Vuurmuur and fail2ban

Console interfaces are nice, and I like to use them. Managing a firewall through the iptables command alone can be a really tough task, because you have to keep track of every single line. I tried the Vuurmuur Firewall once and I am still using it. It provides a comfortable curses interface for managing the iptables rules.

But I had missed installing Fail2ban, a set of scripts that keeps an eye on your log files for conspicuous behavior, like port scans:

    21:31:21 1.1.1.1 sshd[21582]: Did not receive identification string from 2.2.2.2

or brute force attempts:

    21:02:04 1.1.1.1 sshd[13062]: Failed password for invalid user guasparre from 2.2.2.2 port 33370 ssh2
    21:02:04 1.1.1.1 sshd[28942]: Failed password for invalid user gueri from 2.2.2.2 port 33149 ssh2

fail2ban then executes a script to add the suspicious IP to your firewall's blocking rules. After a while those IPs are removed again.

To make fail2ban use Vuurmuur to block those IP addresses, you can use the vuurmuur_script tool to block and unblock. First, create a file named /etc/fail2ban/action.d/vuurmuur.conf with the following content:

    # Fail2Ban configuration file
    #

    [Definition]

    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>        IP address
    #          <failures>  number of failures
    #          <time>      unix timestamp of the ban time
    # Values:  CMD
    #
    actionban = vuurmuur_script --block <ip> --apply

    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>        IP address
    #          <failures>  number of failures
    #          <time>      unix timestamp of the ban time
    # Values:  CMD
    #
    actionunban = vuurmuur_script --unblock <ip> --apply

The parameter --apply makes the rule active and reloads Vuurmuur's configuration.

In the next step you have to define the action which fail2ban should use, in our case the newly created action.d/vuurmuur.conf file.
Open /etc/fail2ban/jail.conf in your favorite editor, search for the option banaction and change it as follows:

    banaction = vuurmuur

Restart fail2ban, and you are finished. The stupid bad guys or bots should now be sorted out.

There is also a nice howto on http://foosel.org named "Banning phpMyAdmin bots using fail2ban".
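To illustrate what fail2ban does between reading the log and calling the vuurmuur action above, here is an added example (not code from the post, fail2ban or Vuurmuur) that matches the two sshd line formats shown in the post, applies fail2ban-style maxretry/findtime counting per source address, and builds the actionban command line from the configuration above. The log lines and the addresses 3.3.3.3 and 4.4.4.4 are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the sshd excerpts in the
# post (HH:MM:SS host sshd[pid]: message); all addresses are placeholders.
SAMPLE_LOG = """\
21:02:04 1.1.1.1 sshd[13062]: Failed password for invalid user guasparre from 2.2.2.2 port 33370 ssh2
21:02:04 1.1.1.1 sshd[28942]: Failed password for invalid user gueri from 2.2.2.2 port 33149 ssh2
21:02:09 1.1.1.1 sshd[28950]: Failed password for invalid user admin from 2.2.2.2 port 33201 ssh2
21:05:30 1.1.1.1 sshd[29001]: Failed password for bob from 3.3.3.3 port 40010 ssh2
21:31:21 1.1.1.1 sshd[21582]: Did not receive identification string from 4.4.4.4
"""

# Patterns playing the role of a fail2ban "failregex" for the sshd messages
# quoted in the post: brute force (failed password) and a bare port probe.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]

def parse_failures(log_text):
    """Return a list of (seconds_since_midnight, ip) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hh, mm, ss = (int(x) for x in line.split(" ", 1)[0].split(":"))
                hits.append((hh * 3600 + mm * 60 + ss, m.group("ip")))
                break
    return hits

def ips_to_ban(log_text, maxretry=3, findtime=600):
    """IPs with at least `maxretry` hits inside some `findtime`-second window,
    the same semantics as the maxretry/findtime options in jail.conf."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    banned = []
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.append(ip)
                break
    return banned

def ban_command(ip):
    """The command fail2ban runs with the actionban line from vuurmuur.conf."""
    return f"vuurmuur_script --block {ip} --apply"
```

With the sample log, only 2.2.2.2 reaches three failures within the window; the single probes from the other two addresses are counted but not yet banned.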