Doesnt work, on our Server Linux/Deabian
we goes s 23h DDoSed from 24h xD
is installed as the "HowTo" is
what for settings u need to see if all ok?
fail2ban.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 412 $
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communication with the
# daemon.
# Values: FILE Default: /tmp/fail2ban.sock
#
socket = /tmp/fail2ban.sock
jail.conf
Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local
# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
# mail-whois[name=%(__name__)s, dest=%(destemail)s]
# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
# mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6
[apache-noscript]
enabled = true
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
#
# FTP servers
#
[vsftpd]
enabled = true
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = true
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/postfix.log
[couriersmtp]
enabled = true
port = smtp
filter = couriersmtp
logpath = /var/log/mail.log
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
[ddos]
enabled = true
port = 27015,27025,27045,27050,27055,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
#action = iptables-multiport[name=ddos, port=27015,27025,27045,27050,27055,28000,29000, protocol=udp]
27015,27025,27045,27050,27055 thats our Counter Strike Source Ports
27015,27045 gets always DDoS
filter.d/
ddos.conf
Code:
[Definition]
failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
zBlock works fine, but we can add it.
we have a Zombieserver and zBlock doesnt work with Zombiemod.
it crash always the server.