Cluster Security Monitoring Tools: Difference between revisions
Revision summary: A few commands were under the wrong description. Reordered and clarified commands.
(One intermediate revision by the same user not shown.)
Latest revision as of 19:14, 8 April 2017
Check whether sendmail already exists in /etc/rc.d/init.d/ before installing it.
yum install logwatch fail2ban sendmail     # leave sendmail out of the list if it is already installed
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
vim /usr/share/logwatch/default.conf/logwatch.conf
       Set "Print = No" (otherwise the report is written to stdout instead of being mailed)
       Make sure that "MailTo = root" and "Range = yesterday"
       Save and exit
       Note: this file is replaced when the logwatch package is upgraded; the same settings placed in /etc/logwatch/conf/logwatch.conf override it and survive upgrades.
echo "logwatch@blur.compbio.ucsf.edu" > /root/.forward     # forward root's local mail, including the logwatch report, to the central mailbox
service sendmail start
logwatch
       Check that an email from logwatch arrived. If not, send the report explicitly:
       logwatch --mailto logwatch@blur.compbio.ucsf.edu
chkconfig --level 345 sendmail on
chkconfig --level 345 logwatch on
       (logwatch normally runs from /etc/cron.daily/0logwatch rather than as a service; if chkconfig reports that it does not know the logwatch service, nothing more is needed)
FAIL2BAN
If yum cannot find fail2ban in the configured repositories, add the EPEL repository first (the epel-release version in the URL changes over time; if the wget returns 404, take the current package name from the EPEL download page):
FOR CENTOS 5.X:
               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
               rpm -Uvh epel-release-5-4.noarch.rpm
               yum update
FOR CENTOS 6.X:
               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
               rpm -Uvh epel-release-6-8.noarch.rpm
               yum update
Then re-run the yum install command above so that fail2ban is actually installed.
FOR CENTOS 6.X and 5.X:
cd /etc/fail2ban
cp jail.conf jail.local
vim jail.local
       
       In the [DEFAULT] section, set ignoreip to the networks that must never be banned:
       FOR TORONTO:
       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16
       FOR SF:
       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.0.0.0/16 10.100.0.0/16 10.10.0.0/16
       and in the same section:
       bantime = 6000000000     (seconds; effectively a permanent ban for as long as fail2ban keeps running, since 0.8.x does not keep bans across a restart)
       findtime = 3600          (failures older than an hour no longer count toward maxretry)
       maxretry = 5
       backend = polling
       Under the "[ssh-iptables]" label:
       Make sure that enabled = true
       Check that logpath = /var/log/secure, which is where CentOS writes sshd authentication messages
       In the "action" line, change the sender to
       sender=fail2ban@whatever_the_hostname_is_.uoft.bkslab.org
To stop fail2ban's own log messages from being printed to the console, give it a log file:
vim /etc/fail2ban/fail2ban.conf
       logtarget = /var/log/secure
       (the usual target is /var/log/fail2ban.log; using /var/log/secure mixes fail2ban's messages into the file the sshd filter reads, which works but clutters the authentication log)
service fail2ban start
chkconfig --level 345 fail2ban on
COMMON COMMANDS FOR FAIL2BAN
Ask users to get their IP Address from this website (top left corner): http://blaster.docking.org/cgi-bin/myquotas.pl
To add an IP address to the ignore list (it will never be banned):
fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX
       (this only affects future matches; if the address is already banned, also run unbanip on it)
To remove an IP address from the ignore list:
fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX
To unban a single ip address:
fail2ban-client set ssh-iptables unbanip x.y.z.w
To ban a single ip address:
fail2ban-client set ssh-iptables banip x.y.z.w
To see the list of IP addresses currently in jail:
fail2ban-client status ssh-iptables
or inspect the iptables chain the jail creates (named fail2ban-SSH, from name=SSH in the default action):
iptables -L fail2ban-SSH -n
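The following is an added example, not code from this page or from the fail2ban project. It models how the jail.local settings above (ignoreip, findtime, maxretry, bantime) and the fail2ban-client commands in this section interact, by running a simplified version of the sshd failregex over a constructed /var/log/secure excerpt. Assumptions: the regex covers only "Failed password/publickey" lines, the log year is taken as 2017 because syslog stamps carry no year, the class and function names (SshJail, simulate, demo) and the sample log lines are invented here, and the ignore list is the Toronto one from jail.local.

```python
import calendar
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for the sshd failregex in fail2ban's filter.d/sshd.conf
# (assumption: only "Failed password/publickey" lines are modelled).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
LOG_YEAR = 2017  # syslog lines carry no year; assumed for the constructed sample
TORONTO_IGNOREIP = "127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16"

# Constructed /var/log/secure excerpt (not real log data).
SAMPLE_LOG = """\
Apr  8 10:00:01 node1 sshd[2101]: Failed password for root from 10.10.5.5 port 50001 ssh2
Apr  8 10:00:04 node1 sshd[2102]: Failed password for root from 10.10.5.5 port 50002 ssh2
Apr  8 10:00:07 node1 sshd[2103]: Failed password for root from 10.10.5.5 port 50003 ssh2
Apr  8 10:01:00 node1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Apr  8 10:01:10 node1 sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Apr  8 10:01:20 node1 sshd[2112]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Apr  8 10:01:30 node1 sshd[2113]: Failed password for root from 203.0.113.7 port 40004 ssh2
Apr  8 10:01:40 node1 sshd[2114]: Failed password for root from 203.0.113.7 port 40005 ssh2
Apr  8 10:02:00 node1 sshd[2115]: Failed password for root from 203.0.113.7 port 40006 ssh2
Apr  8 10:05:00 node1 sshd[2120]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Apr  8 10:06:00 node1 sshd[2121]: Failed password for bob from 198.51.100.9 port 41002 ssh2
Apr  8 10:07:00 node1 sshd[2122]: Failed password for bob from 198.51.100.9 port 41003 ssh2
Apr  8 11:30:00 node1 sshd[2130]: Failed password for bob from 198.51.100.9 port 41004 ssh2
Apr  8 11:30:30 node1 sshd[2131]: Failed password for bob from 198.51.100.9 port 41005 ssh2
Apr  8 11:31:00 node1 sshd[2140]: Accepted publickey for alice from 169.230.1.10 port 42000 ssh2
"""


def parse_ts(ts):
    """'Apr  8 19:14:01' -> epoch seconds, treating the stamp as UTC."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return calendar.timegm(dt.timetuple())


class SshJail:
    """One jail: per-host sliding findtime window, maxretry, bantime, ignoreip."""

    def __init__(self, ignoreip, findtime=3600, maxretry=5, bantime=6000000000):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.failures = defaultdict(list)  # host -> failure epochs inside the window
        self.banned = {}                   # host -> epoch at which the ban expires

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    # Equivalents of "fail2ban-client set ssh-iptables <command> <ip>"
    def add_ignore_ip(self, host):  # addignoreip: affects future matches only
        self.ignore.append(ipaddress.ip_network(host))

    def del_ignore_ip(self, host):  # delignoreip
        self.ignore.remove(ipaddress.ip_network(host))

    def ban_ip(self, host, now):    # banip
        self.banned[host] = now + self.bantime
        self.failures.pop(host, None)

    def unban_ip(self, host):       # unbanip
        self.banned.pop(host, None)

    def banned_ips(self, now):
        """Expire finished bans (never, with the page's bantime) and list the rest."""
        self.banned = {h: t for h, t in self.banned.items() if t > now}
        return sorted(self.banned)

    def feed(self, line):
        """Apply one log line; returns (verdict, host)."""
        m = FAILREGEX.match(line)
        if not m:
            return ("no-match", None)
        host, now = m.group("host"), parse_ts(m.group("ts"))
        if self.is_ignored(host):
            return ("ignored", host)
        if host in self.banned_ips(now):
            return ("already-banned", host)
        # keep only failures newer than findtime, then count this one
        window = [t for t in self.failures[host] if now - t <= self.findtime]
        window.append(now)
        self.failures[host] = window
        if len(window) >= self.maxretry:
            self.ban_ip(host, now)
            return ("banned", host)
        return ("failure", host)


def simulate(log_text, ignoreip=TORONTO_IGNOREIP):
    jail = SshJail(ignoreip)
    verdicts = [jail.feed(l) for l in log_text.splitlines() if l.strip()]
    return jail, verdicts


def demo():
    """Run the sample through the jail, then apply the common commands."""
    jail, verdicts = simulate(SAMPLE_LOG)
    now = parse_ts("Apr  8 12:00:00")
    banned_before = jail.banned_ips(now)
    jail.unban_ip("203.0.113.7")        # unbanip first: addignoreip does not lift a ban
    jail.add_ignore_ip("203.0.113.7")   # addignoreip
    jail.ban_ip("192.0.2.44", now)      # banip
    return {"verdicts": verdicts, "banned_before": banned_before,
            "banned_after": jail.banned_ips(now),
            "window_198": len(jail.failures["198.51.100.9"])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the three cases the settings produce: 10.10.5.5 is inside 10.10.0.0/16 and is never counted, 203.0.113.7 is banned on its fifth failure within findtime and every later line is reported as already banned, and 198.51.100.9 is not banned because its first three failures fell out of the one-hour window before the last two arrived.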