How to protect your cccam server with fail2ban in 4 steps installation

[aamir11]

Hello friends,

If you server slow down or have high network load or high consummation on ram or cpu. You need to jail unwanted peers.
After following modification my server stop to freeze.
My system is Ubuntu server 11.10 32bit, cccam 2.1.3

1. Prepare your system (all commands are started like normal user)

Code:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install fail2ban nano bsd-mailx
$ sudo touch /var/log/cccam.log
$ sudo chmod 755 /var/log/cccam.log

Change cccam options in your cccam start up script to

Quote:

./CCcam.x86 -d > /var/log/cccam.log &

2. Configuration

- run command:

Code:

$ sudo nano /etc/fail2ban/jail.conf

- change

Code:

backend = auto

to

Code:

backend = polling

- after

Code:

# action, port, logpath, etc) in that section within jail.local

add and change 1234 with your cccam port after save and close file.

Code:

[cccam_sign]

enabled = true
port = 1234
filter = cccam_sign
logpath = /var/log/cccam.log
maxretry = 10
bantime = 86400

[cccam_double]

enabled = true
port = 1234
filter = cccam_double
logpath = /var/log/cccam.log
maxretry = 10
bantime = 3600

[cccam_bad]

enabled = true
port = 1234
protocol = tcp
filter = cccam_bad
logpath = /var/log/cccam.log
maxretry = 10
bantime = 1800

[cccam_ill]

enabled = true
port = 1234
filter = cccam_ill
logpath = /var/log/cccam.log
maxretry = 3
bantime = 12000

[cccam_fail]

enabled = true
filter = cccam_fail
action = iptables-allports[name=cccam_fail2ban]
        sendmail-whois[name=cccam_fail2ban]
logpath = /var/log/fail2ban.log
findtime = 604800
bantime = 604800

- run command:

Code:

$ sudo nano /etc/fail2ban/filter.d/cccam_bad.conf

- enter the following content after save and close file.

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = CCcam: kick <HOST>.*, bad command

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

- run command:

Code:

$ sudo nano /etc/fail2ban/filter.d/cccam_double.conf

- enter the following content after save and close file.

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = CCcam: double login .*, \(previous <HOST>\), reject

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

- run command:

Code:

$ sudo nano /etc/fail2ban/filter.d/cccam_fail.conf

- enter the following content after save and close file.

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

- run command:

Code:

$ sudo nano /etc/fail2ban/filter.d/cccam_ill.conf

- enter the following content after save and close file.

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = CCcam: illegal user .* from <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

- run command:

Code:

$ sudo nano /etc/fail2ban/filter.d/cccam_sign.conf

- enter the following content after save and close file.

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = CCcam: kick <HOST>, signature failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

3. Reboot the system.

4. Login into system and make running checks.

- run command:

Code:

$ tail -f /var/log/cccam.log

If you see displayed content so that mean cccam log working well.

- run command:

Code:

$ tail -f /var/log/fail2ban.log

That will display banned ip addresses from fail2ban if you have any unneeded peers.

That is all friends.

Enjoy

[HanaPipers]