Install Fail2Ban on CentOS 6 with Plesk

Install Fail2Ban on CentOS 6 with Plesk

I just had to install fail2ban on a centOS server with plesk, and thought I write it down as I am going to need it in the future.

Fail2Ban is excellent software as it helps to deter those would brute force attacks on a server.

So first we need to enable the repo called epel, so as the root user:

wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm

Then in the text editor (I use nano) of your choice edit the repo to disable it (we only want to enable it to download any packages from it, this adds security):

nano /etc/yum.repos.d/epel.repo

and change

enabled=1

to

enabled=0

Now we are going to install fail2ban, we will also need the whois program so fail2ban can query ip whois database:

yum --enablerepo=epel install fail2ban jwhois

now we have our packages installed, we want to copy the config file and use the copy so we have a backup if we mess things up:

cp /etc/fail2ban/jail.conf /etc/fail2ban.local

OK we are ready to edit our config file so:

nano /etc/fail2ban/jail.local

I normally leave the the defaults in place. So find the place where '[ssh-iptables]' is located in the file.
This is already turned on but you will need to alter a few options. A quick review of the basic options are:

  • enabled : Whether to turn the filter on or off.
  • filter : Which filter to use located in '/etc/fail2ban/filter.d'.
  • action : The action to take located in '/etc/fail2ban/action.d'.
  • logpath : Where the log to scan is located.
  • maxretry : the number of times a login attempt can be made before a ban.
  • bantime : How long the ban will last in seconds.
  • findtime : The ban is reset if no match is found within "findtime" seconds.

So with that in mind here are some rules for ssh, postfix, courier-imap and proftpd. Change 'yourdomain.com' to your actual server domain and '[email protected]' to your email address you want the whois data sent to.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected]]
logpath = /var/log/secure
maxretry = 3
bantime = 43200
findtime = 43200

[postfix-iptables]

enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
sendmail-whois[name=Postfix, [email protected], [email protected]]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[courierimap-iptables]

enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
sendmail-whois[name=IMAP, [email protected], [email protected]]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/auth.log
maxretry = 6

Now edit the following filters:
/etc/fail2ban/filter.d/courierlogin.conf
Change:

LOGIN FAILED, .*, ip=\[\]$

To:

LOGIN FAILED, ip=\[]$

/etc/fail2ban/filter.d/proftpd.conf. Repalce the failregex with:

failregex = \[]\s+530$

Because Plesk doesn't log failed auth attempts in proftpd, we have to make it do so.

/etc/proftpd.conf add:

ExtendedLog /var/log/proftpd/auth.log AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"

create 'proftpd' directory in '/var/log'

mkdir /var/log/proftpd

Create a file in '/etc/logrotate.d'

touch /etc/logrotate.d/proftpd

and put this in it:

/var/log/proftpd/auth.log
{
    weekly
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
    # reload could be not sufficient for all logs, a restart is safer
    /usr/bin/kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

Now restart fail2ban and proftpd:

service fail2ban restart
/etc/init.d/xinetd restart

Now you should have a more secure server. Enjoy!

This post is taken from my old site and was originally posted on 2nd Junn 2013

19/04/2014 09:10:00 Shaun Freeman Filed Under: Linux CentOS, Linux, Plesk, Server

Twitter Feed
Shaun Freeman @Zendmaster

Shaun Freeman @Zendmaster

I liked a @YouTube video https://t.co/lSFWmpHTX1 Patrick Stewart talks about meeting Sting on the set of DUNE (Funny to the EXTREME)

Shaun Freeman @Zendmaster

I added a video to a @YouTube playlist https://t.co/pmXSmod4ti Anonymous - This will Change Everything You Know... (2018-2019)

Shaun Freeman @Zendmaster

I added a video to a @YouTube playlist https://t.co/GkwTCvBfes Will Artificial Intelligence Take Over The World?

Shaun Freeman @Zendmaster

I liked a @YouTube video https://t.co/Y1ulafmsC6 Frank Abagnale: "Catch Me If You Can" | Talks at Google

Shaun Freeman @Zendmaster

I liked a @YouTube video https://t.co/NBdW2xFnqD ETS2: Special Transport DLC Trailer