Differences

This shows you the differences between two versions of the page.

--- linux:apps:fail2ban [2023/09/05 18:32] – oscar
+++ linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
@@ Line 276: / Line 276: @@
 ===== Actions =====
-This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**.
+This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. E.g. the action that our SSH service invokes is called nftables-multiport.
-E.g. the action that our SSH service invokes is called iptables-multiport. Open the associated file now:
-  sudo nano /etc/fail2ban/action.d/iptables-multiport.conf
-With the comments removed, this file looks something like this:
-<code>
-[INCLUDES]
-before = iptables-blocktype.conf
-[Definition]
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-actioncheck = iptables -n -L <chain> | grep -a 'fail2ban-<name>[ \t]'
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
-[Init]
-name = default
-port = ssh
-protocol = tcp
-chain = INPUT
-</code>
 ==== Ban IP Range (subnet) ====
 In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once.
@@ Line 351: / Line 324: @@
 </code>
 If there is anything wrong with the fail or filter, an error would be reported.
-===== Test Configuration =====
-There are a few ways to verify the configuration and operation of fail2ban:
 ===== Monitor Status =====
-==== IP-tables ====
+There are 2 options to check the current status of jails and banned clients:
-You can look at iptables to see that fail2ban has modified your firewall rules to create a framework for banning clients. Even with no previous firewall rules, you would now have a framework enabled that allows fail2ban to selectively ban clients by adding them to purpose-built chains:
+  - fail2ban-client
-  sudo iptables -S
+  - nft list ruleset
-Output
-<code>
-Output
--P INPUT ACCEPT
--P FORWARD ACCEPT
--P OUTPUT ACCEPT
--N fail2ban-nginx-badbots
--N fail2ban-nginx-http-auth
--N fail2ban-nginx-nohome
--N fail2ban-nginx-noproxy
--N fail2ban-nginx-noscript
--N fail2ban-ssh
--A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-noproxy
--A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-nohome
--A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-badbots
--A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-noscript
--A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
--A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
--A fail2ban-nginx-badbots -j RETURN
--A fail2ban-nginx-http-auth -j RETURN
--A fail2ban-nginx-nohome -j RETURN
--A fail2ban-nginx-noproxy -j RETURN
--A fail2ban-nginx-noscript -j RETURN
--A fail2ban-ssh -j RETURN
-</code>
 ==== fail2ban-client ====
-You can see all of your enabled jails by using the fail2ban-client command:
+You can see an overview of your enabled jails by using the fail2ban-client command. You should see a list of all of the jails you enabled:
-  sudo fail2ban-client status
-You should see a list of all of the jails you enabled:
 <code>
+# fail2ban-client status
+------------------------
 Status
-|- Number of jail:	1
+|- Number of jail:	5
-`- Jail list:	sshd
+`- Jail list:	nextcloud, nginx-bad-request, nginx-botsearch, sshd, www-login-fail
 </code>
 If you want to see the details of the bans being enforced by any one jail, it is probably easier to use the fail2ban-client again:
-  sudo fail2ban-client status nginx-http-auth
-Output
 <code>
-Status for the jail: nginx-http-auth
+# fail2ban-client status www-login-fail
-|- filter
+---------------------------------------
-|  |- File list:        /var/log/nginx/error.log
+Status for the jail: www-login-fail
-|  |- Currently failed: 0
+|- Filter
-|  `- Total failed:     12
+|  |- Currently failed:	0
-`- action
+|  |- Total failed:	3
-   |- Currently banned: 1
+|  `- File list:	/var/log/nginx/error.www.log
-   |  `- IP list:       111.111.111.111
+`- Actions
-   `- Total banned:     1
+   |- Currently banned:	0
+   |- Total banned:	2
+   `- Banned IP list:
 </code>
+==== NFtables ====
+You can look at nftables to see that fail2ban has modified your firewall rules to create a framework for banning clients. Even with no previous firewall rules, you would now have a framework enabled that allows fail2ban to selectively ban clients by adding them to purpose-built chains:
+<code>
+#nft list ruleset
+-----------------
+table inet f2b-table {
+	set addr-set-www-login-fail {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.178.0/24 }
+	}
+	set addr6-set-www-login-fail {
+		type ipv6_addr
+		flags interval
+		elements = { fdaa:66:67::/56 }
+	}
+	chain f2b-chain {
+		type filter hook input priority filter - 1; policy accept;
+		tcp dport { 80, 443 } ip saddr @addr-set-www-login-fail reject with icmp port-unreachable
+		tcp dport { 80, 443 } ip6 saddr @addr6-set-www-login-fail reject with icmpv6 port-unreachable
+	}
+}
+</code>
 ===== Unbanning =====
 you can manually un-ban your IP address with the fail2ban-client by typing:
-  sudo fail2ban-client set nginx-http-auth unbanip 111.111.111.111
+  # fail2ban-client set nginx-http-auth unbanip 111.111.111.111
 Or for unbanning all jails at once:
-  fail2ban-client unban --all
+  # fail2ban-client unban --all
+===== Cleaning =====
+The above unbanning commands will remove the IP's from the nftables firewall, but the rule and table structures will remain in the nfttables firewall. If you want to clean / reset everything:
+  # fail2ban-client stop www-login-fail
+The following command will only clear the nftables structures, but this could lead to errors in jail2bin logs.
