
Thread: fail2ban

  1. #1

    fail2ban

    Well, I took the plunge and got one of these beauties and set up the wonderful custom firmware...

    Anyway... today I was checking the logs and I seem to be getting a brute force attempt on the vsftp server from Austria (or at least that's where the zombie computer is). I've been trying to get fail2ban up and running. I've got python2.5 running and the fail2ban software installed, and it will launch.

    Here's the problem. fail2ban monitors the log files. It wants paths to the log files. In the vsftpd.conf file it seems to be set to log all events (including the all important login failed ones) in the syslog. Now, editing the vsftpd.conf doesn't seem to work for me (is it in a protected space?) and I can't seem to find syslog.log in any of the expected locations.

    I'm not too keen on killing vsftpd and re-launching with my own .conf file in a different location that is set to generate a .log file. I'd rather just have fail2ban peruse the syslog instead. So, my question now is, where is the bloody syslog.log? The web GUI seems to be able to read it so I'm assuming that the file exists somewhere (syslogd is also running in the process list).

    Any help would be appreciated.
    Last edited by medsource; 14-01-2007 at 08:38.

  2. #2
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    fail2ban

    Quote Originally Posted by medsource View Post
    Here's a list of 'wants.' Granted I've got most of these already running ...

    Fail2ban for disabling bruteforce attacks
    ...
    could you please explain how you've built and installed fail2ban on your router ?

    brgds

    --
    tiwag

  3. #3
    Quote Originally Posted by tiwag View Post
    could you please explain how you've built and installed fail2ban on your router ?

    brgds

    --
    tiwag
    Firstly you need python installed (2.4 and 2.5)

    Then download the fail2ban sw from their server (http://www.fail2ban.org/wiki/index.php/Main_Page)

    Install it (you'll have to mod the setup.cfg script to run python2.5 as the environment and to the opt directory)

    After that you need to do some tweaking...

    To get it to run you need to modify the three core files: fail2ban-client, fail2ban-server and fail2ban-regex (they should be in the /opt/bin directory... if not then move them there).

    Each file references the /usr/share/fail2ban directory for the core components (it's like line 30ish). All you have to do is replace the /usr/share/fail2ban in each of the three files with /opt/fail2ban (which should be your install directory). To test if it's running ok all you have to do is type fail2ban-client -d (you don't need the python statement as it was set at install when you modified setup.cfg to use python2.5 as the environment).

    If it works it will display the current jail.conf settings. Then if your jail.conf settings are ok you can launch the application by typing fail2ban-client start (with the -c /[dir]/ if you didn't switch the location of the config files in the fail2ban-client file in the /opt/bin directory). Also make sure that the logging is to the correct location (I put it to the syslog) and that the logging level is correct (3 for runtime 4 for debug).

    Hope this gets you off the ground.
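    The path rewrite in the three entry scripts described above is easy to get half-done by hand, so here is an added helper (not medsource's own commands) that applies it with sed, keeps a .orig backup, and only returns success if no reference to the old directory remains. The /usr/share/fail2ban and /opt/fail2ban defaults are the ones named in the post; the function name and the backup convention are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of fail2ban itself:
# rewrite the hard-coded /usr/share/fail2ban path in the three fail2ban
# entry scripts to the /opt install location and verify the result.

OLD_PATH=/usr/share/fail2ban
NEW_PATH=/opt/fail2ban

# patch_fail2ban BINDIR [OLD] [NEW]
# Rewrites fail2ban-client, fail2ban-server and fail2ban-regex in BINDIR
# in place (a .orig copy is kept) and returns 0 only if every file exists
# and no occurrence of OLD is left behind.
patch_fail2ban() {
    bindir=$1
    old=${2:-$OLD_PATH}
    new=${3:-$NEW_PATH}
    status=0
    for f in fail2ban-client fail2ban-server fail2ban-regex; do
        path="$bindir/$f"
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2
            status=1
            continue
        fi
        cp "$path" "$path.orig"
        # '|' as the sed delimiter because both paths contain slashes
        sed -e "s|$old|$new|g" "$path.orig" > "$path"
        chmod +x "$path"
        if grep -q "$old" "$path"; then
            echo "still references $old: $path" >&2
            status=1
        fi
    done
    return $status
}

# Usage: patch_fail2ban /opt/bin   (directory given on the command line)
if [ $# -gt 0 ]; then
    patch_fail2ban "$@"
fi
```

    Run it against /opt/bin after the install; if it reports a missing file, the scripts were not placed where the post expects them, which is the first thing to check before touching jail.conf.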

  4. #4
    Join Date
    Aug 2007
    Location
    Austria
    Posts
    52

    fail2ban

    Quote Originally Posted by medsource View Post
    Firstly you need python installed (2.4 and 2.5)

    Then download the fail2ban sw from their server (http://www.fail2ban.org/wiki/index.php/Main_Page)

    Install it (you'll have to mod the setup.cfg script to run python2.5 as the environment and to the opt directory)

    After that you need to do some tweaking...

    To get it to run you need to modify the three core files: fail2ban-client, fail2ban-server and fail2ban-regex (they should be in the /opt/bin directory... if not then move them there).

    Each file references the /usr/share/fail2ban directory for the core components (it's like line 30ish). All you have to do is replace the /usr/share/fail2ban in each of the three files with /opt/fail2ban (which should be your install directory). To test if it's running ok all you have to do is type fail2ban-client -d (you don't need the python statement as it was set at install when you modified setup.cfg to use python2.5 as the environment).

    If it works it will display the current jail.conf settings. Then if your jail.conf settings are ok you can launch the application by typing fail2ban-client start (with the -c /[dir]/ if you didn't switch the location of the config files in the fail2ban-client file in the /opt/bin directory). Also make sure that the logging is to the correct location (I put it to the syslog) and that the logging level is correct (3 for runtime 4 for debug).

    Hope this gets you off the ground.
    thanks medsource,

    you could post your modified fail2ban files package here,
    then we wouldn't need to investigate the same issues over and over again.

    brgds

    --
    tiwag

  5. #5

    fail2ban

    Hi, is it possible to install fail2ban on a WL-500gx? Could anybody write a tutorial? I have a lot of brute-force attacks on my vsftpd.

    thanks a lot

  6. #6
    Join Date
    Feb 2007
    Location
    Moscow, Russia
    Posts
    3,805
    Hi, here I posted a piece of a post-firewall file which uses the ipt_recent module of iptables to control ssh logins: http://wl500g.info/showpost.php?p=69964&postcount=63
    It can be modified to be used for ftp connections as well.

    It acts like this: a connection is blocked (e.g. for --seconds 600 --hitcount 4) when more than 3 attempts are performed from the same IP within 600 seconds. You can use either --update or --rcheck instead of it. --update is more restrictive: it means that the 600 sec are counted from the last attempt, while --rcheck implies 3 attempts within any 600 sec.

    Take into account that this module does not distinguish between successful and unsuccessful attempts. Therefore I introduced a whitelist of the IPs which are not subject to this kind of control, and, just for symmetry, a blacklist of those who are rejected outright. The format of these files ( /usr/local/etc/ssh.allow & /usr/local/etc/ssh.deny ) is simple:
    PHP Code:
    12.34.56.78         allow/deny access from a single IP
    87.65.43.0/24       allow/deny access from a subnet
    To use this you need to load the ipt_recent.o module for iptables. Its updated version is attached here (thanks to Mam(o)n): http://wl500g.info/showpost.php?p=69660&postcount=53

    So, my /usr/local/sbin/pre-boot file looks like this:
    PHP Code:
    #!/bin/sh
    #Both these lines are required/recommended for protection against unwanted multiple ssh logins based on ipt_recent
    date 010101012000
    insmod /usr/local/lib/ipt_recent.
    Last edited by al37919; 12-12-2007 at 08:06.
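    As an added illustration of the ipt_recent scheme al37919 describes (this is not his post-firewall file, which is only linked above), the following script reads ssh.allow and ssh.deny in the format shown and prints the iptables commands it would apply, using --hitcount 4 within --seconds 600 as in the post. The chain name SSHLIMIT, the recent-list name "sshguard", the use of --rcheck rather than --update, and the sample addresses are my assumptions for the example.

```shell
#!/bin/sh
# Added example, not al37919's post-firewall file: generate the iptables
# rules for ipt_recent-based SSH throttling from ssh.allow / ssh.deny lists
# in the format shown above. Chain and list names are assumed.

SSH_PORT=22
RECENT_NAME=sshguard
WINDOW=600      # --seconds
HITS=4          # --hitcount: the 4th new connection in the window is dropped

# Print the first field of every non-empty, non-comment line of a list file
# (so "87.65.43.0/24   # office" yields just the subnet).
read_list() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# gen_rules ALLOW_FILE DENY_FILE
# Echo the commands instead of running them so they can be reviewed first
# (pipe to sh to apply). Order inside SSHLIMIT: deny list, then allow list
# (exempt from counting, since the module cannot tell good logins from bad),
# then the recent-module counter and threshold.
gen_rules() {
    echo "iptables -N SSHLIMIT"
    echo "iptables -F SSHLIMIT"
    read_list "$2" | while read -r src; do
        echo "iptables -A SSHLIMIT -s $src -j DROP"
    done
    read_list "$1" | while read -r src; do
        echo "iptables -A SSHLIMIT -s $src -j RETURN"
    done
    # --set records this source; --rcheck then drops it once HITS entries
    # fall within WINDOW seconds, i.e. more than HITS-1 attempts.
    echo "iptables -A SSHLIMIT -m recent --name $RECENT_NAME --set"
    echo "iptables -A SSHLIMIT -m recent --name $RECENT_NAME --rcheck --seconds $WINDOW --hitcount $HITS -j DROP"
    echo "iptables -A SSHLIMIT -j RETURN"
    # Only new TCP connections to the ssh port are subject to the check.
    echo "iptables -I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSHLIMIT"
}

# Usage: gen_rules /usr/local/etc/ssh.allow /usr/local/etc/ssh.deny | sh
if [ $# -eq 2 ]; then
    gen_rules "$1" "$2"
fi
```

    Because the whitelist returns before the recent rules, an address in ssh.allow is never counted, which is the point al37919 makes about the module not separating successful from failed logins; everything else is throttled regardless of outcome. Changing RECENT_NAME and SSH_PORT is all that is needed to reuse the same chain for ftp.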
