Fail2ban Setup and questions

factor

@floyd @eva2000 or others that use fail2ban.
@eva2000 I included you since I have been reading your work over in CM forum. Wondered if it migrated into your DA server as well?

If you use fail2ban do you turn off BFM in DA?
Are you supplementing BFM with Fail2ban?
Since you can integrate fail2ban with CSF, do you turn off LFD as well?

Seems you would want to turn off LFD and BFM since they are all similar in function.

I know some use only CSF and LFD. I have too, so I'm not looking for a "CSF is better" dialog. Looking at other methods and why others use these other methods.
 
I only use CSF on my servers. So IIRC, BFM is disabled to let CSF's LFD handle it all = fewer differences to account for :)

I only limit fail2ban usage to HTTP requests so for 80/443 ports. CSF LFD handles all the other ports/services. But haven't used fail2ban on my DA yet.
 
BFM is disabled to let CSF's LFD handle it all
How do you have CSF protect DA brute-force logins in that case? Because as far as I know, CSF can check Exim but does not check DA logins. Or do you use a custom regexp for it or some other way?
 
I only use CSF on my servers.
You mean DA, right? I noticed on CM you have CSF and Fail2ban.
I only limit fail2ban usage to HTTP requests so for 80/443 ports.
So in general you only use it for web related stuff like bots, WordPress and others. Not FTP, SQL, SSH and so on.
does not check DA logins.
fail2ban can monitor port 2222 and DA login logs. It's built into Fail2ban.
 
fail2ban can monitor port 2222 and DA login logs. It's built into Fail2ban.
I know, but he said he didn't use fail2ban on his DA machines.
As far as I understood, the line about the http requests is used for non-DA machines, hence my question. ;)
 
No, I only wondered how CSF would be able to protect DA brute-force logins.
Isn't it this?
Enable login failure detection of DirectAdmin connections
This option also detects login failures on DA for Roundcube, SquirrelMail and
phpMyAdmin if installed and logging enabled via CustomBuild v2+

If you do not want to scan for one or more of DIRECTADMIN_LOG_*, simply set
the respective option to ""
LF_DIRECTADMIN =
LF_DIRECTADMIN_PERM =
 
Any clue what that means?
I assume it's the items under OS specific:

DIRECTADMIN_LOG = (restricted UI item)
DIRECTADMIN_LOG_R = (restricted UI item)
DIRECTADMIN_LOG_S = (restricted UI item)
DIRECTADMIN_LOG_P = (restricted UI item)
PORTS_imapd = (restricted UI item)
PORTS_bind = (restricted UI item)
PORTS_ftpd = (restricted UI item)
PORTS_smtpauth = (restricted UI item)
PORTS_eximsyntax = (restricted UI item)
PORTS_directadmin = (restricted UI item)

This list is replaced, if present, by "Port" definitions in
/etc/ssh/sshd_config
PORTS_sshd = (restricted UI item)

This configuration is for use with generic Linux servers, do not change the
following settings:
GENERIC = (restricted UI item)
DIRECTADMIN = (restricted UI item)
 
You mean DA right. I noticed on CM you have CSF and Fail2ban.
Yeah, on CM, as there is no admin GUI, there's nothing to protect other than SSH access, and having CSF + fail2ban is fine. For DirectAdmin, I just checked at https://docs.directadmin.com/operation-system-level/securing/csf/csf.html and https://docs.directadmin.com/directadmin/general-usage/securing-with-bfm.html: you can use BFM + CSF + LFD together since DirectAdmin 1.61+.

The Brute Force Monitor has since come a long way from its original implementation to include the ability to enable the following features (in addition to its ability to protect the DirectAdmin login from bruteforce attacks):

  • direct CSF firewall integration for blocking bruteforcing IPs (implemented in DA version 1.61.0)
  • scanning for WordPress attacks, including:
    • xmlrpc.php
    • wp-login.php
  • scanning service logs, such as:
    • Apache
    • Dovecot
    • Exim
    • ProFTPD/Pure-FTPd
    • SSHd
    • Roundcube
    • SquirrelMail
    • PHPMyAdmin
  • the ability to truncate its own logs
  • the ability to send bruteforce attack notifications
    • via the message system
    • via email
      • one can specify the email to send notifications to
  • whitelists/blacklists
  • hook scripts

Enabling CSF & BFM during a fresh installation

If installation isn't customized to disable CSF, it will result in both CSF and BFM being enabled and configured automatically to work in tandem upon successful completion of the installation script.

Enabling and Configuring DirectAdmin's Brute Force Monitor with IP blocking capabilities

First, you should consider a firewall to actually block the attacker IPs. CSF is recommended for this as DirectAdmin integrates with it so nicely. Additionally, CSF/LFD consists of 2 components, one of which is the Login Failure Daemon. Thus, by enabling CSF/LFD, you will have yet another layer of protection to combat bruteforce attacks against your services.

You can install CSF during a fresh installation or for existing servers. Instructions for both situations are outlined below.
 
What can Fail2ban do?
Not totally sure myself yet.
Fail2ban is more granular than LFD or BFM.
I can set individual ban times and retries (counts) for each service.
Example in ssh:
bantime = 2w
maxretry = 2
but for
wordpress-xmlrpc
bantime = 2d
maxretry = 1

It also has its own log, fail2ban.log,
which you can also search for frequent bad actors over a month
and ban them longer:
bantime = 1y
findtime = 30d

Whereas CSF and BFM can't be configured granularly. It's only a handful of settings. I like CSF, it works really well. I am just experimenting and learning.
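The per-jail thresholds described above, written out as a fail2ban configuration. This is an added example, not a config posted in the thread: it assumes fail2ban 0.10+ (for the `2w`/`1y` time suffixes), a DirectAdmin-style Apache log path under /var/log/httpd/domains/, and a custom xmlrpc filter, since fail2ban does not bundle one; the `recidive` jail is the bundled one that re-reads fail2ban's own log, which is the "ban frequent bad actors longer" step.

```ini
# /etc/fail2ban/jail.local  (added example; adjust logpath to your server)
[DEFAULT]
# Baseline applied to every jail unless the jail overrides it
bantime  = 1h
findtime = 10m
maxretry = 5
# Assumption: addresses you administer from, so a typo never locks you out
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled  = true
port     = ssh
bantime  = 2w
maxretry = 2

[wordpress-xmlrpc]
enabled  = true
port     = http,https
filter   = wordpress-xmlrpc
# Assumption: DirectAdmin per-domain Apache access logs
logpath  = /var/log/httpd/domains/*.log
bantime  = 2d
maxretry = 1

[recidive]
# Bundled jail: scans fail2ban's own log and escalates repeat offenders
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 1y
findtime  = 30d
maxretry  = 3

# /etc/fail2ban/filter.d/wordpress-xmlrpc.conf  (custom filter, assumed here)
[Definition]
# Apache combined-log line for a POST to xmlrpc.php; <HOST> captures the client IP
failregex = ^<HOST> -.*"POST /xmlrpc\.php[^"]*" (200|403|405)
ignoreregex =
```

Check a filter against a real log before enabling its jail with `fail2ban-regex /var/log/httpd/domains/example.log /etc/fail2ban/filter.d/wordpress-xmlrpc.conf`; if CSF/LFD is also installed, let only one of the two write firewall rules.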
 
Well, CSF also has a bunch of settings which you can configure individually, including SSH.
And you can also set a ban for a year if you want.
And the number of tries before a ban is set.
And it has its own logfile.

It does however not have a special log for wordpress-xmlrpc, but this is fixed with a custom regexp. So I still don't see a benefit of Fail2ban for something which CSF could not do.
 
I've not dived deep into customization of CSF/LFD, but in general I'd be careful about having two different pieces of software both trying to modify a firewall. I'd stick with CSF/LFD if you already have that, and if there's a specific thing that doesn't work as you want, then maybe consider fail2ban as an addition, assuming the two can play nice together.
 
That's the advice I also always give. Stick with CSF/LFD since fail2ban can do less and I doubt there is anything fail2ban can do which csf/lfd can't, hence my questions and curiosity if there might be something I'm overlooking.
 