Changes

2,491 bytes added, 12:47, 22 December 2013 (minor edit)
Line 77: Line 77:  
* '''Mail''': can be enabled or disabled (default is enabled). If enabled, each ban will be notified by mail
 
* '''Mail''': can be enabled or disabled (default is enabled). If enabled, each ban will be notified by mail
 
* '''MailRecipient''': if '''Mail''' is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive)
 
* '''MailRecipient''': if '''Mail''' is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive)
 +
 +
After changing one of these settings, you need to apply it:
 +
signal-event fail2ban-conf
 +
 +
===Services===
 +
The following services are monitored, and fail2ban will ban client IP for '''BanTime''' if more than '''MaxRetry''' authentication failure occure in less than '''FindTime'''
 +
 +
*ssh
 +
*dovecot (only on SME9, or if you run [http://smeserver-dovecot https://wikit.firewall-services.com/doku.php/smedev/dovecot])
 +
*qpsmtpd. If a remote server send you too many mails which qpsmtpd rejects, it's probably spammer, so Fail2ban will blacklist it. MaxRetry is x3 for this service, so with the default config, a remote server will be blacklisted if 9 mails are rejected in less than 15 minutes
 +
*httpd-e-smith. The standard http server. 3 different filters check apache logs:
 +
  * noscripts: check client which ask for scripts which are not available on your server. It's usually script-kiddies trying to exploit security vulerabilities
 +
  * scan: another set of filter for popular scans (phpMyAdmin, wp-login, admin area etc...)
 +
  * auth: will check for standard authentication failure
 +
*pam. This will check a generic authentication failure. Everything which uses pam should work
 +
*[[SOGo]]. Check SOGo logs for failed authentications
 +
*[[LemonLDAP::NG|LemonLDAP-NG]]. Check system logs for auth failure on LemonLDAP::NG portal
 +
*ftp. Check auth failure on your FTP daemon
 +
*[[Ejabberd]]. Check auth failure against EJabberd
 +
 +
Each filters will disable itself if the corresponding service is disabled. You can also disable specific filter if you want. For example, if you want to disable Apache filters:
 +
 +
db configuration setprop httpd-e-smith Fail2Ban disabled
 +
signal-event fail2ban-conf
 +
 +
===Selective bans===
 +
Fail2Ban will do its best to do a selective ban. For example, if 3 auth failure against ssh are detected, only tcp port 22 (or any other port you choosed for SSH) will be blocked. Same for httpd-e-smith, SOGO, LemonLDAP::NG which will only blacklist tcp ports 80 and 443, qpsmtpd will block tcp ports 25 and 465, dovecot will block 143 and 993 etc...
 +
 +
There's only two ways to be completly locked (all port/protocol):
 +
* pam. As this is a generic file, it's not possible to check which service was used when an auth failure occured, so the entire client IP will be blacklisted
 +
* recidive. This is a special filter. It monitors fail2Ban logs, and blacklist client IP which gets locked several time. If a client is locked out 5 times in 24 hours, it'll be completly blacklisted for one full week
    
===Use Fail2ban===
 
===Use Fail2ban===
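Review bot: the dovecot bullet's external link has its target and label swapped: in MediaWiki `[URL label]` syntax the first token is the link target, so `[http://smeserver-dovecot https://wikit.firewall-services.com/doku.php/smedev/dovecot]` renders a link whose target is the bare hostname `http://smeserver-dovecot` and whose visible text is the wikit URL; reorder it to `[https://wikit.firewall-services.com/doku.php/smedev/dovecot smeserver-dovecot]`. The three httpd-e-smith sub-items (`  * noscripts`, `  * scan`, `  * auth`) begin with leading spaces, which MediaWiki renders as preformatted text rather than a nested list; use `**` for second-level bullets. The qpsmtpd item derives "9 mails are rejected in less than 15 minutes" from "MaxRetry is x3", but this hunk never states the MaxRetry and FindTime defaults being multiplied; name them here or point to the settings list above, and say whether the factor also applies when the admin sets a non-default MaxRetry. Spelling and grammar in the added text: "occure" → "occur", "vulerabilities" → "vulnerabilities", "choosed" → "chose", "completly" → "completely", "Each filters will disable itself" → "Each filter disables itself", "a remote server send you" → "sends you".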
