Results 1 to 6 of 6

Thread: fail2ban

  1. #1

    fail2ban

    Well, I took the plunge and got one of these beauties and set-up the wonderful custom firmware...

    Anyway... today I was checking the logs and I seem to be getting a brute force attempt on the vsftp server from austria (or at least that's where the zombie computer is). I've been trying to get fail2ban up and running. I've gotten python2.5 running and the fail2ban software installed and it will launch.

    Here's the problem. fail2ban monitors the log files. It wants paths to the log files. In the vsftpd.conf file it seems to be set to log all events (including the all important login failed ones) in the syslog. Now, editing the vsftpd.conf doesn't seem to work for me (is it in a protected space?) and I can't seem to find syslog.log in any of the expected locations.

    I'm not too keen on killing vsftpd and re-launching with my own .conf file in a different location that is set to generate a .log file. I'd rather just have fail2ban peruse the syslog instead. So, my question now is, where is the bloody syslog.log? The web GUI seems to be able to read it so I'm assuming that the file exists somewhere (syslogd is also running in the process list).

    Any help would be appreciated.
    Last edited by medsource; 14-01-2007 at 09:38.

  2. #2
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    fail2ban

    Quote Originally Posted by medsource View Post
    Here's a list of 'wants.' Granted I've got most of these already running ...

    Fail2ban for disabling bruteforce attacks
    ...
    could you please explain how you've built and installed fail2ban on your router ?

    brgds

    --
    tiwag

  3. #3
    Quote Originally Posted by tiwag View Post
    could you please explain how you've built and installed fail2ban on your router ?

    brgds

    --
    tiwag
    Firstly you need python installed (2.4 and 2.5)

    Then download the fail2ban sw from their server (http://www.fail2ban.org/wiki/index.php/Main_Page)

    Install it (you'll have to mod the setup.cfg script to run python2.5 as the environment and to the opt directory)

    After that you need to do some tweaking...

    To get it to run you need to modify the three core files: fail2ban-client, fail2ban-server and fail2ban-regex (they should be in the /opt/bin directory... if not then move them there).

    Each file references the /usr/share/fail2ban directory for the core components (it's like line 30ish). All you have to do is replace the /usr/share/fail2ban in each of the three files with /opt/fail2ban (which should be your install directory). To test if it's running ok all you have to do is type fail2ban-client -d (you don't need the python statement as it was set at install when you modified setup.cfg to use python2.5 as the environment).

    If it works it will display the current jail.conf settings. Then if your jail.conf settings are ok you can launch the application by typing fail2ban-client start (with the -c /[dir]/ if you didn't switch the location of the config files in the fail2ban-client file in the /opt/bin directory). Also make sure that the logging is to the correct location (I put it to the syslog) and that the logging level is correct (3 for runtime 4 for debug).

    Hope this gets you off the ground.

  4. #4
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    fail2ban

    Quote Originally Posted by medsource View Post
    Firstly you need python installed (2.4 and 2.5)

    Then download the fail2ban sw from their server (http://www.fail2ban.org/wiki/index.php/Main_Page)

    Install it (you'll have to mod the setup.cfg script to run python2.5 as the environment and to the opt directory)

    After that you need to do some tweaking...

    To get it to run you need to modify the three core files: fail2ban-client, fail2ban-server and fail2ban-regex (they should be in the /opt/bin directory... if not then move them there).

    Each file references the /usr/share/fail2ban directory for the core components (it's like line 30ish). All you have to do is replace the /usr/share/fail2ban in each of the three files with /opt/fail2ban (which should be your install directory). To test if it's running ok all you have to do is type fail2ban-client -d (you don't need the python statement as it was set at install when you modified setup.cfg to use python2.5 as the environment).

    If it works it will display the current jail.conf settings. Then if your jail.conf settings are ok you can launch the application by typing fail2ban-client start (with the -c /[dir]/ if you didn't switch the location of the config files in the fail2ban-client file in the /opt/bin directory). Also make sure that the logging is to the correct location (I put it to the syslog) and that the logging level is correct (3 for runtime 4 for debug).

    Hope this gets you off the ground.
    thanks medsource,

    you could post your modified fail2ban files package here,
    then we wouldn't need to investigate the same issues ever and ever again.

    brgds

    --
    tiwag

  5. #5

    fail2ban

    Hi, is possible to install fail2ban on wl-500gx?Could anybody write tutorial. Because I have a lot of brutforce attack on my vsftpd

    thanks a lot

  6. #6
    Join Date
    Feb 2007
    Location
    Moscow, Russia
    Posts
    3,805
    Hi, here I posted a piece of post-firewall file which utilizes ipt_recent module of iptables to control ssh logins: http://wl500g.info/showpost.php?p=69964&postcount=63
    It can be modified to be used for ftp connections also.

    It acts like this: connection is blocked (e.g. for --seconds 600 --hitcount 4) when more than 3 attempts are performed from the same IP within 600 seconds. You can use either --update or --rcheck insted of it. The --update is more restrictive. It means that 600 sec is counted since the last attempt, while --recheck implies 3 attemtps within any 600 sec.

    Take into account that this module does not make difference between successful/unsuccessful attempts. Therefore I introduced the whitelist of the IPs which are not subjected to this kind of control, and just for symmetry a blacklist of those who are rejected at all. The format of these files ( /usr/local/etc/ssh.allow & /usr/local/etc/ssh.deny ) is simple:
    PHP Code:
    12.34.56.78         allow/deny access from a single IP
    87.65.43.0
    /24       allow/deny access from a subnet 
    To use this you need to load ipt_recent.o module for iptables. Its updated version is attached here ( thanks to Mam(o)n ): http://wl500g.info/showpost.php?p=69660&postcount=53

    So, my /usr/local/sbin/pre-boot file looks like this:
    PHP Code:
    #!/bin/sh
    #Both these lines are required/recommended for protection against unwanted multiple ssh logins based on ipt_recent
    date 010101012000
    insmod 
    /usr/local/lib/ipt_recent.
    Last edited by al37919; 12-12-2007 at 09:06.

Similar Threads

  1. how to install fail2ban on a WL700g
    By tiwag in forum WL-700g Tutorials
    Replies: 18
    Last Post: 08-04-2011, 22:05
  2. HOWTO: install syslog-ng
    By tiwag in forum WL-700g Tutorials
    Replies: 11
    Last Post: 08-06-2008, 01:31
  3. IP address filtering
    By Hacksaw in forum WL-700g Q&A
    Replies: 15
    Last Post: 05-09-2007, 06:34

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •