digitalFAQ.com Forum

digitalFAQ.com Forum (https://www.digitalfaq.com/forum/)
-   Web Hosting (https://www.digitalfaq.com/forum/web-hosting/)
-   -   Install fail2ban with CSF/LFD in cPanel; sample jail.conf config file (https://www.digitalfaq.com/forum/web-hosting/5115-install-fail2ban-csf.html)

kpmedia 04-19-2013 07:53 PM
Install fail2ban with CSF/LFD in cPanel; sample jail.conf config file
 
Below is an annotated jail.conf file for use on a cPanel server with the CSF firewall installed. This file is correct for most servers, but the comments have been included here for advanced users and the curious.

Important: This jail.conf is confirmed to work, unlike the one available by default in the RPMforge repositories.

Notice that [apache-tcpwrapper], [apache-badbots] and [php-url-fopen] are still set to false. I'm currently testing those, to see how well these work with cPanel. Most of the settings available by default were going to conflict with CSF/LFD, and were thus removed to prevent accidentally being enabled. Only the [wordpress] is set to true -- and that the jail/filter for blocking WordPress brute logins.

See the full guides for installing fail2ban on a cPanel, DirectAdmin or Virtualmin server at:
Here's the jail.conf file...
Quote:
# Fail2Ban jail specifications file

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 21600
findtime = 600
maxretry = 10

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action = %(action_)s

# JAILS

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http
maxretry = 10

[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 6

[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

Need a good web host? — Read our 2018 Review of the Best Web Hosts
Quite often, problems with web sites are caused by having a rotten web host. Worse yet, many hosts try to blame you (the customer) for the problems! So dump that lousy company. Say goodbye to slow sites, unresponsive support techs, and downtime. Find yourself a new host today. Whether you need shared, reseller, VPS, semi-dedicated, cloud, or dedicated hosting, something on our list should be a good upgrade for you.


seriesn 04-19-2013 10:17 PM
From my recent experiences and penetration tests, I found out that DenyHost works better and more simple to use than Fail2ban and Fail2ban fails at some of the most unexpected time.

kpmedia 04-20-2013 04:32 AM
Quote:
Originally Posted by seriesn (Post 26250)
From my recent experiences and penetration tests, I found out that DenyHost works better and more simple to use than Fail2ban and Fail2ban fails at some of the most unexpected time.
The only time I've seen fail2ban fail is when the server is underpowered*. :depressed:

The primary reason for installing it on a cPanel (or DirectAdmin or Virtualmin) server is so that it can block brute force attempts on WordPress or Exim. Otherwise there's really no reason to install it.

It would be nice if DenyHosts could be used here, too -- especially since there are supposedly ways to also make it run under Windows. (See method here.) There's a WordPress plugin named "DenyHosts", but it has to do with the DenyHosts service. It's just one of those useless plugins that claims to "block" brute force traffic, but really does not.

Sadly, there's no port for fail2ban for Windows, as it would be quite popular. We have RdpGuard, but it doesn't work with applications like WordPress -- just RDP and SQL server.


* Note: As we mentioned in the guides, get a good VPS from somebody like EuroVPS or Ninja Hawk. Get a VPS with at least 1GB of RAM, and you'll be fine. That's really the minimum recommended for a cPanel server anyway. If you're using Virtualmin or DirectAdmin, the panel uses less RAM, but 1GB is still recommended because of the services -- mail, anti-spam, firewalls, etc.

seriesn 04-20-2013 09:02 PM
Correct me if I am wrong, but doesn't cpanels built in bruteforce (cphulk) protector and csf do pretty much the same thing?

kpmedia 04-20-2013 10:04 PM
Nope, it's not the same. I wrote this on WHT last year:

Quote:
cPHulk stops accepting logins after too many fails. The malcontent can still connect to the server, however. It's only an application level firewall. CSF/LFD is a server firewall, and disallows connections after too many failed login attempts. They won't even get a failure, just the electronic middle finger (go away!).
Put "fail2ban" in place of "CSF/LFD". Same thing.

seriesn 04-21-2013 08:50 PM
Ahh, I see. Well, that was nice to know. Regardless the facts, after implementing firewalls and denyhosts, my final step is to lock everything to limited IP and can only be accessible of company VPN.

byebyegt1 06-12-2013 07:45 AM
Followed the guide to install failtoban and have also used your example jail.conf file above since i am running cpanel with csf and wordpress. The only part i cannot find some ood advice on is the setting up of the /etc/fail2ban/filter.d files. You mention in the guide to refer to additional guides on The Digital FAQ or elsewhere. Can you suggest a configuration or guide to follow that will work with the jail.conf file given above?

Thanks for the step by step install though, it was very easy to follow and i liked the explanations of what i was doing unlike some guides.

Cheers

kpmedia 12-31-2013 12:33 AM
Quote:
Originally Posted by byebyegt1 (Post 26726)
The only part i cannot find some ood advice on is the setting up of the /etc/fail2ban/filter.d files. You mention in the guide to refer to additional guides on The Digital FAQ or elsewhere. Can you suggest a configuration or guide to follow that will work with the jail.conf file given above?
The content of the /etc/fail2ban/filter.d/wordpress.conf file is:

Code:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from common.local
before = common.conf

[Definition]
_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
Quote:
Thanks for the step by step install though, it was very easy to follow and i liked the explanations of what i was doing unlike some guides.
Glad to hear it was easy to follow. Somehow you're post had gotten by us earlier this year. :unsure:


This was an unanswered question or unresolved issue found during a site audit. It's hard to have an FAQ when the answers are missing, or final outcomes are unknown. At The Digital FAQ support forum, questions are never intentionally ignored, and may have been missed due to a forum glitch or human error. More details on the audit. (In some cases, threads have been edited/updated with newer information.)

kpmedia 02-06-2014 07:22 AM
An update for this is being discussed at: http://www.digitalfaq.com/forum/web-...-blocking.html
Read that too!


All times are GMT -5. The time now is 01:43 AM

Site design, images and content © 2002-2026 The Digital FAQ, www.digitalFAQ.com
Forum Software by vBulletin · Copyright © 2026 Jelsoft Enterprises Ltd.