[ubuntu-uk] fail2ban & custom iptables rules
Tyler J. Wagner
tyler at tolaris.com
Thu Jun 10 00:15:36 BST 2010
Hi Chris,
It certainly is. Attached are samples of my iptables-restore and fail2ban
configs for hardy-based servers. My iptables config creates the fail2ban-ssh
chain, so I've changed the iptables-multiport fail2ban action so that it
doesn't. And I prefer that fail2ban only block NEW ssh sessions, not all
existing, when it blocks an IP (good when I'm logged in and another staff
person screws up logging in 5 times).
Regards,
Tyler
On Wednesday 09 June 2010 23:57:47 Chris Rowson wrote:
> Hi folks,
>
> I've been experimenting with using fail2ban to protect Internet facing
> servers.
>
> I was wondering if it is possible to implement your own iptables rules
> alongside fail2ban. For instance, I'd probably want to set up an
> iptables rule that drops any inbound traffic not going to ICMP, HTTP,
> HTTPS or SSH.
>
> Does anyone know if it's possible to use your own rules alongside fail2ban?
>
> Cheers,
>
> Chris
>
--
"Political language - and with variations this is true of all political
parties, from Conservatives to Anarchists - is designed to make lies
sound truthful and murder respectable, and to give an appearance of
solidity to pure wind."
-- George Orwell
-------------- next part --------------
# Fail2Ban configuration file
#
# 2008-07-31 tyler - modified for Talia use.
# Talia firewalls already have fail2ban chains and call them in the
# appropriate order.
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# not needed because our local firewall setup ensures chain exists
#actionstart = iptables -A fail2ban-<name> -j RETURN
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -F fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
# not needed because our local firewall setup ensures sane environment
# (caveat: reloading the firewall with iptables-restore recreates the chain
# empty, which silently clears active bans until they expire in fail2ban)
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
-------------- next part --------------
# 2008-07-24 tyler - customised Fail2Ban jail configuration file
#
# Changes here override defaults in jail.conf. However, that file
# may be replaced during upgrade.
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 6
banaction = iptables-multiport
protocol = tcp
action = %(action_)s
# All servers ban SSH.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Enable the following on public mail servers only.
# Covers both POP/IMAP and webmail cracking.
# For web mail failures
[pam-generic]
enabled = false
filter = pam-generic
port = http,https
logpath = /var/log/auth.log
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables.up.rules
Type: text/x-iptables
Size: 755 bytes
Desc: not available
Url : https://lists.ubuntu.com/archives/ubuntu-uk/attachments/20100610/ac2e29b7/attachment.bin
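The iptables.up.rules attachment was scrubbed from the archive. As an added example, and not the attachment from the post above, here is a ruleset of the kind the reply describes, wrapped in a small sh script: gen_rules prints an iptables-restore file in which the firewall itself declares the fail2ban-ssh chain, sends only NEW ssh connections through it (so an established session survives a ban of its own address, as the reply wants), and accepts ICMP, HTTP and HTTPS while the INPUT policy drops the rest, as Chris asked for; check_chains confirms that the chain a fail2ban action file bans into is actually declared by the ruleset, which matters once actionstart no longer creates it. The jail name ssh (hence fail2ban-ssh), the echo-request-only ICMP rule, the absence of an interface restriction and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the iptables.up.rules attachment from the original post.
# Assumptions: the fail2ban jail is called "ssh", so fail2ban addresses the
# chain fail2ban-ssh; the action's actionban inserts "-s <ip> -j DROP" at
# position 1 of that chain; rules are not pinned to an interface; only ICMP
# echo-request is wanted. The names gen_rules and check_chains are ours.

# Emit an iptables-restore ruleset. The firewall, not fail2ban, declares the
# fail2ban-ssh chain, and only NEW ssh connections traverse it, so a session
# that is already ESTABLISHED keeps working when its source address is banned.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
# loopback and replies to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP echo (ping)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# new ssh connections visit fail2ban-ssh before they can be accepted;
# a banned address hits the DROP fail2ban inserted ahead of the RETURN
-A INPUT -p tcp --dport 22 -m state --state NEW -j fail2ban-ssh
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# http and https
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# anything else falls through to the INPUT policy (DROP)
-A fail2ban-ssh -j RETURN
COMMIT
EOF
}

# Check that the chain a fail2ban action file bans into is declared by the
# ruleset, because actionstart no longer creates it. Arguments: ruleset file,
# action file, jail name (substituted for <name>). Returns 0 when the chain is
# declared, 1 when it is missing, 2 when no actionban line was found.
check_chains() {
    rules=$1
    action=$2
    jail=$3
    chain=$(sed -n 's/^actionban *= *iptables -I \([^ ]*\).*/\1/p' "$action" \
            | sed "s/<name>/$jail/")
    [ -n "$chain" ] || return 2
    grep -q "^:$chain " "$rules" || return 1
    return 0
}

# Usage: ./fw.sh show   -> print the ruleset
#        ./fw.sh apply  -> load it with iptables-restore (needs root)
case "${1:-}" in
    show)  gen_rules ;;
    apply) gen_rules | iptables-restore ;;
esac
```

Rule order is the point: the jump to fail2ban-ssh sits before the ssh ACCEPT, and actionban inserts its DROP at position 1, ahead of the chain's RETURN, so a banned address never reaches the ACCEPT; traffic that is already ESTABLISHED is accepted earlier and never enters the chain at all.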