Cluster Security Monitoring Tools

From DISI

Check whether sendmail is already installed (look for its init script in /etc/rc.d/init.d/).

# Only if sendmail is not already installed
yum install logwatch fail2ban sendmail 
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
vim /usr/share/logwatch/default.conf/logwatch.conf
       Change "Print=" to "Print=No"
       Make sure that "MailTo=root" and "range=yesterday"
       exit
echo "logwatch@blur.compbio.ucsf.edu" > /root/.forward
service sendmail start
logwatch
       Check to see if you got an email from logwatch. If not, type:
       logwatch --mailto logwatch@blur.compbio.ucsf.edu
chkconfig --levels=345 sendmail on
chkconfig --levels=345 logwatch on

FAIL2BAN

If fail2ban is not already available from the yum repositories, add the EPEL repository first.

FOR CENTOS 5.X:

               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
               rpm -Uvh epel-release-5-4.noarch.rpm
               yum update

FOR CENTOS 6.X:

               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
               rpm -Uvh epel-release-6-8.noarch.rpm
               yum update

FOR CENTOS 6.X and 5.X:

cd /etc/fail2ban
cp jail.conf jail.local
vim jail.local
       

FOR TORONTO:

       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16

FOR SF:

       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.0.0.0/16 10.100.0.0/16 10.10.0.0/16

FOR BOTH SITES:

       bantime = 6000000000
       findtime = 3600
       maxretry = 5
       backend = polling
       Under the "[ssh-iptables]" label:
       Make sure that enabled = true
       For the "action" variable, change the sender to
       sender=fail2ban@whatever_the_hostname_is_.uoft.bkslab.org

To get rid of the annoying messages that get printed to the console:

vim /etc/fail2ban/fail2ban.conf
       Set "logtarget = /var/log/secure"
service fail2ban start
chkconfig --levels=345 fail2ban on
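As an added dry run of the jail settings above (this is example code, not part of this page or of fail2ban itself), the script below replays sshd failure lines in /var/log/secure format through the findtime/maxretry/ignoreip rules and reports which sources the ssh-iptables jail would ban. It assumes the Toronto ignoreip list, a sample year of 2013 (syslog timestamps carry none), and constructed hostnames and addresses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Jail settings as given in jail.local on this page (Toronto ignoreip list).
FINDTIME = 3600
MAXRETRY = 5
IGNOREIP = ["127.0.0.1/8", "169.230.0.0/16", "142.150.0.0/16", "10.10.0.0/16"]

# sshd failure line in /var/log/secure format: timestamp, host, pid, source IP.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip lies inside any ignoreip entry, as fail2ban treats the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def would_ban(lines, year=2013, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return the source IPs that reach maxretry failures within any findtime window."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    banned = set()
    for line in lines:
        m = FAILED.search(line)
        if not m or is_ignored(m.group("ip"), ignoreip):
            continue
        # syslog stamps carry no year, so one is supplied (assumed for the sample).
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent[m.group("ip")] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[m.group("ip")] = window
        if len(window) >= maxretry:
            banned.add(m.group("ip"))
    return banned

def _line(stamp, ip, user="admin"):
    """Build a constructed /var/log/secure line (sample data, not a real host)."""
    return f"{stamp} blur sshd[2217]: Failed password for invalid user {user} from {ip} port 4021 ssh2"

# Constructed sample: a burst from 203.0.113.9, slow retries from 198.51.100.7
# that never fit 5 into one hour, and a burst from 10.10.5.5 inside the ignoreip range.
SAMPLE = (
    [_line(f"Mar  4 01:0{i}:00", "203.0.113.9") for i in range(5)]
    + [_line(f"Mar  4 0{h}:{mi:02d}:00", "198.51.100.7") for h, mi in [(1, 0), (1, 20), (1, 40), (2, 0), (2, 30)]]
    + [_line(f"Mar  4 03:0{i}:00", "10.10.5.5") for i in range(5)]
)
```

Calling `would_ban(SAMPLE)` returns only 203.0.113.9; lowering `maxretry` or emptying `ignoreip` shows how the other two sources would be treated under different jail settings.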


COMMON COMMANDS FOR FAIL2BAN

Ask users to get their IP address from this website (top left corner): http://blaster.docking.org/cgi-bin/myquotas.pl

To ignore a single IP address

fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX

To remove IP address from ignore list

fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX

To unban a single IP address:

fail2ban-client set ssh-iptables unbanip x.y.z.w

To ban a single IP address:

fail2ban-client set ssh-iptables banip x.y.z.w

To see the list of IP addresses currently banned (in jail):

iptables -L -n