Fail2ban

Adding support for Fail2ban is long overdue; it has been included in several other control panels like Plesk. This should be added, and it's the individual's choice. We need better tools to stop individuals from abusing our networks' resources.

Hi ptaylor1984

I have thought about your post since reading it, and I was not sure if I should post myself, but here goes

Your post sounds like a feature request, and should be posted on the ideas page, where it can be voted on. Interworx.com/ideas

You can immediately take action against abuses by installing BFD; there are good posts on the forum on how to do this.

Many thanks

John

What is BFD


What is BFD, and do you have the link for it? I still like fail2ban; it does a very good job taking care of the users that abuse your network.

Hi ptaylor1984

Many thanks, and here’s the post for installing BFD (brute force detection)

Just set the values to your desired levels, and it works lovely.

Many thanks

John

http://forums.interworx.com/showpost.php?p=25260

Nothing about making this political; adding fail2ban support leaves it up to the admins as an option to use it or not, but at least they have the tools to do their job. Fail2ban has more options than what you recommended.

I did not see any filter for qmail for BFD.


Filter? For email? Use SpamAssassin: /nodeworx/mail/spam

Hi Michael

I'm sorry, I think they want to ban IPs which fail when attempting to log in to qmail or use the qmail service.

Unfortunately, they have either not understood BFD or have not checked any rule sets; if they had, they would realise that it does check qmail. Or I suppose they may not have left it running long enough to see it in the logs, or have the bans on attempted fails emailed out.

Many thanks

John

You could of course just install fail2ban yourself, it works well.

Hi,

I'm using the latest InterWorx version with CentOS 7, and to improve my server security I am thinking of installing Fail2Ban.

If anyone is using it, can you please tell me if it causes any problem with InterWorx, or if there is any special configuration to make for InterWorx compared with a regular Fail2Ban installation, as for example described at: https://www.linode.com/docs/security/using-fail2ban-for-security

Thanks

Hi nqservices

I personally prefer BFD, but please see Johan's thread on fail2ban

Many thanks

John

Fail2Ban

http://forums.interworx.com/showthread.php?t=8187

From the post link you sent me, it seems that Fail2Ban requires custom modifications in order to work properly with InterWorx.

I'm looking for something similar that does not require custom changes on InterWorx. So about BFD: can I install it using the standard process, or are there some custom changes that need to be made for it to work properly with InterWorx?

Thanks

Hi nqservices

Yes, BFD is easy to install, with only minor changes to the BFD conf to set up your email address for notifications and whitelist your IP ranges so you do not lock yourself out.

If I have time tomorrow I'll post how I install it, or you can look up cleverwise's thread for BFD.

Many thanks

John

Hi John,

That is great! I will wait until you have the time to post a BFD thread.

Once again thanks for the help!

Hi Nqservices
Many thanks, and please see below my commands, with which I have just installed BFD onto a server.
There are only 2 parts you need to configure, as follows:
[root@myserve bfd-1.5-2]# vi /usr/local/bfd/conf.bfd - change email alerts to 1 and set your email address to your chosen email address (if you want to be notified when BFD takes action), and change the TRIG value to meet your criteria (the number set for TRIG is the trigger number to run the ban, i.e. it counts the failed attempts and when it reaches the TRIG value, it bans the IP address).
[root@myserve bfd-1.5-2]# vi /usr/local/bfd/ignore.hosts - add all the IP addresses you do not want banned.
BFD will run every 3 minutes but could be changed to run at your cron interval.
I hope that helps
Many thanks
John
[root@myserve ~]# cd /opt
[root@myserve opt]# ls
dell improved-ioncube.sh lsi
epel-release-6-8.noarch.rpm ioncube remi-release-6.rpm
[root@myserve opt]# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
--2016-08-04 11:06:19-- http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Resolving www.rfxnetworks.com… 129.121.132.46
Connecting to www.rfxnetworks.com|129.121.132.46|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 21541 (21K) [application/x-gzip]
Saving to: “bfd-current.tar.gz”
100%[======================================>] 21,541 --.-K/s in 0.1s
2016-08-04 11:06:20 (178 KB/s) - “bfd-current.tar.gz” saved [21541/21541]
[root@myserve opt]# ls
bfd-current.tar.gz epel-release-6-8.noarch.rpm ioncube remi-release-6.rpm
dell improved-ioncube.sh lsi
[root@myserve opt]# tar -xpf bfd-current.tar.gz
[root@myserve opt]# ls
bfd-1.5-2 epel-release-6-8.noarch.rpm lsi
bfd-current.tar.gz improved-ioncube.sh remi-release-6.rpm
dell ioncube
[root@myserve opt]# cd bfd-1.5.2
-bash: cd: bfd-1.5.2: No such file or directory
[root@myserve opt]# cd bfd-1.5-2
[root@myserve bfd-1.5-2]# ls
CHANGELOG cron files install.sh README uninstall.sh
COPYING.GPL cron.daily importconf logrotate.d.bfd stats
[root@myserve bfd-1.5-2]# ./install.sh
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
[root@myserve bfd-1.5-2]# vi /usr/local/bfd/conf.bfd
[root@myserve bfd-1.5-2]# vi /usr/local/bfd/ignore.hosts
[root@myserve bfd-1.5-2]# /usr/local/sbin/bfd -s
Brute Force Detection v1.5-2 <bfd@r-fx.org>
© 1999-2014, R-fx Networks <proj@r-fx.org>
© 2014, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
Aug 4 11:14:04 myserve bfd(9850): processing rule file asterisk_badauth
Aug 4 11:14:04 myserve bfd(9850): processing rule file asterisk_iax
Aug 4 11:14:04 myserve bfd(9850): processing rule file asterisk_nopeer
Aug 4 11:14:04 myserve bfd(9850): processing rule file courier
Aug 4 11:14:04 myserve bfd(9850): processing rule file cpanel
Aug 4 11:14:04 myserve bfd(9850): processing rule file dovecot
Aug 4 11:14:04 myserve bfd(9850): processing rule file exim_authfail
Aug 4 11:14:04 myserve bfd(9850): processing rule file exim_nxuser
Aug 4 11:14:04 myserve bfd(9850): processing rule file modsec
Aug 4 11:14:04 myserve bfd(9850): processing rule file openvpnas
Aug 4 11:14:04 myserve bfd(9850): processing rule file postfix
Aug 4 11:14:04 myserve bfd(9850): processing rule file proftpd
Aug 4 11:14:04 myserve bfd(9850): processing rule file pure-ftpd
Aug 4 11:14:04 myserve bfd(9850): processing rule file rh_imapd
Aug 4 11:14:04 myserve bfd(9850): processing rule file rh_ipop3d
Aug 4 11:14:04 myserve bfd(9850): processing rule file sendmail
Aug 4 11:14:04 myserve bfd(9850): processing rule file sshd
Aug 4 11:14:04 myserve bfd(9850): processing rule file vpopmail
Aug 4 11:14:04 myserve bfd(9850): processing rule file vsftpd
Aug 4 11:14:04 myserve bfd(9850): processing rule file vsftpd2
[root@myserve bfd-1.5-2]#
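The two edits John lists above (email alerts plus TRIG in conf.bfd, and your own addresses in ignore.hosts) are the only ones he describes, and the one he warns about is the whitelist, because the first IP BFD sees failing logins from can easily be your own. The script below is an added example, not John's commands or BFD's own code: it makes those edits on a copy of the files and refuses to turn alerts and the trigger on until the address you are connected from over SSH is already in ignore.hosts. It assumes conf.bfd uses the variable names EMAIL_ALERTS, EMAIL_ADDRESS and TRIG as plain shell assignments, that ignore.hosts is one IPv4 address or CIDR per line, and that the install path is /usr/local/bfd; the addresses used are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not from John's post or BFD): apply the conf.bfd and ignore.hosts
# edits described in the thread, guarded against locking yourself out.
# Assumptions: conf.bfd variable names EMAIL_ALERTS, EMAIL_ADDRESS, TRIG;
# ignore.hosts holds one IPv4 address or CIDR per line; default path below.

BFD_DIR="${BFD_DIR:-/usr/local/bfd}"

# set_conf VAR VALUE FILE : rewrite VAR="..." in a shell-style conf file, appending
# the assignment if the variable is not present yet (keeps file ownership/mode).
set_conf() {
    var=$1; val=$2; file=$3
    if grep -q "^${var}=" "$file"; then
        scratch=$(mktemp) || return 1
        sed "s|^${var}=.*|${var}=\"${val}\"|" "$file" > "$scratch" && cat "$scratch" > "$file"
        rm -f "$scratch"
    else
        printf '%s="%s"\n' "$var" "$val" >> "$file"
    fi
}

# whitelist IP FILE : add an IPv4 address or CIDR to ignore.hosts exactly once.
# Anything outside [0-9./] is rejected so a stray string cannot land in the file
# (IPv6 is deliberately not accepted by this check).
whitelist() {
    ip=$1; file=$2
    case "$ip" in
        *[!0-9./]*|"") echo "refusing to whitelist '$ip'" >&2; return 1 ;;
    esac
    grep -qxF "$ip" "$file" 2>/dev/null || echo "$ip" >> "$file"
}

# is_whitelisted IP FILE : exact line match only; an address covered by a CIDR
# entry is not recognised, so list the address you connect from explicitly.
is_whitelisted() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# configure_bfd EMAIL TRIG [IP ...] : whitelist the given addresses, then check
# that the SSH client address (first field of sshd's $SSH_CONNECTION) is
# whitelisted before enabling alerts and setting the trigger count.
configure_bfd() {
    email=$1; trig=$2; shift 2
    for ip in "$@"; do
        whitelist "$ip" "$BFD_DIR/ignore.hosts" || return 1
    done
    client=${SSH_CONNECTION%% *}
    if [ -n "$client" ] && ! is_whitelisted "$client" "$BFD_DIR/ignore.hosts"; then
        echo "your SSH client $client is not in ignore.hosts; aborting" >&2
        return 1
    fi
    set_conf EMAIL_ALERTS 1 "$BFD_DIR/conf.bfd" &&
    set_conf EMAIL_ADDRESS "$email" "$BFD_DIR/conf.bfd" &&
    set_conf TRIG "$trig" "$BFD_DIR/conf.bfd"
}

# usage (as root on the server, after ./install.sh):
#   configure_bfd admin@example.com 20 203.0.113.5 192.0.2.0/24
```

Run it from the SSH session you administer the box from, so $SSH_CONNECTION carries the address that must not be banned; if you are on the console instead, pass your management addresses explicitly and the guard is skipped. The check is an exact match, which is why the usage line lists the single address as well as the range.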

Hi John,

Thanks so much for the BFD tutorial! I will try and install it on my IW servers.

Hi John,

Already tried on one of my servers and all seems to be working great with BFD.

I just have 2 questions:

1- Do you know if there is any way I can enable automatic updates on BFD? Or do I manually have to check and update when new versions are released?

2- If I change my SSH default port from 22 to another, for example 53645, will I need to change any setting on BFD? Or will BFD automatically monitor for brute-force attacks on the new SSH port?

Thanks

Hi Nqservices
Many thanks, and glad it's working for you.
No, BFD does not auto-update, but in reality there is no real need to update the program. You can periodically check the rfx website, but please do not be surprised if no update is available.
Yes, if you change any ports used for services, you would need to change the rule name to the correct port you changed to, then restart BFD.
e.g. SSH port changed to 5442: the current SSH rule for BFD uses port 22, so you edit the SSH rule, change the port from 22 to 5442, save and restart BFD.
You can add or edit any of the BFD rules; Justec created a lovely rule for WP, but you may need to read further about rules in order to understand them, and please remember to test any new rules on a test server first.
If you do create any new rules, you may want to share them on the IW forums, so they may help others.
I hope that helps
Many thanks
John

Hi John,

Thanks for the information. Can you share how you did the rule for WP admin?

Also, it would be nice to have a rule for the NodeWorx login page; what do you think?

I will investigate more about this from my end.

Thanks

Hi nqservices

Many thanks, and I'll look up justec's post on wp-admin and post the link tomorrow, or you can search the forum.

Yes, probably a good idea for that rule, but please remember most attackers attack more than 1 service, so they are usually caught.

Many thanks

John

Hi nqservices

Sorry, please see justec's thread

Many thanks

John

# BFD Custom Rule to check apache logs for Wordpress failed logins

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="100"

# file must exist for rule to be active
REQ="/home/site/var/site.org/logs/transfer.log"

if [ -f "$REQ" ]; then
    # log file BFD will scan, and the tlog tracking-file name for this rule
    LP="/home/site/var/site.org/logs/transfer.log"
    TLOG_TF="site-httpd"

    ## HTTPD
    # $TLOG_PATH is BFD's tlog helper; it returns the lines added since the last run
    ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E 'POST /wp-login.php HTTP/1.0" 404' | awk '{print $1}'`
fi

This is what I have put in for a single site as a test. For REQ I just used the same as the logfile, so as long as the log exists, it will scan it.

So basically the script looks for the wp-login.php 404, and if it finds it then prints (returns) the first column, which is the IP address.

http://forums.interworx.com/showpost.php?p=26528
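To see what that ARG_VAL pipeline actually hands back to BFD, the added example below (not justec's rule, not BFD's code) runs the same sed/grep/awk chain over a constructed Apache-style transfer.log and then applies a TRIG-style per-address count on top, which is the part BFD does for you once the rule returns its list of addresses. The log lines, the addresses (documentation ranges) and the threshold are all made up for the example; in a real rule the input comes from $TLOG_PATH, which returns only the lines added since the previous run rather than the whole file.

```shell
#!/bin/sh
# Added example (not from justec's post or BFD): the rule's extraction pipeline
# run over a constructed log, followed by a TRIG-style count per address.

# Constructed stand-in for /home/site/var/site.org/logs/transfer.log: three
# HTTP/1.0 POST 404s from one host, one IPv4-mapped address, one GET, and one
# HTTP/1.1 POST that returned 200.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [04/Aug/2016:11:14:04 +0100] "POST /wp-login.php HTTP/1.0" 404 1032 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2016:11:14:05 +0100] "POST /wp-login.php HTTP/1.0" 404 1032 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2016:11:14:06 +0100] "POST /wp-login.php HTTP/1.0" 404 1032 "-" "Mozilla/5.0"
::ffff:198.51.100.2 - - [04/Aug/2016:11:15:00 +0100] "POST /wp-login.php HTTP/1.0" 404 1032 "-" "curl/7.29"
198.51.100.2 - - [04/Aug/2016:11:15:01 +0100] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Aug/2016:11:16:00 +0100] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
EOF
}

# matching_ips : the rule's ARG_VAL chain as written in the post. Strip the
# IPv4-mapped prefix Apache can log, keep only POST /wp-login.php over
# HTTP/1.0 that got a 404, and print the client address (first field).
matching_ips() {
    sed -e 's/::ffff://' \
    | grep -E 'POST /wp-login.php HTTP/1.0" 404' \
    | awk '{print $1}'
}

# offenders TRIG : addresses whose hit count reaches TRIG, one per line.
# This stands in for the counting BFD does against TRIG before it runs
# BAN_COMMAND; the rule itself only returns the address list.
offenders() {
    trig=$1
    matching_ips | sort | uniq -c | awk -v t="$trig" '$1 >= t {print $2}'
}

# usage: sample_log | offenders 3        (prints 203.0.113.7)
```

Two things the sample makes visible: the sed step is what lets the ::ffff: line count against 198.51.100.2 rather than an address BFD could not ban, and the grep is literal about the HTTP version and the status code, so the HTTP/1.1 and 200 lines pass through unmatched. Adjust the pattern to whatever your own web server actually logs for a failed wp-login.php attempt before trusting the counts.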