Fail2Ban – Reload banned IP’s after a restart

Restart fail2ban and load the previously banned IPs back into iptables


Restarting fail2ban drops all of your currently banned IPs from iptables. To reload those banned IPs, try this.

First, save your currently fail2-banned IPs to a text file as iptables commands. fail2ban keeps each fail2ban-* chain with a trailing RETURN rule and inserts new bans above it, so the saved rules are written as inserts (-I) and the RETURN rule itself is left out; appending them (-A) after the restart would place them below the RETURN rule, where they are never reached:
iptables-save | grep '^-A fail2ban-' | grep -v -- '-j RETURN' | sed 's/^-A/iptables -I/' > bannedIPs.txt

Stop fail2ban, make your config changes, etc. and restart:
service fail2ban stop
service fail2ban start

Load your iptables commands by piping your saved rules to bash:
cat bannedIPs.txt | /bin/bash


VSFTPD on CentOS 5 – FTP server setup

1) Configure VSFTPD: vi /etc/vsftpd/vsftpd.conf and include the following:

chroot_list_enable=YES
chroot_local_user=NO

Also, disallow anonymous access by setting anonymous_enable=NO; if this line is commented out, anonymous access is enabled!
With these settings you NEED to add the ftp usernames to /etc/vsftpd/chroot_list, so create the file and add the ftp username(s). This allows those ftp users to log in but locks them down to their home directory.

2) Add users: useradd -m -d /home/ftpusername ftpusername

3) Adjust IPTABLES: Edit iptables-config: vi /etc/sysconfig/iptables-config and add
IPTABLES_MODULES="ip_conntrack_ftp"
and allow port 21 in iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
and then restart iptables.

4) Use Audit2Allow to create a policy for SELinux

5) Turn it on and get started:
service vsftpd start
chkconfig vsftpd on

There are a couple options for login (welcome/greeting) banners. vsftpd.conf has a banner string option:
# You may fully customise the login banner string:
ftpd_banner=Your login banner here

But alternatively, you can use banner_file=/path/to/banner_message to point to a text file that contains your banner message. This is especially handy for long legal messages.


Installing Fail2Ban on CentOS 5

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. These rules (how many attempts before banning, how long the ban lasts, etc.) can be defined by the user. Fail2Ban can read multiple log files, such as the sshd or Apache web server ones.
You may need an additional repo for this. If so, see my post on rpmforge for additional info.

To install and configure fail2ban:

Install: yum install fail2ban

Configure: edit /etc/fail2ban/jail.conf (vi /etc/fail2ban/jail.conf) and fail2ban.conf, paying special attention to the following:
# Option: ignoreip
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default: 192.168.0.0/16
#
ignoreip = 192.168.0.1/16

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=youraddress@yourdomain.com, sender=fromaddress@yourdomain.com]
logpath = /var/log/secure
maxretry = 3

Note that logpath must point to the log file whose failures you want to block on; on CentOS 5 the ssh log is /var/log/secure.

The finishing touches:
chkconfig fail2ban on
service fail2ban start
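As an added example (not from the original post or from fail2ban itself), this Python reproduces the decision the ssh-iptables jail above makes: a simplified version of the sshd filter is run over constructed /var/log/secure lines, addresses covered by ignoreip are skipped, and any address that reaches maxretry=3 is reported. The regex covers only the two most common sshd failure messages and the sample lines are constructed, not captured traffic.

```python
import re
import ipaddress
from collections import Counter

# Simplified stand-in for fail2ban's filter.d/sshd.conf (assumption: only the
# "Failed password/publickey" and "Invalid user" messages are matched).
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed (?:password|publickey) for (?:invalid user )?\S+"
    r"|Invalid user \S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_ignoreip(value):
    """Parse a space-separated ignoreip value (hosts or CIDR ranges)."""
    return [ipaddress.ip_network(v, strict=False) for v in value.split()]


def offenders(lines, ignoreip="192.168.0.1/16", maxretry=3):
    """Return {ip: failures} for addresses at or over maxretry, minus ignoreip."""
    ignored = parse_ignoreip(ignoreip)
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a failure line, e.g. "Accepted password"
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in ignored):
            continue  # whitelisted by ignoreip, never banned
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= maxretry}


# Constructed sample lines in CentOS 5 /var/log/secure style (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2201]: Failed password for root from 203.0.113.7 port 4410 ssh2
Mar  3 10:01:15 host sshd[2203]: Failed password for root from 203.0.113.7 port 4412 ssh2
Mar  3 10:01:19 host sshd[2205]: Invalid user admin from 203.0.113.7
Mar  3 10:02:01 host sshd[2210]: Failed password for invalid user test from 192.168.5.20 port 5001 ssh2
Mar  3 10:02:03 host sshd[2211]: Failed password for invalid user test from 192.168.5.20 port 5002 ssh2
Mar  3 10:02:05 host sshd[2212]: Failed password for invalid user test from 192.168.5.20 port 5003 ssh2
Mar  3 10:03:00 host sshd[2220]: Accepted password for bob from 198.51.100.9 port 6000 ssh2
Mar  3 10:03:30 host sshd[2221]: Failed password for bob from 198.51.100.9 port 6001 ssh2
""".splitlines()

if __name__ == "__main__":
    # 192.168.5.20 also fails three times but sits inside ignoreip 192.168.0.0/16.
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} after {n} failures")
```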

Fail2Ban can be used for all kinds of other things too, such as blocking spammers from a mail server.

Also, keep in mind that you'll have to have sendmail (or some other MTA) enabled if you want to receive the Fail2Ban notifications! You can simply relay through your mail server by modifying /etc/mail/sendmail.cf: add your mail server's FQDN to the DS line and restart sendmail.


NFS problems on CentOS 5

Had a hard time getting NFS working between two CentOS 5 boxes; the client kept hanging when attempting to mount the share. Disabled SELinux, and then ran into a mount.nfs: Stale NFS file handle error. Had to force a umount (umount -f /mnt/share).

Next issue was a time out similar to this:
mount.nfs: mount to NFS server '192.196.1.3' failed: timed out, retrying
mount.nfs: mount to NFS server '192.196.1.3' failed: timed out, retrying
mount.nfs: mount to NFS server '192.196.1.3' failed: timed out, retrying
mount.nfs: mount to NFS server '192.196.1.3' failed: timed out, give up.

Stopped iptables and the NFS share started working great. Ok. My iptables config is almost identical to another CentOS box that has NFS working fine. Weird. Turns out that the NFS ports change, and have to be set statically in /etc/sysconfig/nfs so they can be allowed through iptables. I uncommented the following lines:

STATD_PORT=
STATD_OUTGOING_PORT=
MOUNTD_PORT=

And set the desired ports, then added those ports to iptables. Then:

service nfs restart
service iptables restart

And it mounts with no problem.