+  # nft clear ruleset
 ===== Optional: Setting Up Mail Notifications =====
@@ Line 431: / Line 408: @@
 . . .
 </code>
 ===== NGINX =====
-Default Debian fail2ban installation has the following 3 Nginx jails:
+We enables the following 2 default Debian fail2ban installation jails for Nginx:
-  * **nginx-botsearch.conf**: filter to match web requests for selected URLs that don't exist
+  * **nginx-bad-request.conf**: filter to match bad requests to nginx
-  * **nginx-http-auth.conf**: filter for authorisation failures password mismatch, etc.
+  * **nginx-botsearch.conf**: filter to match web requests for selected URLs that don't exist
+The following have been added by ourselves:
+  * **nginx-x00.conf**: filter to detect improper x00 character requests.
+  * **www-login-fail.conf**: filter to detect failed login attempts on our website.
+The following default is not used, because we have no basic auth enables in Nginx
+  * **nginx-http-auth.conf**: filter for http basic authentication failures
   * **nginx-limit-req.conf**: filter to ban hosts, that fail through nginx by limit request processing rate
-The following additional can be added:
-  * **nginx-no-script.conf**: Jail to deny any requests that attempt to request for types such as .exe .php etc.
+==== /etc/fail2ban/jail.local ====
-  * **nginx-x00.conf**: To block potentially malicious x03\x00 requests.
-  * **nginx-proxy.conf**: Block IPs trying to use server as proxy.
-  * **nginx-dos.conf**: Block IPs trying to ddos the server.
-  * **nginx-4xx**: Get rid of those 404 attempts in daily access logs.
-==== nginx-noscript.conf ====
-Add the following jail section to /etc/fail2ban/jail.local:
 <code>
-[nginx-noscript]
+#
+# HTTP servers
+#
+[nginx-botsearch]
+enabled = true
+port     = http,https
+logpath = /var/log/nginx/access.*.log
+findtime  = 900
+maxretry = 3
+banaction = nftables-subnet[type=multiport]
+[nginx-bad-request]
+enabled = true
+port    = http,https
+logpath = /var/log/nginx/access.*.log
+findtime  = 900
+maxretry = 3
+banaction = nftables-subnet[type=multiport]
+[nginx-x00]
 enabled   = true
 port      = http,https
-filter    = nginx-noscript
+logpath = /var/log/nginx/access.*.log
-logpath   = /var/lib/docker/containers/*/*-json.log
+findtime  = 900
-</code>
+maxretry = 2
-Add the following filter file **/etc/fail2ban/filter.d/nginx-noscript.conf**
+banaction = nftables-subnet[type=multiport]
-<code>
-#
+[www-login-fail]
-# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
+enabled = true
+port = http,https
+logpath = /var/log/nginx/error.www.log
+findtime  = 900
+maxretry = 3
+banaction = nftables-subnet[type=multiport]
+# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
+# normal (default), aggressive (combines all), auth or fallback
+# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
+[nginx-http-auth]
+# mode = normal
+port    = http,https
+logpath = %(nginx_error_log)s
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port    = http,https
+logpath = %(nginx_error_log)s
 #
-# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
+# Web Applications
 #
-# Matches e.g.
-# 192.168.1.1 - - "GET /something.php
 #
+[nextcloud]
+enabled = true
+#port = 80,443
+port    = http,https
+#protocol = tcp
+logpath = /var/www/nextcloud/data/nextcloud.log
+bantime = 86400
+findtime = 3600
+maxretry = 2
+banaction = nftables-subnet[type=multiport]
+</code>
+==== /etc/fail2ban/filter.d/nginx-bad-request.conf ====
+<code>
 [Definition]
+# The request often doesn't contain a method, only some encoded garbage
+# This will also match requests that are entirely empty
+failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
-failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
-ignoreregex =
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 </code>
+==== /etc/fail2ban/filter.d/nginx-x00.conf ====
+<code>
+[Definition]
-==== nginx-x00.conf ====
+# Blocking repeated 404|444|403|400
-To block potentially malicious x03\x00 requests. Like:
+# This will also match requests that are entirely empty
-.72.83.87 - - _ [28/Dec/2018:14:13:14 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 150 "-" "-"
+failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
-Add the following jail section to /etc/fail2ban/jail.local:
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+</code>
+==== /etc/fail2ban/filter.d/nginx-botsearch.conf ====
 <code>
-[nginx-x00]
+INCLUDES]
-enabled   = true
+# Load regexes for filtering
-port      = http,https
+before = botsearch-common.conf
-filter    = nginx-x00
-logpath   = /var/lib/docker/containers/*/*-json.log
+[Definition]
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
+            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
+ignoreregex =
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 </code>
-Add the following filter file **/etc/fail2ban/filter.d/nginx-x00.conf**
+==== /etc/fail2ban/filter.d/www-login-fail.conf ====
 <code>
-Filename: /etc/fail2ban/filter.d/filter.d/nginx-x00.conf
+[INCLUDES]
+# Load regexes for filtering
+before =
 [Definition]
-failregex = ^{"log":"<HOST> .* .*\\x.*$
+failregex = ^.+Login\sattempt\suser.+incorrect\spassword.+client:\s<HOST>.+,\sserver.+$
+            ^.+Login\sattempt\sip\[<HOST>\].+$
 ignoreregex =
-</code>
-==== nginx-proxy.conf ====
+datepattern =
-Block IPs trying to use server as proxy.
