Cluster Security Monitoring Tools: Difference between revisions
(Created page based on Lab Manual Section "Cluster Security Monitoring Tools") |
(→COMMON COMMANDS FOR FAIL2BAN: asdf) |
||
Line 65: | Line 65: | ||
To unban a single ip address: | To unban a single ip address: | ||
fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX | fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX | ||
fail2ban-client set ssh-iptables unban x.y.z.w | |||
To ban a single ip address: | To ban a single ip address: | ||
fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX | fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX | ||
fail2ban-client set ssh-iptables ban x.y.z.w | |||
To see a list of ip addresses that are in jail: | To see a list of ip addresses that are in jail: |
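Review bot: the two added lines use subcommands fail2ban-client does not have; the manual ban and unban commands are `set <jail> banip <ip>` and `set <jail> unbanip <ip>`, so `fail2ban-client set ssh-iptables unban x.y.z.w` and `fail2ban-client set ssh-iptables ban x.y.z.w` will be rejected and should read `unbanip` and `banip`. Separately, the `delignoreip` and `addignoreip` lines that stay under the same "unban"/"ban" headings edit the jail's ignore list (the whitelist) rather than banning or unbanning anything, so they deserve their own heading to avoid being run by mistake when an operator only wants to lift a ban.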
Revision as of 19:42, 19 October 2016
LOGWATCH
Check and see if sendmail already exists in /etc/rc.d/init.d/.
# Only if sendmail is not already installed
yum install logwatch fail2ban sendmail
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
vim /usr/share/logwatch/default.conf/logwatch.conf
Change "Print=" to "Print=No". Make sure that "MailTo=root" and "range=yesterday" exist.
echo "logwatch@blur.compbio.ucsf.edu" > /root/.forward
service sendmail start
logwatch
Check to see if you got an email from logwatch. If not, type:
logwatch --mailto logwatch@blur.compbio.ucsf.edu
chkconfig --levels=345 sendmail on
chkconfig --levels=345 logwatch on
FAIL2BAN
If fail2ban is not already in the yum repository:
FOR CENTOS 5.X:
cd /etc/yum.repos.d/
wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -Uvh epel-release-5-4.noarch.rpm
yum update
FOR CENTOS 6.X:
cd /etc/yum.repos.d/
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
yum update
FOR CENTOS 6.X and 5.X:
cd /etc/fail2ban
cp jail.conf jail.local
vim jail.local
FOR TORONTO:
ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16
FOR SF:
ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.0.0.0/16 10.100.0.0/16 10.10.0.0/16
bantime = 6000000000
findtime = 3600
maxretry = 5
backend = polling
Under the "[ssh-iptables]" label: make sure that enabled = true. For the "action" variable, make sure you change the sender to sender=fail2ban@whatever_the_hostname_is_.uoft.bkslab.org
To get rid of the annoying messages that get printed to the console:
vim /etc/fail2ban/fail2ban.conf
logtarget = /var/log/secure
service fail2ban start
chkconfig --levels=345 fail2ban on
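As an added example (not part of the lab manual or of fail2ban itself), the script below re-implements the ban decision that the jail.local settings above control (ignoreip, findtime, maxretry) and runs it over constructed /var/log/secure lines, so the effect of each setting can be seen without a live cluster. The sshd regex is a simplified stand-in for fail2ban's own filter, the log year is assumed to be 2016, and the sample addresses and hostname are made up.

```python
import ipaddress
import re
from datetime import datetime

# Jail settings copied from the SF jail.local above; the log lines further down are constructed.
IGNOREIP = ["127.0.0.1/8", "169.230.0.0/16", "142.150.0.0/16",
            "10.0.0.0/16", "10.100.0.0/16", "10.10.0.0/16"]
FINDTIME = 3600   # seconds a failure stays counted against its source
MAXRETRY = 5      # failures inside FINDTIME that trigger a ban

# Simplified stand-in for fail2ban's sshd filter (syslog timestamp has no year, caller supplies it).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port")

def is_ignored(ip, ignoreip=IGNOREIP):
    """True when ip lies inside an ignoreip network; such sources are never banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def bans_for(lines, year=2016, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return the IPs the jail would ban: maxretry failures inside a sliding
    findtime window, after discarding whitelisted sources."""
    recent = {}      # ip -> failure timestamps still inside the window
    banned = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or is_ignored(m["ip"]):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent.get(m["ip"], [])
                  if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[m["ip"]] = window
        if len(window) >= maxretry:
            banned.add(m["ip"])
    return banned

def fail_line(ts, ip, user="root"):
    """One constructed /var/log/secure line in the shape FAIL_RE expects."""
    return f"{ts} blur sshd[2042]: Failed password for {user} from {ip} port 51000 ssh2"

# Constructed sample: 203.0.113.7 fails 5 times in 40 s (banned); 198.51.100.9 fails 5 times
# two hours apart (never 5 inside one findtime); 10.10.4.2 fails 6 times but is in ignoreip.
SAMPLE_LOG = (
    [fail_line(f"Oct 19 19:40:{s:02d}", "203.0.113.7") for s in range(0, 50, 10)]
    + [fail_line(f"Oct 19 {h:02d}:00:00", "198.51.100.9") for h in range(10, 20, 2)]
    + [fail_line(f"Oct 19 19:41:{s:02d}", "10.10.4.2") for s in range(0, 60, 10)]
)
```

Widening findtime or lowering maxretry changes which of the three sources end up banned, which is a quick way to sanity-check a jail.local before deploying it.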
COMMON COMMANDS FOR FAIL2BAN
To remove an ip address from the jail's ignore list (whitelist):
fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX
To unban a single ip address:
fail2ban-client set ssh-iptables unbanip x.y.z.w
To add an ip address to the jail's ignore list (whitelist), so it is never banned:
fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX
To ban a single ip address:
fail2ban-client set ssh-iptables banip x.y.z.w
To see a list of ip addresses that are in jail:
iptables -L -n