some tools for security
ban hosts that cause multiple authentication errors via iptables
apt-get install fail2ban
jails are defined in /etc/fail2ban/jail.local - set up all options there
to receive mail, you need to set the default action to
action = %(action_mwl)s
check whether it works:
iptables -n -L
Test whether it really works and actually blocks offending IPs!
If your INPUT chain allows everything, you need to change to the FORWARD chain!
Try manually whether INPUT or FORWARD drops the IP:
iptables -I INPUT -j DROP -s EV.IL.IP
iptables -I FORWARD -j DROP -s EV.IL.IP
The working chain must be set up in jail.conf or jail.local AND in /etc/fail2ban/action.d/iptables-multiport.conf
# FORWARD required, because INPUT accepts all
chain = FORWARD
Unban:
Use these commands to remove an IP from the blackhole - example for blocked courier mailserver logins:
fail2ban-client get courierlogin actionunban xx.xx.xx.xx
fail2ban-client get courierauth actionunban xx.xx.xx.xx
/etc/init.d/fail2ban restart
if the service doesn't start, this gives some useful error messages:
fail2ban-client -x start
too much CPU / RAM usage may be a problem with /etc/localtime
trace which files are opened / closed all the time by one of the server threads:
strace -f -p <pid of one of the fail2ban processes>
try to delete the database in /var/lib/fail2ban
some bash lines to extract IPs from logfiles
get banned messages from one jail:
grep contactforms fail2ban.log.1 | grep Ban > blocked-ips-complete
grep contactforms fail2ban.log | grep Ban >> blocked-ips-complete
count:
cat blocked-ips-complete | wc -l
get unique IPs sorted by date:
cat blocked-ips-complete | awk '{print $1 , $2 , $7}' | sort -u -k3,4 | sort -k1,1 > blocked-ips-by-date
get only IPs and sort by IP:
cat blocked-ips-by-date | awk '{print $3}' | sort -u
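Added example (not from the original notes): the same extraction as a small POSIX shell script over constructed sample log lines. It locates the IP as the field after the literal "Ban" token instead of by position, so it also works for the newer fail2ban log format with a "[pid]:" column, where the IP is no longer field 7; the jail name, sample lines and function names are assumptions.

```shell
#!/bin/sh
# Constructed sample fail2ban log lines (not from a real server). The first two
# use the older format the awk '{print $7}' line assumes; the rest include the
# "[pid]:" column that newer fail2ban versions add, which shifts the IP to $8.
SAMPLE_LOG='2014-03-01 10:00:01,100 fail2ban.actions: WARNING [contactforms] Ban 203.0.113.5
2014-03-01 10:05:42,200 fail2ban.actions: WARNING [sshd] Ban 198.51.100.9
2014-03-02 08:13:07,300 fail2ban.actions [4242]: NOTICE [contactforms] Ban 203.0.113.7
2014-03-02 09:30:15,400 fail2ban.actions [4242]: NOTICE [contactforms] Unban 203.0.113.5
2014-03-03 11:11:11,500 fail2ban.actions [4242]: NOTICE [contactforms] Ban 203.0.113.5'

# ban_events JAIL  (log lines on stdin) -> "date time ip" for every Ban in that jail.
# The IP is the field following the literal "Ban" token, so its position does not
# matter; "Unban" lines are skipped because the token must match exactly.
ban_events() {
    awk -v jail="[$1]" '
        index($0, jail) {
            for (i = 1; i < NF; i++)
                if ($i == "Ban") { print $1, $2, $(i + 1); break }
        }'
}

# count_bans JAIL -> number of Ban events (tr strips the padding BSD wc prints).
count_bans() { ban_events "$1" | wc -l | tr -d ' '; }

# unique_ips JAIL -> each banned IP once, sorted by IP (the last step above).
unique_ips() { ban_events "$1" | awk '{print $3}' | sort -u; }

# first_ban_by_date JAIL -> first Ban of each IP, in chronological order.
# awk keeps the first occurrence per IP instead of relying on the tie-breaking
# of sort -u, which differs between sort implementations.
first_ban_by_date() {
    ban_events "$1" | awk '!seen[$3]++' | sort -k1,1 -k2,2
}

# Stand-alone demo; in practice feed "cat fail2ban.log.1 fail2ban.log" instead.
printf '%s\n' "$SAMPLE_LOG" | first_ban_by_date contactforms
```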
apparmor (WIP)
install:
apt-get install apparmor apparmor-profiles apparmor-utils
add boot parameter:
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
reboot
check:
aa-status
activate app profiles..