Secure AXIGEN against brute-force with Fail2Ban [Linux]

How to install and configure Fail2ban to integrate with Axigen

Here’s how you can enable the Fail2Ban Linux integration in Axigen for increased brute-force attack protection.

1. Enable the Security Log in Axigen with the following CLI commands

CLI commands to enable the Security Log
<#> config server
<server#> config log
<server-log#> set enableSecurityLog yes
<server-log#> commit
<server#> commit
<#> save config
<#> quit
Then restart the Axigen service so that security.txt starts being written:
/etc/init.d/axigen restart
(on systemd-based distributions: systemctl restart axigen)

2. Install Fail2Ban using your OS package-management utility

For CentOS / RedHat

Install the EPEL repository (fail2ban is not in the base repositories)

yum install epel-release

Install fail2ban

yum install fail2ban

For Ubuntu / Debian

Install fail2ban

sudo apt install fail2ban

3. Create the file axigen.conf in the /etc/fail2ban/filter.d folder with the following content

# Fail2Ban filter for axigen
#
# Revision: 2016040601
#
# If you want to protect Axigen from being bruteforced by password
# authentication then configure enableSecurityLog = yes in axigen.cfg
# and reload configuration.
#
# Log file: ${AXIGEN_WORK_DIR}/log/security.txt
# Log example: 2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0;Authentication error; Invalid password
#
#
# Notes:
# * Feature introduced by Axigen version 9.0
# * Axigen 9 default separator was ':'
# * Axigen 10 default separator switched to ';' (due to IPv6 address format)
# * The [:;] alternation in failregex accepts either separator, so one filter
#   serves both versions. Only lines whose result field is OP_FAIL are
#   counted; successful logins never contribute to a ban.
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = axigen
# Fields matched, in order: service name, hex ID, <HOST> (client IP),
# client port, result. Everything after OP_FAIL is ignored.
failregex = ^%(__prefix_line)s.* SECURITY:[A-Z3_\-]+[:;][0-9A-F]+[:;]<HOST>[:;][0-9]+[:;]OP_FAIL[:;].*$
ignoreregex =

[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
# (failregex above is single-line, so this only matters if you extend it)
maxlines = 10

4. Edit the /etc/fail2ban/jail.d/jail.local file and add the following lines at the end

/etc/fail2ban/jail.d/jail.local
[axigen]
enabled = true
# poll security.txt for changes (works without pyinotify/gamin)
backend = polling
logpath = /var/opt/axigen/log/security.txt
# ban the offending address on every port, not only the service it attacked
banaction = iptables-allports
# 10 failures within 600 s (10 min) earn a 600 s ban
maxretry = 10
findtime = 600
bantime = 600

Create the file /etc/fail2ban/jail.d/jail.local if it doesn't exist. Fail2ban reads every *.local file in jail.d, so the file may also be named, for example, axigen.local.

If the security log file (security.txt) is not in the default location, change the value of logpath to the correct one.

Tune the thresholds to your exposure: with these values an attacker who stays below ten attempts per ten minutes is never banned, and a ten-minute ban only slows a determined one. Lower maxretry or raise bantime for an Internet-facing server. On hosts that use nftables rather than iptables, newer fail2ban releases ship an nftables-allports action that can be used as banaction instead.

5. Add the trusted IP(s) to the ignore list (whitelist)

To avoid locking yourself out, add your own address(es) to ignoreip. Put the setting in the [DEFAULT] section of the jail.local file created in step 4 (or directly in the [axigen] section) rather than in /etc/fail2ban/jail.conf, which is overwritten when the fail2ban package is upgraded:

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 192.168.1.10 192.168.2.0/24

Keep this list short: every address on it can make unlimited login attempts without ever being banned.

6. Enable and start the fail2ban service

systemctl enable fail2ban
systemctl start fail2ban

7. Check the list of banned IPs

fail2ban-client status <JAIL_NAME>

Example:

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.4.145

8. Unban an IP address

fail2ban-client set <YOUR_JAIL_NAME> unbanip <IP_ADDRESS>

Example:

# fail2ban-client set axigen unbanip 192.168.4.145

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:
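Before relying on the filter and jail from steps 3 and 4 in production, it is worth seeing exactly which security.txt lines count as failures and when the maxretry/findtime combination actually fires. The Python script below is an added example for this article, not Axigen's or fail2ban's code: it replays the filter's failregex and the jail's thresholds over constructed log lines in the format of the "Log example" from the filter header. Two simplifications are assumptions of the example: fail2ban's <HOST> placeholder is replaced by an IP-literal class (fail2ban's own also accepts hostnames), and the success token OP_OK is invented only to show that any result other than OP_FAIL is ignored.

```python
"""Replay the axigen.conf failregex and the [axigen] jail thresholds over
constructed security.txt lines. Added example for this article; it is not
Axigen's or fail2ban's code. The log lines are built here in the format of
the "Log example" in the filter header."""
import re
from datetime import datetime, timedelta, timezone

# The filter's failregex, with %(__prefix_line)s replaced by an explicit
# timestamp group and <HOST> replaced by an IP-literal class. Both are
# simplifications for this example: fail2ban's <HOST> also accepts
# hostnames, and __prefix_line comes from common.conf.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) .* SECURITY:"
    r"[A-Z3_\-]+[:;][0-9A-F]+[:;](?P<host>[0-9a-fA-F:.]+)[:;][0-9]+[:;]OP_FAIL[:;].*$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"

# Thresholds from the [axigen] jail in step 4.
MAXRETRY = 10
FINDTIME = 600  # seconds

TZ = timezone(timedelta(hours=2))
T0 = datetime(2016, 3, 8, 12, 41, 29, tzinfo=TZ)


def log_line(ts, host, port, result, service="PROXY_WEBMAIL", sep=";", user="root@q.me"):
    """Build one constructed security.txt line.
    sep=":" mimics the Axigen 9 separator, ";" the Axigen 10 one."""
    fields = [service, "0002607C", host, str(port), result, user,
              "Mozilla/5.0", "Authentication error", " Invalid password"]
    return f"{ts.strftime(TS_FORMAT)} 02 aximon SECURITY:" + sep.join(fields)


def match_failure(line):
    """(timestamp, host) if the filter counts this line as a failure, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("host")


def failure_times(lines):
    """Map host -> sorted failure timestamps, as the filter would report them."""
    per_host = {}
    for line in lines:
        hit = match_failure(line)
        if hit is not None:
            ts, host = hit
            per_host.setdefault(host, []).append(ts)
    for times in per_host.values():
        times.sort()
    return per_host


def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that reach maxretry failures inside one findtime window.

    fail2ban increments a per-host counter on each failure and forgets
    failures older than findtime, so a ban fires as soon as maxretry
    failures fit inside a findtime-wide window. Lines that are not OP_FAIL
    never reach the counter.
    """
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in failure_times(lines).items():
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


def sample_log():
    """Constructed log: one brute-forcer, one slow guesser, IPv6 and Axigen 9 variants."""
    lines = []
    # 203.0.113.7: 10 webmail failures in 81 s -> trips maxretry within findtime
    for i in range(10):
        lines.append(log_line(T0 + timedelta(seconds=9 * i), "203.0.113.7", 61707 + i, "OP_FAIL"))
    # 192.0.2.5: 10 IMAP failures 20 min apart -> never 10 inside 600 s, so no ban
    for i in range(10):
        lines.append(log_line(T0 + timedelta(minutes=20 * i), "192.0.2.5", 51000 + i, "OP_FAIL", service="IMAP"))
    # 2001:db8::1: three SMTP failures over IPv6 with the Axigen 10 ';' separator
    for i in range(3):
        lines.append(log_line(T0 + timedelta(seconds=i), "2001:db8::1", 40000 + i, "OP_FAIL", service="SMTP"))
    # Axigen 9 style ':' separator with an IPv4 client -> still matched via [:;]
    lines.append(log_line(T0, "198.51.100.9", 33000, "OP_FAIL", service="POP3", sep=":"))
    # A successful login. "OP_OK" is an assumed token used here only to show
    # that anything other than OP_FAIL is ignored by the filter.
    lines.append(log_line(T0, "198.51.100.20", 44000, "OP_OK"))
    return lines


if __name__ == "__main__":
    lines = sample_log()
    for host, times in failure_times(lines).items():
        print(f"{host:16} {len(times)} failures")
    print("would be banned:", sorted(banned_hosts(lines)))
```

The slow guesser at 192.0.2.5 illustrates the caveat from step 4: ten failures that never fall inside one findtime window are counted but never trigger a ban, which is why the thresholds need tuning for an exposed server. Against the real log and the real filter, the authoritative check is fail2ban's own tool: fail2ban-regex /var/opt/axigen/log/security.txt /etc/fail2ban/filter.d/axigen.conf prints how many lines matched and which hosts were extracted.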

From https://www.axigen.com/articles/fail2ban-linux-brute-force-attack-protection_82.html