-Add the following jail section to /etc/fail2ban/jail.local:
-<code>
-[nginx-proxy]
-enabled = true
-action = iptables-multiport[name=NoProxy, port="http,https"]
-filter = nginx-proxy
-logpath = /var/log/nginx*/*access*.log
-maxretry = 0
-bantime  = 86400 # 1 day
 </code>
-Add the following filter file **/etc/fail2ban/filter.d/nginx-proxy.conf**
+==== /etc/fail2ban/filter.d/nextcloud.conf ====
 <code>
-# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
-#
-# Block IPs trying to use server as proxy.
-#
-# Matches e.g.
-# 192.168.1.1 - - "GET http://www.something.com/
-#
 [Definition]
-failregex = ^<HOST> -.*GET http.*
+failregex=^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
+          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
 ignoreregex =
 </code>
-==== nginx-dos.conf ====
-Block IPs trying to ddos the server.
+===== MAIL =====
-Add the following jail section to /etc/fail2ban/jail.local:
+==== /lib/systemd/system/fail2ban.service ====
+Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
 <code>
-[nginx-dos]
+# nano /lib/systemd/system/fail2ban.service
-enabled  = true
+-------------------------------------------
-port     = http
+[Unit]
-filter   = nginx-dos
+...
-logpath  = /var/log/nginx/*access*.log
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
-findtime = 120
-maxretry = 200
 </code>
-Add the following filter file **/etc/fail2ban/filter.d/nginx-dos.conf**
+==== Config ====
+We enables the following 3 default Debian fail2ban installation jails for our mail server:
+  * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server
+  * **postfix.conf**: filter for selected Postfix SMTP rejections
+  * **postfix-sasl.conf**: filter for selected Postfix Authentication failures
+==== /etc/fail2ban/jail.local ====
 <code>
+[sshd]
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+enabled = true
+#mode   = normal
+port    = ssh
+logpath = %(sshd_log)s
+#backend = %(sshd_backend)s
+backend = systemd
 #
-# Ddos filter /etc/fail2ban/filter.d/nginx-dos.conf:
+# Mail servers
 #
-# Block IPs trying to ddos the server.
+[postfix]
-#
+# To use another modes set filter parameter "mode" in jail.local:
-#
+enabled = true
-[Definition]
+mode    = more
+port    = smtp,465,submission
+bantime  = 28800
+findtime = 14400
+maxretry = 3
+#logpath = %(postfix_log)s
+logpath = /var/log/postfix.log
+backend = %(postfix_backend)s
-failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
+[postfix-rbl]
+filter   = postfix[mode=rbl]
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
-ignoreregex =
+[postfix-sasl]
-</code>
+enabled  = true
+filter   = postfix[mode=auth]
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+bantime  = 604800
+findtime = 43200
+maxretry = 2
+banaction = nftables-subnet[type=multiport]
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+#logpath  = %(postfix_log)s
+logpath  = /var/log/postfix.log
+backend  = %(postfix_backend)s
-==== nginx-4xx ====
+[sendmail-auth]
-Get rid of those 404 attempts in my daily logs.
+port    = submission,465,smtp
-Add the following jail section to /etc/fail2ban/jail.local:
+logpath = %(syslog_mail)s
-<code>
+backend = %(syslog_backend)s
-[nginx-4xx]
-enabled = true
-port = http,https
-logpath = /var/log/nginx/access.log
-maxretry = 3
-</code>
-Add the following filter file **/etc/fail2ban/filter.d/nginx-4xx.conf**
-<code>
-[Definition]
-failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
-ignoreregex =
-</code>
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode    = normal
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+enabled  = true
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+bantime  = 14400
+findtime = 43200
+maxretry = 2
+#logpath = %(dovecot_log)s
+logpath = /var/log/dovecot.log
+backend = %(dovecot_backend)s
+[sieve]
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+[mysqld-auth]
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+</code>
 ===== Links =====