Re: [ubuntu-uk] fail2ban custom iptables rules

2010-06-10 Thread Chris Rowson
> Hi Chris,
>
> It certainly is. Attached are samples of my iptables-restore and fail2ban
> configs for hardy-based servers.

Hi Tyler,

Thanks for taking the time to share your config, I really appreciate it! :-)

Thanks,

Chris

-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/


[ubuntu-uk] fail2ban custom iptables rules

2010-06-09 Thread Chris Rowson
Hi folks,

I've been experimenting with using fail2ban to protect Internet facing servers.

I was wondering if it is possible to implement your own iptables rules
alongside fail2ban. For instance, I'd probably want to set up an
iptables rule that drops any inbound traffic not going to ICMP, HTTP,
HTTPS or SSH.

Does anyone know if it's possible to use your own rules alongside fail2ban?

Cheers,

Chris



Re: [ubuntu-uk] fail2ban custom iptables rules

2010-06-09 Thread Tyler J. Wagner
Hi Chris,

It certainly is. Attached are samples of my iptables-restore and fail2ban  
configs for hardy-based servers. My iptables config creates the fail2ban-ssh 
chain, so I've changed the iptables-multiport fail2ban action so that it 
doesn't. And I prefer that fail2ban only block NEW ssh sessions, not all 
existing, when it blocks an IP (good when I'm logged in and another staff 
person screws up logging in 5 times).

Regards,
Tyler

On Wednesday 09 June 2010 23:57:47 Chris Rowson wrote:
> Hi folks,
>
> I've been experimenting with using fail2ban to protect Internet facing
> servers.
>
> I was wondering if it is possible to implement your own iptables rules
> alongside fail2ban. For instance, I'd probably want to set up an
> iptables rule that drops any inbound traffic not going to ICMP, HTTP,
> HTTPS or SSH.
>
> Does anyone know if it's possible to use your own rules alongside fail2ban?
>
> Cheers,
>
> Chris
>
-- 
Political language - and with variations this is true of all political
parties, from Conservatives to Anarchists - is designed to make lies
sound truthful and murder respectable, and to give an appearance of
solidity to pure wind.
   -- George Orwell

# Fail2Ban configuration file
#
# 2008-07-31 tyler - modified for Talia use.
#   Talia firewalls already have fail2ban chains and call them in the
#   appropriate order.

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
#   not needed because our local firewall setup ensures chain exists
#actionstart = iptables -A fail2ban-<name> -j RETURN
actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -F fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
#   not needed because our local firewall setup ensures sane environment
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# 2008-07-24 tyler - customised Fail2Ban jail configuration file
#
# Changes here override defaults in jail.conf.  However, that file
# may be replaced during upgrade.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 6
banaction = iptables-multiport
protocol = tcp
action = %(action_)s

# All servers ban SSH.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log


# Enable the following on public mail servers only.
# Covers both POP/IMAP and webmail cracking.
# For web mail failures

[pam-generic]
enabled = false
filter = pam-generic
port = http,https
logpath = /var/log/auth.log

[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

# Generated by hand
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp -m multiport --dports 22,25,80,443,465,587,993,995 -j ACCEPT
COMMIT
# Completed on Fri May 5 10:23:01 BST 2006
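Tyler's setup depends on two things being true at the same time: the hand-written firewall declares the fail2ban-<name> chain (because the action file's actionstart is empty, nothing else will create it), and the ESTABLISHED,RELATED accept rule sits before the jump into that chain (which is why a ban only stops NEW SSH sessions and leaves his own logged-in session alive). The script below is an added example, not part of the thread or of fail2ban; it renders an action line the way fail2ban substitutes its `<name>` and `<ip>` tags and lints an iptables-restore ruleset for those two properties before it is loaded. The rulesets and the address 192.0.2.10 are constructed for the example; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): pre-deployment checks for a firewall
# that owns the fail2ban-<name> chain and an action file with empty actionstart.

# Substitute fail2ban's <name> and <ip> tags in an action line, as fail2ban
# does before executing it. Usage: render_action TEMPLATE NAME IP
render_action() {
    printf '%s\n' "$1" | sed -e "s/<name>/$2/g" -e "s/<ip>/$3/g"
}

# Succeeds when the ruleset declares the chain :fail2ban-NAME. With an empty
# actionstart nobody else creates it, so a missing declaration means every
# actionban would fail with "No chain/target/match by that name".
has_chain() {
    printf '%s\n' "$1" | grep -q -e "^:fail2ban-$2 - "
}

# Succeeds when the ESTABLISHED,RELATED accept rule precedes the jump into
# fail2ban-NAME. That ordering is what makes a ban drop only NEW sessions
# while already-open connections from the banned address keep working.
established_before_jump() {
    est=$(printf '%s\n' "$1" | grep -n -e '--state ESTABLISHED,RELATED -j ACCEPT' | head -n 1 | cut -d: -f1)
    jmp=$(printf '%s\n' "$1" | grep -n -e "-j fail2ban-$2" | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$jmp" ] && [ "$est" -lt "$jmp" ]
}

# Usage: lint_ruleset RULESET NAME ; prints "ok" or the first problem found.
lint_ruleset() {
    if ! has_chain "$1" "$2"; then
        echo "missing chain fail2ban-$2"
    elif ! established_before_jump "$1" "$2"; then
        echo "fail2ban-$2 jump precedes ESTABLISHED,RELATED accept"
    else
        echo "ok"
    fi
}

# Constructed ruleset in iptables-restore format, trimmed from the attachment.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT'

# Constructed counter-example: no chain declaration, and the jump is placed
# before the ESTABLISHED rule, so a ban would also cut a live admin session.
BAD_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

render_action 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP' ssh 192.0.2.10
lint_ruleset "$GOOD_RULES" ssh
lint_ruleset "$BAD_RULES" ssh
```

Run it against the real iptables-restore file with `lint_ruleset "$(cat /etc/iptables.rules)" ssh` (path assumed) before reloading; the chain name must match the jail name, since fail2ban builds `fail2ban-<name>` from the jail section header.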