Install fail2ban with CSF/LFD in cPanel; sample jail.conf config file - digitalFAQ Forum
#1
04-19-2013, 07:53 PM
kpmedia (Site Staff | Web Hosting, Photo)
Below is an annotated jail.conf file for use on a cPanel server with the CSF firewall installed. This file is correct for most servers, but the comments have been included here for advanced users and the curious.

Important: This jail.conf is confirmed to work, unlike the one available by default in the RPMforge repositories.

Notice that [apache-tcpwrapper], [apache-badbots] and [php-url-fopen] are still set to false. I'm currently testing those, to see how well they work with cPanel. Most of the settings available by default were going to conflict with CSF/LFD, and were thus removed to prevent them from being accidentally enabled. Only [wordpress] is set to true, and that is the jail/filter for blocking WordPress brute-force logins.

See the full guides for installing fail2ban on a cPanel, DirectAdmin or Virtualmin server at:
Here's the jail.conf file...
Code:
# Fail2Ban jail specifications file
# Note: fail2ban reads this as INI; continuation lines of a multi-line value
# (the multi-action and multi-logpath entries below) must be indented, or the
# file fails to parse and the jail never starts.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 21600
findtime = 600
maxretry = 10

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action = %(action_)s

# JAILS

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http
maxretry = 10

[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

Need a good web host? — Read our 2018 Review of the Best Web Hosts
Quite often, problems with web sites are caused by having a rotten web host. Worse yet, many hosts try to blame you (the customer) for the problems! So dump that lousy company. Say goodbye to slow sites, unresponsive support techs, and downtime. Find yourself a new host today. Whether you need shared, reseller, VPS, semi-dedicated, cloud, or dedicated hosting, something on our list should be a good upgrade for you.


- Did my advice help you? Then become a Premium Member and support this site.
- Please Like Us on Facebook | Follow Us on Twitter

- Need a good web host? Ask me for help! Get the shared, VPS, semi-dedicated, cloud, or reseller you need.
#2
04-19-2013, 10:17 PM
seriesn (Free Member)
From my recent experiences and penetration tests, I found out that DenyHosts works better and is simpler to use than Fail2ban, and Fail2ban fails at some of the most unexpected times.
#3
04-20-2013, 04:32 AM
kpmedia (Site Staff | Web Hosting, Photo)
Quote:
Originally Posted by seriesn
From my recent experiences and penetration tests, I found out that DenyHosts works better and is simpler to use than Fail2ban, and Fail2ban fails at some of the most unexpected times.
The only time I've seen fail2ban fail is when the server is underpowered*.

The primary reason for installing it on a cPanel (or DirectAdmin or Virtualmin) server is so that it can block brute force attempts on WordPress or Exim. Otherwise there's really no reason to install it.

It would be nice if DenyHosts could be used here, too -- especially since there are supposedly ways to also make it run under Windows. (See method here.) There's a WordPress plugin named "DenyHosts", but it has to do with the DenyHosts service. It's just one of those useless plugins that claims to "block" brute force traffic, but really does not.

Sadly, there's no port for fail2ban for Windows, as it would be quite popular. We have RdpGuard, but it doesn't work with applications like WordPress -- just RDP and SQL server.


* Note: As we mentioned in the guides, get a good VPS from somebody like EuroVPS or Ninja Hawk. Get a VPS with at least 1GB of RAM, and you'll be fine. That's really the minimum recommended for a cPanel server anyway. If you're using Virtualmin or DirectAdmin, the panel uses less RAM, but 1GB is still recommended because of the services -- mail, anti-spam, firewalls, etc.

#4
04-20-2013, 09:02 PM
seriesn (Free Member)
Correct me if I am wrong, but don't cPanel's built-in brute-force protector (cPHulk) and CSF do pretty much the same thing?
#5
04-20-2013, 10:04 PM
kpmedia (Site Staff | Web Hosting, Photo)
Nope, it's not the same. I wrote this on WHT last year:

Quote:
cPHulk stops accepting logins after too many fails. The malcontent can still connect to the server, however. It's only an application level firewall. CSF/LFD is a server firewall, and disallows connections after too many failed login attempts. They won't even get a failure, just the electronic middle finger (go away!).
Put "fail2ban" in place of "CSF/LFD". Same thing.

#6
04-21-2013, 08:50 PM
seriesn (Free Member)
Ahh, I see. Well, that was nice to know. Regardless of the facts, after implementing firewalls and DenyHosts, my final step is to lock everything down to a limited set of IPs, so it is only accessible from the company VPN.
#7
06-12-2013, 07:45 AM
byebyegt1 (Free Member)
Followed the guide to install fail2ban and have also used your example jail.conf file above, since I am running cPanel with CSF and WordPress. The only part I cannot find good advice on is the setting up of the /etc/fail2ban/filter.d files. You mention in the guide to refer to additional guides on The Digital FAQ or elsewhere. Can you suggest a configuration or guide to follow that will work with the jail.conf file given above?

Thanks for the step-by-step install though; it was very easy to follow, and I liked the explanations of what I was doing, unlike some guides.

Cheers
#8
12-31-2013, 12:33 AM
kpmedia (Site Staff | Web Hosting, Photo)
Quote:
Originally Posted by byebyegt1
The only part I cannot find good advice on is the setting up of the /etc/fail2ban/filter.d files. You mention in the guide to refer to additional guides on The Digital FAQ or elsewhere. Can you suggest a configuration or guide to follow that will work with the jail.conf file given above?
The content of the /etc/fail2ban/filter.d/wordpress.conf file is:

Code:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from common.local
before = common.conf

[Definition]
_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
Quote:
Thanks for the step-by-step install though; it was very easy to follow, and I liked the explanations of what I was doing, unlike some guides.
Glad to hear it was easy to follow. Somehow your post had gotten by us earlier this year.


This was an unanswered question or unresolved issue found during a site audit. It's hard to have an FAQ when the answers are missing, or final outcomes are unknown. At The Digital FAQ support forum, questions are never intentionally ignored, and may have been missed due to a forum glitch or human error. More details on the audit. (In some cases, threads have been edited/updated with newer information.)


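The script below is an added example, not code from the original posts or from the fail2ban project. It takes the thresholds from the jail.conf in post #1 (findtime = 600, maxretry = 10, bantime = 21600, ignoreip = 127.0.0.1/8) and the failregex from the filter.d/wordpress.conf file in post #8, substitutes <HOST> the way fail2ban does, and replays a constructed set of syslog lines through a sliding-window counter to show which source addresses the [wordpress] jail would actually ban and which it would not (failures spread too thinly over time, and failures from an ignoreip address). The simplified syslog prefix pattern, the log year, the hostname vps1, the sample addresses, the log messages and the iptables command string are all assumptions: on a real server the prefix comes from common.conf's __prefix_line and the ban command from action.d/iptables-multiport.conf.

```python
"""Replay syslog lines through the posted [wordpress] jail and filter (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the posted jail.conf ([DEFAULT] and [wordpress]).
FINDTIME = 600           # seconds within which failures are counted
MAXRETRY = 10            # failures inside FINDTIME that trigger a ban
BANTIME = 21600          # seconds the ban lasts
IGNOREIP = ("127.0.0.1/8",)
JAIL_NAME = "wordpress"  # what %(__name__)s expands to in the action templates

# fail2ban expands <HOST> to this group (quoted in the filter.d comment).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# ASSUMPTION: a simplified stand-in for common.conf's __prefix_line, covering
# only the "Mon DD HH:MM:SS hostname wordpress(site)[pid]: " syslog shape.
PREFIX_LINE = (r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
               r"wordpress(?:\([^)]*\))?(?:\[\d+\])?:\s*")

# The posted failregex with %(__prefix_line)s and <HOST> substituted.
FAILREGEX = re.compile("^" + PREFIX_LINE + r"Authentication failure for .* from " + HOST + "$")

LOG_YEAR = 2013  # ASSUMPTION: syslog timestamps carry no year, so one is supplied


def parse_failure(line):
    """Return (timestamp, host) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def is_ignored(host):
    """True for ignoreip matches; bare hostnames are never banned here (usedns = no semantics)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def simulate_jail(lines):
    """Replay lines in order; return {ip: ban_start} for every ban the jail would issue."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if is_ignored(host):
            continue
        if host in bans and ts < bans[host] + timedelta(seconds=BANTIME):
            continue  # still banned: no second ban for the same address
        # keep only failures inside the findtime window, then add this one
        recent = [t for t in failures[host] if (ts - t).total_seconds() <= FINDTIME]
        recent.append(ts)
        if len(recent) >= MAXRETRY:
            bans[host] = ts
            recent = []  # counter resets once the ban fires
        failures[host] = recent
    return bans


def ban_command(ip):
    """ASSUMPTION: the 0.8-era iptables-multiport actionban; check action.d on your server."""
    return f"iptables -I fail2ban-{JAIL_NAME} 1 -s {ip} -j DROP"


# --- constructed sample log (not a real capture) ---------------------------
BASE = datetime(LOG_YEAR, 4, 19, 19, 53, 0)


def _line(offset_s, msg, site="example.com", pid=4242):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%b %d %H:%M:%S")
    return offset_s, f"{ts} vps1 wordpress({site})[{pid}]: {msg}"


_events = (
    # 10 failures in under two minutes: trips maxretry inside findtime
    [_line(12 * i, "Authentication failure for admin from 203.0.113.5") for i in range(10)]
    # 10 failures two minutes apart: never 10 inside any 600 s window
    + [_line(120 * i, "Authentication failure for admin from 198.51.100.7") for i in range(10)]
    # 12 failures from localhost: matched by the regex but covered by ignoreip
    + [_line(i, "Authentication failure for wpcron from 127.0.0.1") for i in range(12)]
    # lines that must not count as failures (wrong message, wrong daemon)
    + [_line(30, "Accepted password for admin from 203.0.113.5"),
       (40, (BASE + timedelta(seconds=40)).strftime("%b %d %H:%M:%S")
            + " vps1 sshd[999]: Failed password for root from 192.0.2.9")]
)
SAMPLE_LOG = [text for _, text in sorted(_events, key=lambda e: e[0])]

if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_command(ip)}")
```

Run it with python3 and only 203.0.113.5 is banned, at the tenth failure (19:54:48); the slow attacker never has ten failures inside one 600-second window, which is the trade-off behind findtime. On the server itself, the same match can be checked against real log lines with fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf before the jail is enabled.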
#9
02-06-2014, 07:22 AM
kpmedia (Site Staff | Web Hosting, Photo)
An update for this is being discussed at: Fail2ban + CSF for Blocking WordPress Brute Force Attacks?
Read that too!
