How To Install And Configure fail2ban On CentOS 7
First, make sure you have fail2ban installed. On CentOS 7 the package comes from the EPEL repository, which is already enabled on this machine (it appears in the mirror list below):
# yum install fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* centos-sclo-rh: mirror.vodien.com
* centos-sclo-sclo: mirror.vodien.com
* epel: sg.fedora.ipserverone.com
* extras: mirror.vodien.com
* remi-php54: mirrors.thzhost.com
* remi-php55: mirrors.thzhost.com
* remi-php56: mirrors.thzhost.com
* remi-php71: mirrors.thzhost.com
* remi-safe: mirrors.thzhost.com
* updates: mirror.vodien.com
Package fail2ban-0.9.7-1.el7.noarch already installed and latest version
Nothing to do
fail2ban is installed, but is it running?
# fail2ban-client status
ERROR Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
# service fail2ban start
Redirecting to /bin/systemctl start fail2ban.service
# service fail2ban status
Redirecting to /bin/systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-12-04 08:25:24 HKT; 39s ago
Docs: man:fail2ban(1)
Process: 12578 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 12778 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 12781 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─12781 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Now that fail2ban is running, is it actually doing anything, i.e. "jailing" bad actors? Only if at least one jail is enabled. A jail pairs a filter (the regular expressions that pick failures out of a log) with an action (what to do to the matching source address); with no jails enabled, nothing is ever banned:
# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
#
fail2ban is running, but not jailing anyone!
To start jailing bad actors, we need a local override file at /etc/fail2ban/jail.local:
How To Create A Custom jail.local File
# cd /etc/fail2ban
# cp jail.conf jail.local
With jail.local created, we need to make two changes to it:
A) Make sure that our own IP never gets blocked by fail2ban
B) Make sure that fail2ban begins overwatch on postfix
fail2ban reads jail.conf first and jail.local second, so anything set in jail.local wins. Copying the whole of jail.conf, as above, works, but a jail.local that contains only the lines you actually change is easier to audit and does not mask changes a later package update makes to jail.conf.
How To Find Out Your Own IP
The address that matters is the one the server sees you connecting from. If you administer the server over SSH it already knows that address: echo $SSH_CLIENT in your session prints it (client address, client port, server port), and who lists it in parentheses next to your login. Otherwise, https://www.whatismyip.com/ reports the public address your connection appears from.
How To Make Sure fail2ban Never Jails YOU
To make sure that fail2ban never jails you, add your IP address to the jail.local file
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
#
# 127.x.x.x Is how this machine talks to itself (never ban)
# w.x.y.z Is your IP address (if you connect to this machine remotely)
#
#ignoreip = 127.0.0.1/8
#
# GL 2019-12-04 added my LAN (192.168.0.0/24) to the ignoreip directive
#
ignoreip = 127.0.0.1/8, 192.168.0.0/24
Note that 192.168.0.0/24 is a private (RFC 1918) range, so this entry only protects you if you reach the server from that LAN or over a VPN that places you in it; if you administer the server across the Internet, put your public address here instead. Keep the list short: every entry is an address fail2ban will never ban, whatever it does.
How To Enable fail2ban Overwatch on postfix
The next thing to do is enable fail2ban overwatch on postfix.
Search for the [postfix] stanza in the jail.local file and make this change (the stanza already carries the port, logpath and backend lines; the only line that needs to change is enabled, which defaults to false):
[postfix]
#
# GL 2019-12-04 Enabled fail2ban overwatch on postfix
#
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
How To Restart The fail2ban Service
# service fail2ban restart
Redirecting to /bin/systemctl restart fail2ban.service
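The whole procedure above, as an override-only jail.local. This is an added example, not the file the post's author used: fail2ban reads jail.conf first and jail.local second, so the local file only needs to contain what differs. The postfix stanza's port, logpath and backend are already defined in jail.conf's own [postfix] section and do not need repeating; the three threshold values are jail.conf's 0.9.x defaults, written out so the whole policy is visible in one place; and 203.0.113.7 is a placeholder from the documentation address range, standing in for the address you administer the server from.

```ini
[DEFAULT]
# Addresses fail2ban must never ban: loopback plus the address you
# administer the server from (203.0.113.7 is a placeholder; replace it).
ignoreip = 127.0.0.1/8 203.0.113.7
# Ban for 10 minutes once maxretry failures are seen within findtime.
bantime  = 600
findtime = 600
maxretry = 5

[postfix]
# Everything else for this jail (port, logpath, backend) comes from jail.conf.
enabled = true
```

After service fail2ban restart, fail2ban-client status should list postfix, and fail2ban-client get postfix ignoreip should echo the two ignoreip entries. If the service refuses to start, fail2ban-client -d dumps the merged configuration it actually read, which is the quickest way to spot a typo in a .local file.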
How To Verify That The fail2ban Service Is Running
# service fail2ban status
Redirecting to /bin/systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-12-04 08:51:41 HKT; 9s ago
Docs: man:fail2ban(1)
Process: 14867 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 14870 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 14873 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─14873 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
How To Verify That The fail2ban Jail for postfix Is Running
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: postfix
How To See Who fail2ban Has Put In The postfix Jail
# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Apparently a remote machine is hammering my mail server. It is filling the mail log, /var/log/maillog, with messages like the ones below. (The jail status above says "Journal matches", meaning this jail reads postfix's messages from the systemd journal rather than from the file; rsyslog writes the same lines to /var/log/maillog, which is the convenient place to read them.) Before assuming fail2ban will deal with a pattern like this on its own, check whether the installed filter matches it: fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf reports how many lines matched and which regular expression did it. If the lines that bother you are not matched, the jail will never ban on its own, and the manual ban shown further down is the fallback.
Dec 4 08:59:06 postfix/smtpd[15358]: disconnect from unknown[142.147.97.139]
Dec 4 08:59:06 postfix/smtpd[15355]: connect from unknown[142.147.97.139]
Dec 4 08:59:12 postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <reservas@as58436.net>: Sender address rejected: Domain not found; from=<reservas@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec 4 08:59:12 postfix/smtpd[15355]: lost connection after MAIL from unknown[142.147.97.139]
Dec 4 08:59:12 postfix/smtpd[15355]: disconnect from unknown[142.147.97.139]
Dec 4 08:59:12 postfix/smtpd[15358]: connect from unknown[142.147.97.139]
Dec 4 08:59:18 postfix/smtpd[15358]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <pedidos@as58436.net>: Sender address rejected: Domain not found; from=<pedidos@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec 4 08:59:18 postfix/smtpd[15358]: lost connection after MAIL from unknown[142.147.97.139]
Dec 4 08:59:18 postfix/smtpd[15358]: disconnect from unknown[142.147.97.139]
Dec 4 08:59:18 postfix/smtpd[15355]: connect from unknown[142.147.97.139]
Dec 4 08:59:24 postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <fuyanhui@as58436.net>: Sender address rejected: Domain not found; from=<fuyanhui@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec 4 08:59:24 postfix/smtpd[15355]: lost connection after MAIL from unknown[142.147.97.139]
Dec 4 08:59:24 postfix/smtpd[15355]: disconnect from unknown[142.147.97.139]
Dec 4 08:59:24 postfix/smtpd[15358]: connect from unknown[142.147.97.139]
Where is this machine and who owns it?
How To Find The Location Of An IP Address
To find the location of the machine with IP address 142.147.97.139, use the geoiplookup command:
# yum install geoip
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* centos-sclo-rh: mirror.vodien.com
* centos-sclo-sclo: mirror.vodien.com
* epel: sg.fedora.ipserverone.com
* extras: mirror.vodien.com
* remi-php54: mirrors.thzhost.com
* remi-php55: mirrors.thzhost.com
* remi-php56: mirrors.thzhost.com
* remi-php71: mirrors.thzhost.com
* remi-safe: mirrors.thzhost.com
* updates: mirror.vodien.com
Package GeoIP-1.5.0-14.el7.x86_64 already installed and latest version
Nothing to do
# geoiplookup 142.147.97.139
GeoIP Country Edition: US, United States
How To Find Out Who Owns An IP Address
# whois 142.147.97.139
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#
# start
NetRange: 142.147.96.0 - 142.147.99.255
CIDR: 142.147.96.0/22
NetName: HEYMMAN-5
NetHandle: NET-142-147-96-0-1
Parent: NET142 (NET-142-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS64236
Organization: Heymman Servers Corporation (HSC-180)
RegDate: 2015-03-18
Updated: 2019-11-10
Ref: https://rdap.arin.net/registry/ip/142.147.96.0
OrgName: Heymman Servers Corporation
OrgId: HSC-180
Address: 1120 Finch Ave. W, Suite 701
City: Toronto
StateProv: ON
PostalCode: M3J 3H7
Country: CA
RegDate: 2019-01-09
Updated: 2019-03-05
Ref: https://rdap.arin.net/registry/entity/HSC-180
OrgTechHandle: ADMIN5601-ARIN
OrgTechName: Administration
OrgTechPhone: +1-438-495-6967
OrgTechEmail: contact@heymman.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
OrgAbuseHandle: ADMIN5601-ARIN
OrgAbuseName: Administration
OrgAbusePhone: +1-438-495-6967
OrgAbuseEmail: contact@heymman.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
OrgNOCHandle: ADMIN5601-ARIN
OrgNOCName: Administration
OrgNOCPhone: +1-438-495-6967
OrgNOCEmail: contact@heymman.com
OrgNOCRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
# end
# start
NetRange: 142.147.97.128 - 142.147.97.255
CIDR: 142.147.97.128/25
NetName: HEYMMAN-5-2-2
NetHandle: NET-142-147-97-128-1
Parent: HEYMMAN-5 (NET-142-147-96-0-1)
NetType: Reassigned
OriginAS: AS19969
Customer: Heymman Servers (C06041762)
RegDate: 2016-02-13
Updated: 2019-05-16
Ref: https://rdap.arin.net/registry/ip/142.147.97.128
CustName: Heymman Servers
Address: 324 E 11th St #1000
City: Kansas City
StateProv: MO
PostalCode: 64106
Country: US
RegDate: 2016-02-13
Updated: 2016-02-13
Ref: https://rdap.arin.net/registry/entity/C06041762
OrgTechHandle: ADMIN5601-ARIN
OrgTechName: Administration
OrgTechPhone: +1-438-495-6967
OrgTechEmail: contact@heymman.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
OrgAbuseHandle: ADMIN5601-ARIN
OrgAbuseName: Administration
OrgAbusePhone: +1-438-495-6967
OrgAbuseEmail: contact@heymman.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
OrgNOCHandle: ADMIN5601-ARIN
OrgNOCName: Administration
OrgNOCPhone: +1-438-495-6967
OrgNOCEmail: contact@heymman.com
OrgNOCRef: https://rdap.arin.net/registry/entity/ADMIN5601-ARIN
# end
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#
So, if you like, you can email the abuse contact from the whois record (OrgAbuseEmail: contact@heymman.com) and let them know that one of their machines is hammering your server with what looks suspiciously like a spam bot.
Or you can simply ban it from bugging your server.
How To Put Someone In The postfix Jail
# fail2ban-client set postfix banip 142.147.97.139
142.147.97.139
How To Confirm Someone Is In The postfix Jail
# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
| |- Currently failed: 0
| |- Total failed: 35
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 142.147.97.139
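What the counters in that status output mean, modelled in code. This is an added example, not code from the post or from the fail2ban project: a miniature jail that does what the real one does with the postfix lines shown earlier. It applies a failregex written with fail2ban's <HOST> placeholder, skips anything in ignoreip, and bans an address once it has maxretry matches inside findtime. The log lines are constructed to look like the /var/log/maillog excerpt above (the hostname vm and the 192.168.0.10 sender are assumptions), the thresholds are jail.conf's defaults, and the failregex is modelled on the stock postfix filter without being a copy of it; which lines the installed filter really matches is what fail2ban-regex tells you.

```python
"""Miniature model of a fail2ban jail, fed postfix log lines.

Added example; not the post's or fail2ban's own code.  Shows the three
things a jail does: match a failregex (with the <HOST> placeholder), skip
addresses in ignoreip, and ban a host after maxretry matches in findtime.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, same shape as the /var/log/maillog lines in the
# post.  "vm" and the 192.168.0.10 laptop line are assumptions.
SAMPLE_LOG = """\
Dec  4 08:59:06 vm postfix/smtpd[15355]: connect from unknown[142.147.97.139]
Dec  4 08:59:12 vm postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <reservas@as58436.net>: Sender address rejected: Domain not found; from=<reservas@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:12 vm postfix/smtpd[15355]: disconnect from unknown[142.147.97.139]
Dec  4 08:59:18 vm postfix/smtpd[15358]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <pedidos@as58436.net>: Sender address rejected: Domain not found; from=<pedidos@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:24 vm postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <fuyanhui@as58436.net>: Sender address rejected: Domain not found; from=<fuyanhui@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:25 vm postfix/smtpd[15360]: NOQUEUE: reject: MAIL from laptop[192.168.0.10]: 450 4.1.8 <me@typo.invalid>: Sender address rejected: Domain not found; from=<me@typo.invalid> proto=ESMTP helo=<laptop>
Dec  4 08:59:30 vm postfix/smtpd[15358]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <ventas@as58436.net>: Sender address rejected: Domain not found; from=<ventas@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:36 vm postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <info@as58436.net>: Sender address rejected: Domain not found; from=<info@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:42 vm postfix/smtpd[15358]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <admin@as58436.net>: Sender address rejected: Domain not found; from=<admin@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
"""

# fail2ban filter convention: <HOST> marks the address to ban.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    # sender-domain rejections like the 450 4.1.8 lines in the post
    r"NOQUEUE: reject: (?:MAIL|RCPT) from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found",
    # the classic relay/policy rejection
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 ",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# The networks the post puts in ignoreip.
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/24")]

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)")


def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def match_host(line):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line, year=2019):
    # syslog timestamps carry no year; the post's lines date from Dec 2019.
    mon, day, clock = SYSLOG_TS.match(line).groups()
    return datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # host -> failure times inside findtime
        self.banned_until = {}              # host -> ban expiry
        self.stats = {"total_failed": 0, "ignored": 0, "banned": []}

    def feed(self, line):
        """Process one log line; return the host if this line triggered a ban."""
        host = match_host(line)
        if host is None:
            return None
        if is_ignored(host):
            self.stats["ignored"] += 1
            return None
        ts = parse_ts(line)
        self.stats["total_failed"] += 1     # filter counts it even if already banned
        if host in self.banned_until and ts < self.banned_until[host]:
            return None
        cutoff = ts - timedelta(seconds=self.findtime)
        window = [t for t in self.failures[host] if t >= cutoff] + [ts]
        if len(window) >= self.maxretry:
            self.banned_until[host] = ts + timedelta(seconds=self.bantime)
            self.stats["banned"].append(host)
            self.failures[host] = []
            return host
        self.failures[host] = window
        return None


def simulate(log=SAMPLE_LOG, **jail_opts):
    """Feed every line of the log through a jail and return its counters."""
    jail = Jail(**jail_opts)
    for line in log.splitlines():
        if line.strip():
            jail.feed(line)
    return jail.stats


if __name__ == "__main__":
    print(simulate())
```

Running it prints {'total_failed': 6, 'ignored': 1, 'banned': ['142.147.97.139']}: six rejections counted (the sixth arrives after the ban and is counted but not acted on, which is why Total failed keeps climbing in the real status output while Currently banned stays at 1), one rejection from the LAN address skipped because of ignoreip, and one ban after the fifth failure. Lower findtime to 10 seconds and the same log never bans, because the rejections are six seconds apart and at most two of them ever sit inside the window; raise maxretry to 10 and it never bans either. That is the trade-off the thresholds in jail.local encode.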
How To Configure fail2ban To Start Automatically
We want the fail2ban service to start automatically on server boot or reboot. First, check the enabled/disabled flag on the service:
# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2019-12-04 09:47:34 HKT; 9min ago
Docs: man:fail2ban(1)
Main PID: 18908 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─18908 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
In this case, the fail2ban service is disabled, meaning it would need to be started manually after a system (re)boot. That's not the behaviour we want, so we do the following to enable the fail2ban service at system boot:
# systemctl enable fail2ban
# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-12-04 09:47:34 HKT; 8min ago
Docs: man:fail2ban(1)
Main PID: 18908 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─18908 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Restarting
On this box fail2ban bogs down if it is not restarted regularly, so a cron job restarts it every hour. Use crontab -e to edit root's crontab, then enter something like this:
# GL 2019-12-09 fail2ban bogs down if it is not restarted frequently
# At minute 0 of every hour (*/60 in the minute field can only match minute 0, so it is the same as 0 * * * *)
*/60 * * * * /bin/systemctl restart fail2ban.service
Bans that are still within bantime are recorded in fail2ban's database (/var/lib/fail2ban/fail2ban.sqlite3 on 0.9.x) and re-applied when the service comes back up, so the restart does not silently unban anyone; it does remove the firewall rules for the few seconds the service is down.
That's it!
REFERENCES:
https://ma.ttias.be/enable-disable-service-at-boot-on-centos-7/
https://www.whatismyip.com/
https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban
https://gist.github.com/kamermans/1076290
https://serverfault.com/questions/501555/how-to-detect-and-prevent-postfix-from-dishing-out-spam-email-from-compromised-m