This guide will show you a very quick and dirty way to use Fail2ban to prevent brute-force attacks on your Opsview Monitor 5.0 server. This should work the same for Opsview 4.x servers, but I haven't tested it.
Fail2ban, for those who aren't familiar, is “an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc.. and uses iptables profiles to block brute-force attempts.” (src: https://help.ubuntu.com/community/Fail2ban).
Firstly, install fail2ban. In my example I am using Ubuntu 14.04, so simply:
apt-get install fail2ban
Next, go to the fail2ban directory and create the opsview ‘filter’:
cd /etc/fail2ban/filter.d/
nano opsview.conf
Within here, copy and paste the following:
[Definition]
failregex = Unsuccessful login: .*, from <HOST>
This is a simple regex that captures the source IP of the ‘hacker’ from the standard log message that Opsview writes to opsview-web.log. Example message below:
[2016/01/11 15:51:47] [Opsview.Web.Controller.Root] [WARN] Unsuccessful login: mrhacks, from 134.225.2.12, via web - Authentication ticket found, but user does not exist
Next, let's tell fail2ban to actually use this rule. Create a new file called ‘/etc/fail2ban/jail.local’ and add the following:
[opsview]
enabled = true
filter = opsview
port = https
logpath = /var/log/opsview/opsview-web.log
maxretry = 6
Obviously, if you aren't using https then change the port to ‘http’. Next, open /etc/fail2ban/jail.conf and change the line
backend = auto
to
backend = polling
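Before restarting fail2ban it is worth checking that the filter matches what you expect. The following is an added example, not code from the original post or from Fail2ban itself: it applies the failregex above to a few constructed opsview-web.log lines, counts failures per source host and reports which hosts would reach the jail's maxretry. The expansion of <HOST> is a simplified stand-in for fail2ban's own pattern (an assumption), so treat it as a sanity check rather than a reference implementation.

```python
import re
from collections import Counter

# The filter exactly as written in opsview.conf above.
FAILREGEX = r"Unsuccessful login: .*, from <HOST>"

# fail2ban replaces <HOST> with a named group matching an IP or hostname.
# This is a simplified stand-in (assumption), not fail2ban's exact expansion.
HOST_GROUP = r"(?P<host>[\w\-.:]*\w)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into a capturing group and compile the filter."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_hosts(log_lines, failregex: str = FAILREGEX) -> Counter:
    """Count matching failed logins per source host, like the jail's filter."""
    pattern = compile_failregex(failregex)
    counts: Counter = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_lines, maxretry: int = 6, failregex: str = FAILREGEX):
    """Return hosts whose failure count reached maxretry (the jail setting)."""
    counts = failed_hosts(log_lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample log lines in the opsview-web.log format (not real traffic).
PREFIX = "[2016/01/11 15:51:47] [Opsview.Web.Controller.Root]"
SAMPLE_LOG = [
    PREFIX + " [WARN] Unsuccessful login: mrhacks, from 134.225.2.12, via web"
    " - Authentication ticket found, but user does not exist",
] * 7 + [
    PREFIX + " [WARN] Unsuccessful login: admin, from 10.0.0.5, via web"
    " - Authentication ticket found, but user does not exist",
    # A successful login must not count as a failure.
    PREFIX + " [INFO] Successful login: admin, from 10.0.0.5, via web",
]

if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))           # 134.225.2.12: 7, 10.0.0.5: 1
    print("would ban:", hosts_to_ban(SAMPLE_LOG))  # ['134.225.2.12']
```

On the server itself, fail2ban ships `fail2ban-regex`, which runs the same kind of check with its own engine: `fail2ban-regex /var/log/opsview/opsview-web.log /etc/fail2ban/filter.d/opsview.conf`.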
Finally, simply restart fail2ban so it picks up the new jail:
service fail2ban restart
You can view the ‘jail’ by running the script here: https://gist.github.com/kamermans/1076290 . Simply clone this file, chmod +x and then run, as below:
git clone https://gist.github.com/kamermans/1076290
cd 1076290
chmod +x fail2ban-allstatus.sh
./fail2ban-allstatus.sh
This will give an output similar to:
Status for the jail: opsview
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/opsview/opsview-web.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Now, go and try to brute force the login 10-15 times and see what happens when you run the command above again:
root@server:/tmp/1076290# ./fail2ban-allstatus.sh
Status for the jail: opsview
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 10
|  `- File list: /var/log/opsview/opsview-web.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 134.225.2.12
Here you can see that 10 failed attempts have been made, and the IP address has now been banned from trying to log in. To prove this, run the iptables command below:
root@server:/tmp/1076290# iptables -nL f2b-opsview
Chain f2b-opsview (1 references)
target     prot opt source               destination
REJECT     all  --  134.225.2.12         0.0.0.0/0            reject-with icmp-port-unreachable
To unblock an IP address, simply run the command:
fail2ban-client set opsview unbanip 134.225.2.12
Sorted. Now, go forth and fail2ban!