Hi Chris,

It certainly is. Attached are samples of my iptables-restore and fail2ban configs for hardy-based servers. My iptables config creates the fail2ban-ssh chain, so I've changed the iptables-multiport fail2ban action so that it doesn't. And I prefer that fail2ban only block NEW ssh sessions, not all existing, when it blocks an IP (good when I'm logged in and another staff person screws up logging in 5 times).
Regards,
Tyler

On Wednesday 09 June 2010 23:57:47 Chris Rowson wrote:
> Hi folks,
>
> I've been experimenting with using fail2ban to protect Internet facing
> servers.
>
> I was wondering if it is possible to implement your own iptables rules
> alongside fail2ban. For instance, I'd probably want to set up an
> iptables rule that drops any inbound traffic not going to ICMP, HTTP,
> HTTPS or SSH.
>
> Does anyone know if it's possible to use your own rules alongside fail2ban?
>
> Cheers,
>
> Chris
> --
> "Political language - and with variations this is true of all political
> parties, from Conservatives to Anarchists - is designed to make lies sound
> truthful and murder respectable, and to give an appearance of solidity to
> pure wind." -- George Orwell
# Fail2Ban configuration file
#
# 2008-07-31 tyler - modified for Talia use.
# Talia firewalls already have fail2ban chains and call them in the
# appropriate order.

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# not needed because our local firewall setup ensures chain exists
#actionstart = iptables -A fail2ban-<name> -j RETURN
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -F fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# not needed because our local firewall setup ensures sane environment
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# 2008-07-24 tyler - customised Fail2Ban jail configuration file
#
# Changes here override defaults in jail.conf. However, that file
# may be replaced during upgrade.

[DEFAULT]
ignoreip  = 127.0.0.1/8
bantime   = 600
maxretry  = 6
banaction = iptables-multiport
protocol  = tcp
action    = %(action_)s

# All servers ban SSH.
[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log

# Enable the following on public mail servers only.
# Covers both POP/IMAP and webmail cracking.

# For web mail failures
[pam-generic]
enabled = false
filter  = pam-generic
port    = http,https
logpath = /var/log/auth.log

[courierauth]
enabled = false
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = courierlogin
logpath = /var/log/mail.log
# Generated by hand
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The ban chain is declared here, so the fail2ban action never has to create it
:fail2ban-ssh - [0:0]
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
# A new TCP connection must begin with a SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Existing sessions are accepted before the ban chain is consulted, so a ban
# only stops NEW ssh sessions and never cuts off someone already logged in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# Only new ssh connections reach the ban chain; unbanned ones fall through
# to the ACCEPT below
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp -m multiport --dports 22,25,80,443,465,587,993,995 -j ACCEPT
COMMIT
# Completed on Fri May 5 10:23:01 BST 2006
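The setup above only works because of rule order: the chain must already exist (the action's actionstart is empty), the ESTABLISHED,RELATED ACCEPT must sit before the jump into fail2ban-ssh (so a ban never kills an open session), and the jump must sit before the ACCEPT for port 22 (so a banned address is not let in first). The following script is an added example, not code from the post or from fail2ban; it parses an iptables-restore file and checks those three invariants. The chain name `fail2ban-<name>`, the port and the two sample rulesets are assumptions and constructed inputs, not anything the post shows being run.

```python
"""Static check of an iptables-restore file for the rule ordering a
pre-created fail2ban chain depends on (added example, not from the post).

Assumed invariants, taken from the posted iptables file and action config:
  1. fail2ban-<name> is declared in *filter (actionstart does not create it);
  2. the ESTABLISHED,RELATED ACCEPT precedes the jump into fail2ban-<name>;
  3. the jump precedes the ACCEPT for the guarded port.
"""
import shlex


def _opt(toks, *names):
    """Value following the first token matching one of *names, else None."""
    for i, tok in enumerate(toks[:-1]):
        if tok in names:
            return toks[i + 1]
    return None


def _rule_from_tokens(toks):
    """Reduce an '-A chain ...' line to the fields the ordering check needs.
    Ports are kept as strings, so '--dport ssh' will not match port 22."""
    dports = _opt(toks, "--dport", "--dports")
    states = _opt(toks, "--state") or ""
    return {
        "chain": _opt(toks, "-A"),
        "target": _opt(toks, "-j"),
        "states": set(filter(None, states.split(","))),
        "dports": set(dports.split(",")) if dports else set(),
    }


def parse_filter_table(text):
    """Return (declared_chains, rules) for the *filter table only."""
    chains, rules, in_filter = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # table header, e.g. *filter
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):    # :CHAIN POLICY [pkts:bytes]
            chains.add(line[1:].split()[0])
        elif in_filter and line.startswith("-A "):
            rules.append(_rule_from_tokens(shlex.split(line)))
    return chains, rules


def check_fail2ban_order(text, name="ssh", port=22):
    """Return a list of findings; empty means all three invariants hold for
    fail2ban-<name> guarding <port> on the INPUT chain."""
    chain = "fail2ban-%s" % name
    chains, rules = parse_filter_table(text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    findings = []
    if chain not in chains:
        findings.append("chain %s is not declared and an empty actionstart "
                        "will not create it" % chain)

    def first(pred):
        return next((i for i, r in enumerate(inp) if pred(r)), None)

    jump = first(lambda r: r["target"] == chain)
    established = first(lambda r: r["target"] == "ACCEPT"
                        and "ESTABLISHED" in r["states"])
    port_accept = first(lambda r: r["target"] == "ACCEPT"
                        and str(port) in r["dports"])
    if jump is None:
        findings.append("INPUT never jumps to %s" % chain)
        return findings
    if established is None or established > jump:
        findings.append("ESTABLISHED,RELATED ACCEPT must precede the jump to "
                        "%s, or a ban drops open sessions too" % chain)
    if port_accept is not None and port_accept < jump:
        findings.append("ACCEPT for port %s precedes the jump to %s, so bans "
                        "never take effect" % (port, chain))
    return findings


# Constructed sample in the shape of the posted file (abbreviated).
SAMPLE_GOOD = """\
*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
COMMIT
"""

# Constructed sample with both ordering mistakes: the port-22 ACCEPT comes
# before the jump (bans never fire) and the ESTABLISHED ACCEPT comes after
# it (a ban also cuts off sessions that are already logged in).
SAMPLE_BAD = """\
*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_fail2ban_order(sample) or ["ok"])
```

Run it against `/etc/iptables.rules` (or whatever file iptables-restore loads at boot) before enabling a jail whose action has an empty actionstart; a second jail such as `pam-generic` needs its own declared chain and jump, which the check reports when called with `name="pam-generic"` and its port.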
-- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.ubuntu.com/UKTeam/