DenyHost/Fail2Ban Utility

DenyHost/Fail2Ban Utility

Postby joelee on Wed Jul 18, 2007 1:58 pm

Hi, I have come to read about the following tools like DenyHost, ssdFilter, Fail2Ban, that automatically block IP addresses based on failed attempts to log in. I was wondering if EnGarde Linux has implemented those features. If not, it would be a nice add-on to implement, and hopefully one that can be managed by the webtool.

On the above mentioned tools, I understand fail2ban also supports other services like FTP...

Joe
joelee
 
Posts: 10
Joined: Sun May 06, 2007 6:41 pm

RE: DenyHost/Fail2Ban Utility

Postby wkeys on Wed Jul 18, 2007 2:58 pm

hi
EnGarde currently does not have any of that software packaged into it. However, it sounds like a good idea to have one included. Do you have a favorite one? Please create a bug report at bugs.engardelinux.org so we can see if we can get this into EnGarde.

~bill
wkeys
 
Posts: 283
Joined: Thu Feb 01, 2007 5:43 pm

RE: DenyHost/Fail2Ban Utility

Postby joelee on Wed Jul 18, 2007 6:36 pm

Yeah, based on what I've read I think fail2ban would be my best choice as it's more flexible and supports other services (FTP, HTTP, etc.) and not just SSH. And one can configure it to use iptables or hosts.deny (TCP Wrappers).

As you suggested, I will submit a bug report to request this feature in future release of Engarde.

Joe
joelee
 
Posts: 10
Joined: Sun May 06, 2007 6:41 pm

RE: DenyHost/Fail2Ban Utility

Postby wkeys on Thu Jul 19, 2007 12:10 pm

hi
fail2ban sounds like an interesting one, so I am going to test it out :-).

~bill
wkeys
 
Posts: 283
Joined: Thu Feb 01, 2007 5:43 pm

RE: DenyHost/Fail2Ban Utility

Postby joelee on Thu Jul 19, 2007 2:21 pm

Cool - Let us know how it works out!
joelee
 
Posts: 10
Joined: Sun May 06, 2007 6:41 pm

RE: DenyHost/Fail2Ban Utility

Postby wkeys on Fri Jul 27, 2007 11:41 am

hi
I was able to install fail2ban on EnGarde. The install went easy. I just started testing it out. It also has some nice features.

~bk
wkeys
 
Posts: 283
Joined: Thu Feb 01, 2007 5:43 pm

RE: DenyHost/Fail2Ban Utility

Postby joelee on Fri Jul 27, 2007 12:22 pm

wkeys, glad to hear the install went well... Do you mind posting the steps you took to install?

Joe
joelee
 
Posts: 10
Joined: Sun May 06, 2007 6:41 pm

RE: DenyHost/Fail2Ban Utility

Postby wkeys on Tue Jul 31, 2007 1:32 pm

hi

Once you have downloaded the source code for fail2ban, set SELinux to permissive mode. fail2ban will not work with the current SELinux policy, so SELinux will need to stay in permissive mode.

# newrole -r sysadm_r
# setenforce 0

Then please follow the below README file to finish up the install.
http://www.fail2ban.org/wiki/index.php/README

Once you have it installed you will need to change some fail2ban conf files so the program will know where to look for your log files.

There is a section in the below link that talks about changing the fail2ban log files.

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

One config file that I changed was /etc/fail2ban/jail.conf . I needed to change where the program looks for ssh log files to /var/log/messages.

The only feature I tested was blocking an IP address if the user fails to log in a certain number of times, and it worked well after I made the change to jail.conf.

Note:
fail2ban adds rules to iptables, so if you get locked out, remember to clear your iptables rules. I would run this on a test machine just in case :-)

~bill
wkeys
 
Posts: 283
Joined: Thu Feb 01, 2007 5:43 pm
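As an added example (not code from this thread or from fail2ban itself), the Python below models what the jail described in the post above does once jail.conf points at /var/log/messages: it reads maxretry, findtime, bantime and logpath from a constructed jail.conf fragment laid out like fail2ban 0.8's [ssh-iptables] section, applies an sshd-style failregex to constructed syslog lines, counts failures per source address inside the findtime window, and emits the iptables rules that a ban and a later unban would install. The chain name fail2ban-SSH and the exact rule form are assumptions modelled on fail2ban's iptables action; the log lines and addresses are constructed sample data.

```python
"""Model of a fail2ban-style SSH jail: config -> failregex -> ban decisions -> iptables rules."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.conf fragment in the fail2ban 0.8 layout (assumption: section and
# option names follow that release; logpath already changed to /var/log/messages).
JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
"""

# Constructed sample of what sshd writes into /var/log/messages via syslog.
# 203.0.113.7 fails three times in ten seconds; 198.51.100.2 fails three times
# but the first failure is 25 minutes before the other two.
SAMPLE_LOG = """\
Jul 31 13:01:05 engarde sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51612 ssh2
Jul 31 13:01:09 engarde sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51613 ssh2
Jul 31 13:01:15 engarde sshd[4122]: Failed password for root from 203.0.113.7 port 51620 ssh2
Jul 31 13:02:00 engarde sshd[4130]: Accepted publickey for joe from 198.51.100.2 port 40022 ssh2
Jul 31 13:05:00 engarde sshd[4140]: Failed password for joe from 198.51.100.2 port 40030 ssh2
Jul 31 13:30:00 engarde sshd[4150]: Failed password for joe from 198.51.100.2 port 40031 ssh2
Jul 31 13:30:10 engarde sshd[4151]: Failed password for joe from 198.51.100.2 port 40032 ssh2
"""

# Syslog envelope (no year in the timestamp) and an sshd failregex in the spirit of
# fail2ban's sshd filter; the <host> group is what gets banned.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILREGEX = re.compile(r"^Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<host>\S+)")


def load_jail(conf_text, name="ssh-iptables"):
    """Return the effective jail settings, with [DEFAULT] values inherited."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    s = cp[name]
    return {
        "enabled": s.getboolean("enabled"),
        "bantime": s.getint("bantime"),
        "findtime": s.getint("findtime"),
        "maxretry": s.getint("maxretry"),
        "logpath": s["logpath"],
    }


def parse_failures(log_text, year=2007):
    """Yield (timestamp, host) for every line the failregex matches; year is assumed
    because syslog timestamps carry none."""
    found = []
    for line in log_text.splitlines():
        env = SYSLOG_RE.match(line)
        if not env:
            continue
        hit = FAILREGEX.match(env.group("msg"))
        if not hit:
            continue  # e.g. "Accepted publickey" lines are ignored
        ts = datetime.strptime(f"{year} {env.group('ts')}", "%Y %b %d %H:%M:%S")
        found.append((ts, hit.group("host")))
    return found


def evaluate(conf, failures):
    """Apply maxretry-within-findtime per host; return (host, banned_at, expires) decisions."""
    windows = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}                    # host -> expiry of the current ban
    decisions = []
    for ts, host in sorted(failures):
        if host in banned and ts < banned[host]:
            continue               # traffic from a banned host never reaches sshd
        window = windows[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > conf["findtime"]:
            window.popleft()       # failures older than findtime no longer count
        if len(window) >= conf["maxretry"]:
            expires = ts + timedelta(seconds=conf["bantime"])
            banned[host] = expires
            decisions.append((host, ts, expires))
            window.clear()
    return decisions


def iptables_commands(decisions, chain="fail2ban-SSH"):
    """Ban/unban rules in the form of fail2ban's iptables action (chain name assumed)."""
    ban = [f"iptables -I {chain} 1 -s {host} -j DROP" for host, _, _ in decisions]
    unban = [f"iptables -D {chain} -s {host} -j DROP" for host, _, _ in decisions]
    return ban, unban


if __name__ == "__main__":
    jail = load_jail(JAIL_CONF)
    for host, at, until in evaluate(jail, parse_failures(SAMPLE_LOG)):
        print(f"ban {host} at {at:%H:%M:%S} until {until:%H:%M:%S}")
    for cmd in iptables_commands(evaluate(jail, parse_failures(SAMPLE_LOG)))[0]:
        print(cmd)
```

Run stand-alone it bans only 203.0.113.7: the three failures from 198.51.100.2 never fall inside one 600-second findtime window, which is the setting to tune if legitimate users keep getting caught. The lockout the post warns about is the same -I ... -j DROP rule applied to your own address; with this chain layout, flushing just that chain (iptables -F fail2ban-SSH, chain name assumed as above) removes every ban without touching the rest of the firewall.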

Re: DenyHost/Fail2Ban Utility

Postby taylorbanks on Tue Nov 24, 2009 10:56 am

Was there ever any follow-up with Guardian Digital about including either Fail2Ban or DenyHosts in the official EnGarde repository? To me, having to run in permissive mode defeats much of the point of using a secure distribution. Indiscriminately disabling SELinux policies purely to prevent SSH brute-force attacks may have severe consequences for those providing public DNS or hosting complex web applications that may make remote exploitation more probable. Without SELinux policies in place, such exploitation would almost invariably lead to full system compromise.

Theoretically, so long as you deny password authentication to SSH, the attack surface of EnGarde can be significantly reduced, however, if nothing else, DenyHosts or Fail2Ban would certainly further reduce wasted bandwidth and eliminate cruft from auth logs, and would also significantly reduce the time required for investigation of security events at SIMs, SEMs, or other monitoring tools.

As such, I'd like to again suggest that Guardian Digital put serious consideration into the inclusion of one of the tools mentioned in the title of this thread, as I think they both further support the end-goal that EnGarde so faithfully aims to achieve. Personally, I'm an old fan of DenyHosts, as it's lightweight and also supports a "social" submission process that can prevent most brute force attacks before they ever begin.

Cheers,
-Taylor
taylorbanks
 
Posts: 2
Joined: Fri Oct 16, 2009 9:52 am
