Saturday, December 14, 2019

CentOS 7 - How To Install And Configure fail2ban On CentOS 7

How To Install And Configure fail2ban On CentOS 7


First, make sure you have fail2ban installed:

# yum install fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vodien.com
 * centos-sclo-rh: mirror.vodien.com
 * centos-sclo-sclo: mirror.vodien.com
 * epel: sg.fedora.ipserverone.com
 * extras: mirror.vodien.com
 * remi-php54: mirrors.thzhost.com
 * remi-php55: mirrors.thzhost.com
 * remi-php56: mirrors.thzhost.com
 * remi-php71: mirrors.thzhost.com
 * remi-safe: mirrors.thzhost.com
 * updates: mirror.vodien.com
Package fail2ban-0.9.7-1.el7.noarch already installed and latest version
Nothing to do

fail2ban is installed, but is it running?

# fail2ban-client status

ERROR  Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?

fail2ban is not running, so start it:

# service fail2ban start

Redirecting to /bin/systemctl start fail2ban.service

Check on the status of fail2ban:

# service fail2ban status
Redirecting to /bin/systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-12-04 08:25:24 HKT; 39s ago
     Docs: man:fail2ban(1)
  Process: 12578 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 12778 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 12781 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─12781 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Now that fail2ban is running, is it actually doing anything? It can only "jail" bad actors if at least one jail is enabled, so check the jail list:

# fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:


fail2ban is running, but it is not jailing anyone!

To start jailing bad actors, we need a custom jail file at /etc/fail2ban/jail.local:

How To Create A Custom jail.local File


# cd /etc/fail2ban
# cp jail.conf jail.local

With the jail.local file created, we need to make two changes to it:

A) Make sure that our own IP never gets blocked by fail2ban

B) Make sure that fail2ban begins overwatch on postfix

How To Find Out Your Own IP


Visit https://www.whatismyip.com/ (see REFERENCES) from the machine you connect from; the public address it reports is the one to add to ignoreip below.

How To Make Sure fail2ban Never Jails YOU


To make sure that fail2ban never jails you, add your IP address to the ignoreip directive in the jail.local file:

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
#
# 127.x.x.x   Is how this machine talks to itself (never ban)
# w.x.y.z     Is your IP address (if you connect to this machine remotely)
#
#ignoreip = 127.0.0.1/8

#
# GL  2019-12-04 added my public IP network (192.168.0.x) to ignoreip directive
#
# 127.x.x.x   Is how this machine talks to itself (never ban)
# w.x.y.z     Is your IP address (if you connect to this machine remotely)

ignoreip = 127.0.0.1/8, 192.168.0.0/24

Note that 192.168.0.0/24 is RFC 1918 private address space, so this entry whitelists the author's LAN; if you connect over the Internet, the address you want here is the public one you found above, not a 192.168.x.x address. Keep the entry as narrow as you can (a single host is written as w.x.y.z or w.x.y.z/32): anything listed in ignoreip is exempt from every jail, not just the postfix one.

How To Enable fail2ban Overwatch on postfix


The next thing to do is enable fail2ban overwatch on postfix.

Search for the [postfix] stanza in the jail.local file and make this change (only the enabled = true line is new; the port, logpath and backend lines are already there from jail.conf):

[postfix]
#
# GL  2019-12-04  Enabled fail2ban overwatch on postfix
#
enabled  = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
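Both edits (ignoreip under [DEFAULT], enabled = true under [postfix]) can be applied and checked without hand-editing the file. The Python script below is an added example written for this page, not code from the post or from the fail2ban project; it works on a constructed, cut-down stand-in for jail.conf embedded in the script, and the set_option, get_options and configure_jail_local helpers are names of my own. Run it against a copy of the real file, then dump what fail2ban actually loaded with fail2ban-client -d before restarting.

```python
# Added example (written for this page; not code from the original post or from the
# fail2ban project): apply the post's two jail.local edits programmatically and
# idempotently, so the change can be reviewed, re-run and checked before restarting.
import re

SECTION = re.compile(r"^\[(.+?)\]\s*$")


def _section_bounds(lines, section):
    """Return (start, end) line indexes of [section]; end is the next header or EOF."""
    start = None
    for i, line in enumerate(lines):
        m = SECTION.match(line)
        if m and m.group(1) == section:
            start = i
            break
    if start is None:
        raise ValueError(f"section [{section}] not found")
    end = next((i for i in range(start + 1, len(lines)) if SECTION.match(lines[i])),
               len(lines))
    return start, end


def set_option(text, section, key, value):
    """Set `key = value` inside [section]: rewrite an active `key = ...` line if one
    exists, else insert one directly under the header. Commented-out lines such as
    '#ignoreip = 127.0.0.1/8' are documentation and are left untouched."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, section)
    active = re.compile(rf"^\s*{re.escape(key)}\s*=")
    for i in range(start + 1, end):
        if active.match(lines[i]):
            lines[i] = f"{key} = {value}"
            break
    else:
        lines.insert(start + 1, f"{key} = {value}")
    return "\n".join(lines) + "\n"


def get_options(text, section):
    """Active (uncommented) key/value pairs of [section], as fail2ban would read them."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, section)
    opts = {}
    for line in lines[start + 1:end]:
        m = re.match(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def configure_jail_local(text, my_address, jails=("postfix",)):
    """The post's two edits: never ban loopback or my_address, and enable the given
    jails. Running it twice yields the same file."""
    text = set_option(text, "DEFAULT", "ignoreip", f"127.0.0.1/8 {my_address}")
    for jail in jails:
        text = set_option(text, jail, "enabled", "true")
    return text


# Constructed, cut-down stand-in for /etc/fail2ban/jail.conf (the real file is far longer)
SAMPLE_JAIL_CONF = """\
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host.
#ignoreip = 127.0.0.1/8
bantime  = 600
findtime  = 600
maxretry = 5
enabled = false

[sshd]
port    = ssh
logpath = %(sshd_log)s

[postfix]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
"""

if __name__ == "__main__":
    new = configure_jail_local(SAMPLE_JAIL_CONF, "192.168.0.0/24")  # the post's network
    assert new == configure_jail_local(new, "192.168.0.0/24")       # idempotent
    print(new)
```

The sshd stanza in the sample is there to show that enabled = true lands only in the section you name; the global enabled = false under [DEFAULT] stays as it is.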

How To Restart The fail2ban Service


# service fail2ban restart
Redirecting to /bin/systemctl restart fail2ban.service

How To Verify That The fail2ban Service Is Running


# service fail2ban status
Redirecting to /bin/systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-12-04 08:51:41 HKT; 9s ago
     Docs: man:fail2ban(1)
  Process: 14867 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 14870 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 14873 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─14873 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

How To Verify That The fail2ban Jail for postfix Is Running


# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   postfix

How To See Who fail2ban Has Put In The postfix Jail


# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Apparently, a remote mail server is spamming/hammering my mail server.  They are filling my mail server log, which is located at /var/log/maillog, with the following messages:

Dec  4 08:59:06 postfix/smtpd[15358]: disconnect from unknown[142.147.97.139]
Dec  4 08:59:06 postfix/smtpd[15355]: connect from unknown[142.147.97.139]
Dec  4 08:59:12 postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <reservas@as58436.net>: Sender address rejected: Domain not found; from=<reservas@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:12 postfix/smtpd[15355]: lost connection after MAIL from unknown[142.147.97.139]
Dec  4 08:59:12 postfix/smtpd[15355]: disconnect from unknown[142.147.97.139]
Dec  4 08:59:12 postfix/smtpd[15358]: connect from unknown[142.147.97.139]
Dec  4 08:59:18 postfix/smtpd[15358]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <pedidos@as58436.net>: Sender address rejected: Domain not found; from=<pedidos@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:18 postfix/smtpd[15358]: lost connection after MAIL from unknown[142.147.97.139]
Dec  4 08:59:18 postfix/smtpd[15358]: disconnect from unknown[142.147.97.139]
Dec  4 08:59:18 postfix/smtpd[15355]: connect from unknown[142.147.97.139]
Dec  4 08:59:24 postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[142.147.97.139]: 450 4.1.8 <fuyanhui@as58436.net>: Sender address rejected: Domain not found; from=<fuyanhui@as58436.net> proto=ESMTP helo=<WIN-SBBTRRJPLDN>
Dec  4 08:59:24 postfix/smtpd[15355]: lost connection after MAIL from unknown[142.147.97.139]
Dec  4 08:59:24 postfix/smtpd[15355]: disconnect from unknown[142.147.97.139]
Dec  4 08:59:24 postfix/smtpd[15358]: connect from unknown[142.147.97.139]

Where is this machine and who owns it?

How To Find The Location Of An IP Address

To find the location of the machine with IP address 142.147.97.139, install the GeoIP package and use the geoiplookup command it provides:

# yum install geoip
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vodien.com
 * centos-sclo-rh: mirror.vodien.com
 * centos-sclo-sclo: mirror.vodien.com
 * epel: sg.fedora.ipserverone.com
 * extras: mirror.vodien.com
 * remi-php54: mirrors.thzhost.com
 * remi-php55: mirrors.thzhost.com
 * remi-php56: mirrors.thzhost.com
 * remi-php71: mirrors.thzhost.com
 * remi-safe: mirrors.thzhost.com
 * updates: mirror.vodien.com
Package GeoIP-1.5.0-14.el7.x86_64 already installed and latest version
Nothing to do
# geoiplookup 142.147.97.139
GeoIP Country Edition: US, United States

How To Find Out Who Owns An IP Address

# whois 142.147.97.139

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#



# start

NetRange:       142.147.96.0 - 142.147.99.255
CIDR:           142.147.96.0/22
NetName:        HEYMMAN-5
NetHandle:      NET-142-147-96-0-1
Parent:         NET142 (NET-142-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS64236
Organization:   Heymman Servers Corporation (HSC-180)
RegDate:        2015-03-18
Updated:        2019-11-10
Ref:            https://rdap.arin.net/registry/ip/142.147.96.0


OrgName:        Heymman Servers Corporation
OrgId:          HSC-180
Address:        1120 Finch Ave. W, Suite 701
City:           Toronto
StateProv:      ON
PostalCode:     M3J 3H7
Country:        CA
RegDate:        2019-01-09
Updated:        2019-03-05
Ref:            https://rdap.arin.net/registry/entity/HSC-180


OrgTechHandle: ADMIN5601-ARIN
OrgTechName:   Administration
OrgTechPhone:  +1-438-495-6967
OrgTechEmail:  contact@heymman.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

OrgAbuseHandle: ADMIN5601-ARIN
OrgAbuseName:   Administration
OrgAbusePhone:  +1-438-495-6967
OrgAbuseEmail:  contact@heymman.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

OrgNOCHandle: ADMIN5601-ARIN
OrgNOCName:   Administration
OrgNOCPhone:  +1-438-495-6967
OrgNOCEmail:  contact@heymman.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

# end


# start

NetRange:       142.147.97.128 - 142.147.97.255
CIDR:           142.147.97.128/25
NetName:        HEYMMAN-5-2-2
NetHandle:      NET-142-147-97-128-1
Parent:         HEYMMAN-5 (NET-142-147-96-0-1)
NetType:        Reassigned
OriginAS:       AS19969
Customer:       Heymman Servers (C06041762)
RegDate:        2016-02-13
Updated:        2019-05-16
Ref:            https://rdap.arin.net/registry/ip/142.147.97.128


CustName:       Heymman Servers
Address:        324 E 11th St #1000
City:           Kansas City
StateProv:      MO
PostalCode:     64106
Country:        US
RegDate:        2016-02-13
Updated:        2016-02-13
Ref:            https://rdap.arin.net/registry/entity/C06041762

OrgTechHandle: ADMIN5601-ARIN
OrgTechName:   Administration
OrgTechPhone:  +1-438-495-6967
OrgTechEmail:  contact@heymman.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

OrgAbuseHandle: ADMIN5601-ARIN
OrgAbuseName:   Administration
OrgAbusePhone:  +1-438-495-6967
OrgAbuseEmail:  contact@heymman.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

OrgNOCHandle: ADMIN5601-ARIN
OrgNOCName:   Administration
OrgNOCPhone:  +1-438-495-6967
OrgNOCEmail:  contact@heymman.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/ADMIN5601-ARIN

# end



#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#


So, if you like, you can send an email to contact@heymman.com (the abuse contact in the whois record above) and let them know that one of their machines is sending out a lot of email, which looks suspiciously like a spam bot.

Or, you can just ban them from bugging your server.

How To Put Someone In The postfix Jail


# fail2ban-client set postfix banip 142.147.97.139
142.147.97.139

fail2ban echoes the address it banned. A manual ban is subject to the jail's bantime just like an automatic one, so it expires unless the host keeps tripping the filter.

How To Confirm Someone Is In The postfix Jail


# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     35
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   142.147.97.139
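To make the mechanics behind that status output concrete, here is an added Python example (written for this page, not code from the original post or from the fail2ban project). It re-implements the jail's decision offline: the ignoreip whitelist from the jail.local edit above, a simplified stand-in for the postfix filter's "Sender address rejected" match (assumed, modelled on the maillog lines above, not fail2ban's own filter.d/postfix.conf), and the maxretry/findtime sliding window with the jail.conf defaults of 5 failures within 600 seconds. The log lines it runs over are constructed and embedded in the script.

```python
# Added example (written for this page; not code from the original post or from the
# fail2ban project): an offline re-implementation of the postfix jail's decision, so you
# can see why the maillog lines above lead to a ban and why ignoreip keeps you out of it.
import calendar
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# jail.conf defaults in fail2ban 0.9.x: MAXRETRY failures within FINDTIME seconds => ban
MAXRETRY = 5
FINDTIME = 600
# The ignoreip line from the post's jail.local
IGNOREIP = "127.0.0.1/8, 192.168.0.0/24"

# Constructed regex modelled on the "450 4.1.8 ... Sender address rejected" lines in the
# post. It is a simplified stand-in for fail2ban's filter.d/postfix.conf, not a copy of it.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+\[(?P<host>[0-9.]+)\]: "
    r"450 4\.1\.8 <[^>]*>: Sender address rejected"
)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ignoreip(value):
    """Split a jail.conf ignoreip value (space and/or comma separated) into networks."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in re.split(r"[\s,]+", value.strip()) if tok]


def is_ignored(host, networks):
    """True if host lies inside any ignoreip network; fail2ban never bans those."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def parse_time(line, year=2019):
    """Epoch seconds for a syslog 'Mon DD HH:MM:SS' prefix. The year is assumed because
    syslog timestamps carry none; 2019 matches the post's excerpt."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())          # 'Dec  4' -> 'Dec 4'
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(dt.timetuple())


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Replay log lines through the jail logic.

    Returns (banned, failures, ignored): banned maps host -> epoch second at which the
    ban would start; failures maps host -> lines the filter matched (fail2ban's
    'Total failed'); ignored is the set of matching hosts skipped because of ignoreip.
    """
    networks = parse_ignoreip(ignoreip)
    recent = defaultdict(deque)      # host -> failure times inside the findtime window
    failures, banned, ignored = defaultdict(int), {}, set()
    for line in lines:
        m = FAILREGEX.search(line)
        ts = parse_time(line)
        if not m or ts is None:
            continue                  # not a failure this filter cares about
        host = m.group("host")
        if is_ignored(host, networks):
            ignored.add(host)         # whitelisted: logged as ignored, never counted
            continue
        failures[host] += 1
        if host in banned:
            continue                  # already banned; nothing more to decide
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned, dict(failures), ignored


def reject_line(stamp, host, sender):
    """Build a constructed maillog line in the shape of the post's excerpt."""
    return (f"{stamp} postfix/smtpd[15355]: NOQUEUE: reject: MAIL from unknown[{host}]: "
            f"450 4.1.8 <{sender}>: Sender address rejected: Domain not found; "
            f"from=<{sender}> proto=ESMTP helo=<WIN-SBBTRRJPLDN>")


# Constructed sample log (not real traffic): the post's sender with six rejects in 30 s,
# an address inside the author's ignoreip network, and a host whose five rejects are too
# spread out to fit in one findtime window.
SAMPLE_LOG = sorted(
    ["Dec  4 08:59:06 postfix/smtpd[15355]: connect from unknown[142.147.97.139]"]
    + [reject_line(f"Dec  4 08:59:{s:02d}", "142.147.97.139", "reservas@as58436.net")
       for s in (12, 18, 24, 30, 36, 42)]
    + [reject_line(f"Dec  4 09:00:{s:02d}", "192.168.0.10", "me@example.invalid")
       for s in (0, 6, 12, 18, 24)]
    + [reject_line(f"Dec  4 {t}", "203.0.113.7", "slow@example.invalid")
       for t in ("08:30:00", "08:31:00", "08:32:00", "08:45:00", "08:46:00")],
    key=parse_time,
)

if __name__ == "__main__":
    banned, failures, ignored = evaluate(SAMPLE_LOG)
    for host, count in sorted(failures.items()):
        print(f"{host:>16}  matched={count}  {'BANNED' if host in banned else 'not banned'}")
    print("ignored:", ", ".join(sorted(ignored)))
```

The third host is the interesting one: it produces five rejects in total, but never five inside any 600-second window, so it is never banned with the defaults and would be with a longer findtime. That is the trade-off behind the findtime and maxretry values in jail.local.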

How To Configure fail2ban To Start Automatically

We want the fail2ban service to start automatically, on server boot or reboot.  

First, check the enabled | disabled flag on the service:

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-12-04 09:47:34 HKT; 9min ago
     Docs: man:fail2ban(1)
 Main PID: 18908 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─18908 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

In this case, the fail2ban service is disabled, meaning it would need to be started manually after a system (re)boot.  That's not the behaviour we want, so we do the following to enable the fail2ban service at system boot:

# systemctl enable fail2ban
# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-12-04 09:47:34 HKT; 8min ago
     Docs: man:fail2ban(1)
 Main PID: 18908 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─18908 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Restarting


fail2ban will completely bog down your web server if you don't restart it somewhat frequently.  The symptom is incredibly slow page loads that resemble a networking or I/O problem.  Restarting fail2ban fixes this and, in my case, a restart once every hour via cron solved the problem.

Use the crontab -e command to edit root's crontab, then enter something like this:

#  GL 2019-12-09  fail2ban bogs down if it is not restarted frequently
#                 Every hour of every day

*/60 * * * * /bin/systemctl restart fail2ban.service

In the minute field, */60 only ever matches minute 0, so this entry runs at the top of every hour; the conventional spelling of the same schedule is 0 * * * *. The hourly restart does not wipe the banned list: fail2ban 0.9 records bans in its database (/var/lib/fail2ban/fail2ban.sqlite3 by default) and restores the ones still in force when it starts.

That's it!



REFERENCES:

https://ma.ttias.be/enable-disable-service-at-boot-on-centos-7/

https://www.whatismyip.com/

https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban

https://gist.github.com/kamermans/1076290

https://serverfault.com/questions/501555/how-to-detect-and-prevent-postfix-from-dishing-out-spam-email-from-compromised-m
