Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

per minute correct?

Sorry for the trouble George

Any command to clear all "Added by Fail2Ban" entries from /etc/csf/csf.deny ?

I just try:

Code:

sed '/Added by Fail2Ban/d' /etc/csf/csf.deny

but it didn't work

---

Thank you

 

One last question:

Did you test the mail function when is banning a user if it works or should i look around to configure it myself?

for example this one:

Code:

sendmail-whois[name=xmlrpc, dest=root]

Thank you

 

Sorry to write. But I have not read the 6 pages with comments.
Why use CSF and Fail2ban at the same time?

CSF does use a Daemon process that checks for login authentication failures for, just like Fail2ban.
Also you could block bad hosts or bots just like Fail2ban.

Is it because of the ability to add own filters/jails to Fail2ban?
So you could create an ideal mix between both.

 

After testing it better now I want say that it works great and the way that it works with csf and Cloudflare is amazing!!!

Also it is very easy to add a custom rule ....

Thanks George !!!!

 

That's all info that i collect around for the mail function:

Code:

sendmail-whois[name=SSH, dest=root, sender=fail2ban@domain.com]

change at config:

Code:

action = %(action_)s

to

Code:

action = %(action_mwl)s

or

Code:

action = %(action_mw)s

You will also need to adjust the action setting, which defines what actions occur when the threshold for ban is met.
The default, %(action_)s, only bans the user. %(action_mw)s will ban and send an email with a WhoIs report; while %(action_mwl)s
will ban and send an email with the WhoIs report and all relevant lines in the log file.

You should change

Code:

mta = sendmail

to

Code:

mta = mail

But today i don't have time to test it

Don't know if you can see anything wrong on that info that will not work with Centminmod setup and postifix so i can avoid that parameter .... ?

 

Ok i got a few minutes to test it

So email function is not working on default installation setup.

I was able to fix this by editing:

Code:

/etc/fail2ban/jail.local

and i add on top at the defaults settings this:

Code:

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
#mta = sendmail
mta = mail

Then i use this line for the email alert:

Code:

mail-whois[name=JailName, dest=myemail@gmail.com, sender=fail2ban@mydomain.com]

Then after restarting fail2ban i was able to get email notifications

The only issues that it has now is:

1)Email title has:

Code:

from localhost.localdomain

Don't know how to set that to hostname

2)In the email there is a warning for missing whois software:

Code:

missing whois program

I did try to install it like: yum install whois

but it doesn't locate it so it can use it

I also try yum install jwhois and got:

Code:

[Querying whois.ripe.net]
[Unable to connect to remote host]
missing whois program

If you can fix those two issues it will be great !!!!!!

Thank you

 

Until you got some time to do your checks for the two above issues i think it will be good to do some edits that will help a lot...

So i want to recommend

Add at /etc/fail2ban/jail.local defaults on top (with some comments maybe):

Code:

mta = mail
dest=myemail@gmail.com
sender=fail2ban@mydomain.com

and on the same file at all jail rules on bottom of the action option this:

Code:

mail[name=SSH, dest=what the user has set on top of the file, sender=what the user has set on top of the file]

Like this:

action = csfdeny[name=http-xensec]

Code:

mail[name=SSH, dest=what the user has set on top of the file, sender=what the user has set on top of the file]

But all those lines under the action must be commented and the user must enable which one he want to

 

Also how can i totally disable startup for fail2ban as when i stop it after the server restart it is up and running ....?

 

That's the info that i found that may help with the hostname on email subject:

Code:

https://github.com/fail2ban/fail2ban/issues/1653
https://github.com/fail2ban/fail2ban/issues/1859
https://blog.pregos.info/2014/05/10/fail2ban-hostname-im-subject-emails-vom-01-01-1970/

One of them has a related fix at the latest 0.11 ....Don't know if that's the issue now ....

Hope that help....

 

In case that i change my mind and i don't want to use it any more.....So if i just stop it then after restart it will auto start and i will not even remember that

I will wait for your edits/fixes

Thank you !!!

 

After checking a bit the Nginx get f5 option i think we can re enable it as default but with a higher value at 25 - 30

So if you want re enable it as default please with a higher value as it may be useful ....

Thank you

 

I just try to install it on a new server and failed

Code:

CentOS Linux release 7.3.1611 (Core) - Dedicated server

Code:

mkdir -p /root/tools
cd /root/tools
git clone https://github.com/centminmod/centminmod-fail2ban
cd centminmod-fail2ban
./fail2ban.sh install

Error at the installation:

Code:

cp: cannot stat ‘/svr-setup/fail2ban/files/fail2ban.service’: No such file or directory

and at the end:

Code:

Failed to stop fail2ban.service: Unit fail2ban.service not loaded.
Failed to start fail2ban.service: Unit not found.
Failed to execute operation: No such file or directory

Unit fail2ban.service could not be found.

 Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?

It looks like that the automated setup is missing some commands from the manual installation instructions... ?

 

Yup

The first time i was run first the manual installation commands so i didn't have that issue....

Now that i try it on the second server using the automated way only i got that issue