just setting up my first Virtualmin Pro server... and one of the first things I am doing will be setting Fail2Ban 9 up.

Tue, 07/22/2014 - 04:57
Mido

Thank you for making this module a reality.

I think it would be great to add jail.local to the "Edit Config Files" list, it is more appropriate to use it instead of jail.conf, since the last one will be over-written in case of upgrading the software.

Sun, 11/16/2014 - 00:55
fakemoth Pro Licensee

We did it! 5 years later, but still :) One down, 3 more to go, for a perfect *min experience:

  • the Java file manager must be replaced; rumor says it will;

  • the Java client for ssh must be replaced; same;

  • themes; in the making.

I truly am the Nostradamus of this :)

Too long though; doing everything fail2ban-related by hand now. Though I did hit a wall with my firewall and fail2ban, which, so to speak, fails to ban. Will post about this.

Don't take the name of root in vain...