Scientific Linux Forum.org




> fail2ban alternative?, doesn't seem to work at all
log69
 Posted: Oct 15 2012, 04:05 PM

Hi,

Could anybody recommend a fail2ban alternative for SL 6.x?

I've been trying to set it up for some time now from Epel repo, but the default configuration coming with it is a mess. It's using *apache* dir names instead of httpd etc. It also seems that when it's trying to ban an IP for SSH auth failures, it has no success.

After installing from Epel, the daemon can be started just fine, but it doesn't create any log files either. No /var/log/fail2ban.log file around.

Any idea? Or an alternative? Maybe from the official repo?

Thanks.
AndrewSerk
 Posted: Oct 15 2012, 04:45 PM

Hi Log69,

You may find denyhosts works better for ssh. I use it here without complaints from me.
QUOTE

Name        : denyhosts
Arch        : noarch
Version    : 2.6
Release    : 5.el6.rf
Size        : 73 k
Repo        : rpmforge
Summary    : Scan ssh server logs and block hosts
URL        : http://denyhosts.sourceforge.net/
License    : GPL
Description : DenyHosts is a script intended to help Linux system administrators
            : thwart ssh server attacks. DenyHosts scans an ssh server log,
            : updates /etc/hosts.deny after a configurable number of failed
            : attempts from a rogue host is determined, and alerts the
            : administrator of any suspicious logins.


If you are using fail2ban for apache error logs etc. then denyhosts is not what you are looking for.

Hope this helps,
log69
 Posted: Oct 15 2012, 07:35 PM

@Andrew:

I'll give denyhosts a try, thanks. Even if it handles SSH only, still something.
John Cuppi
 Posted: Oct 21 2012, 10:59 PM

Don't mean to be off topic but if SSH is being hammered all the time I'm guessing you're running it on the default port.

Change the port to something obscure and you'll barely ever get any attempts, and if you use key based auth or an incredibly strong password, then nobody is going to get in.
log69
 Posted: Oct 22 2012, 07:56 AM

QUOTE (Jcink @ Oct 21 2012, 11:59 PM)
Don't mean to be off topic but if SSH is being hammered all the time I'm guessing you're running it on the default port.

Change the port to something obscure and you'll barely ever get any attempts, and if you use key based auth or an incredibly strong password, then nobody is going to get in.


I always run sshd on a different port and use only key based auth. That's not the reason I wanted to run fail2ban in the first place, but because it also watches the log files of the httpd, dovecot etc. and does the ban based on that too. It is an attractive tool from a security viewpoint. Too bad it's not usable by default on SL from epel.
inittux
 Posted: Nov 2 2012, 10:38 AM

About the ssh port not getting banned: I installed it from the rpmforge repo, and when I tried typing in the wrong password for my server running the fail2ban check on the ssh port, it wouldn't block either. I found that the problem in my situation was that in the config file /etc/fail2ban/jail.conf the ssh-iptables was checking the /var/log/sshd.log. I changed the log to check to /var/log/secure and restarted fail2ban, and now fail2ban bans the IP when trying to connect with a wrong password/username too many times. Maybe that's why it's not creating any logs in /var/log/fail2ban.log? Because it's not reading the correct log file?

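The mismatch described in the last post (an enabled jail whose logpath points at a file that is never written) can be checked for every jail at once. The Python sketch below is an added example, not part of the original thread and not fail2ban's own code; the function name missing_logpaths, its root parameter, and the sample jail.conf text (apart from the ssh-iptables name and the two SSH log paths quoted in the thread) are constructed for illustration.

```python
import configparser
import glob
import os
import tempfile

# Constructed sample in jail.conf style; only the ssh-iptables name and
# its two candidate log paths come from the thread.
SAMPLE_JAIL_CONF = """\
[ssh-iptables]
enabled  = true
filter   = sshd
logpath  = /var/log/sshd.log

[httpd-example]
enabled  = true
logpath  = /var/log/httpd/*error_log

[disabled-example]
enabled  = false
logpath  = /var/log/apache/error.log
"""

def missing_logpaths(jail_conf_text, root="/"):
    """Return {jail: [logpath, ...]} for enabled jails whose logpath matches no file."""
    # root is an assumption of this example: it lets a test tree stand in for "/".
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_conf_text)
    problems = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue  # disabled jails never read their log, so skip them
        # logpath may list several paths and may use shell-style globs
        for path in cp.get(jail, "logpath", fallback="").split():
            if not glob.glob(os.path.join(root, path.lstrip("/"))):
                problems.setdefault(jail, []).append(path)
    return problems

def demo():
    """Check a constructed tree holding only var/log/secure and var/log/httpd/error_log."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/log/httpd"))
        for name in ("var/log/secure", "var/log/httpd/error_log"):
            open(os.path.join(root, name), "w").close()
        before = missing_logpaths(SAMPLE_JAIL_CONF, root)
        fixed = SAMPLE_JAIL_CONF.replace("/var/log/sshd.log", "/var/log/secure")
        return before, missing_logpaths(fixed, root)

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of /etc/fail2ban/jail.conf and leave root at its default; any jail it reports is watching a log that does not exist, so it can never ban.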