linux:apps:fail2ban

linux:apps:fail2ban [2023/09/05 18:46] oscar
linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
Line 276: Line 276:
  
 ===== Actions ===== ===== Actions =====
-This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. +This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. E.g. the action that our SSH service invokes is called nftables-multiport.
-E.g. the action that our SSH service invokes is called iptables-multiport. Open the associated file now: +
-  sudo nano /etc/fail2ban/action.d/iptables-multiport.conf +
-With the comments removed, this file looks something like this: +
-<code> +
-[INCLUDES] +
-before = iptables-blocktype.conf +
- +
-[Definition] +
-actionstart = iptables -N fail2ban-<name> +
-              iptables -A fail2ban-<name> -j RETURN +
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actioncheck = iptables -n -L <chain> | grep -a 'fail2ban-<name>[ \t]' +
- +
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> +
- +
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> +
- +
-[Init] +
-name = default +
-port = ssh +
-protocol = tcp +
-chain = INPUT +
-</code> +
 ==== Ban IP Range (subnet) ==== ==== Ban IP Range (subnet) ====
 In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once.  In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once. 
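Review bot: the rewritten Actions paragraph now asserts that the SSH jail invokes nftables-multiport, but this hunk deletes the only evidence the section had (the iptables-multiport.conf listing) without putting anything in its place, and nothing else in the revision establishes the claim: the [sshd] jail in jail.local sets no banaction, the only banaction lines that survive are the per-jail `banaction = nftables-subnet[type=multiport]` entries on the nginx, nextcloud and postfix-sasl jails, and nftables-subnet is not an action shipped with fail2ban, so it depends on the definition in the Ban IP Range section. Suggest keeping a trimmed listing of /etc/fail2ban/action.d/nftables-multiport.conf where the iptables one used to be (the [Definition] block with actionstart/actionban/actionunban is what a reader needs), or adding the global line that makes the sentence true, e.g. `banaction = nftables-multiport` under `[DEFAULT]`, plus the check `sudo fail2ban-client get sshd actions` so a reader can confirm which action a running jail actually loaded. Style: "IP nummers" in the Ban IP Range paragraph should read "IP addresses".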
Line 436: Line 409:
 </code> </code>
  
 +===== NGINX =====
 +We enables the following 2 default Debian fail2ban installation jails for Nginx:
 +  * **nginx-bad-request.conf**: filter to match bad requests to nginx
 +  * **nginx-botsearch.conf**: filter to match web requests for selected URLs that don't exist 
 +The following have been added by ourselves:
 +  * **nginx-x00.conf**: filter to detect improper x00 character requests.
 +  * **www-login-fail.conf**: filter to detect failed login attempts on our website.
 +The following default is not used, because we have no basic auth enables in Nginx
 +  * **nginx-http-auth.conf**: filter for http basic authentication failures
 +  * **nginx-limit-req.conf**: filter to ban hosts, that fail through nginx by limit request processing rate
  
 +==== /etc/fail2ban/jail.local ====
 +<code>
 +#
 +# HTTP servers
 +#
 +[nginx-botsearch]
 +enabled = true
 +port     = http,https
 +logpath = /var/log/nginx/access.*.log
 +findtime  = 900
 +maxretry = 3
 +banaction = nftables-subnet[type=multiport]
  
 +[nginx-bad-request]
 +enabled = true
 +port    = http,https
 +logpath = /var/log/nginx/access.*.log
 +findtime  = 900
 +maxretry = 3
 +banaction = nftables-subnet[type=multiport]
 +
 +[nginx-x00]
 +enabled   = true
 +port      = http,https
 +logpath = /var/log/nginx/access.*.log
 +findtime  = 900
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +
 +[www-login-fail]
 +enabled = true
 +port = http,https
 +logpath = /var/log/nginx/error.www.log
 +findtime  = 900
 +maxretry = 3
 +banaction = nftables-subnet[type=multiport]
 +
 +# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
 +# normal (default), aggressive (combines all), auth or fallback
 +# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
 +[nginx-http-auth]
 +# mode = normal
 +port    = http,https
 +logpath = %(nginx_error_log)s
 +
 +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
 +# and define `limit_req` and `limit_req_zone` as described in nginx documentation
 +# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 +# or for example see in 'config/filter.d/nginx-limit-req.conf'
 +[nginx-limit-req]
 +port    = http,https
 +logpath = %(nginx_error_log)s
 +
 +#
 +# Web Applications
 +#
 +#
 +[nextcloud]
 +enabled = true
 +#port = 80,443
 +port    = http,https
 +#protocol = tcp
 +logpath = /var/www/nextcloud/data/nextcloud.log
 +bantime = 86400
 +findtime = 3600
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +</code>
 +==== /etc/fail2ban/filter.d/nginx-bad-request.conf ====
 +<code>
 +[Definition]
 +# The request often doesn't contain a method, only some encoded garbage
 +# This will also match requests that are entirely empty
 +failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
 +
 +datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 +              ^[^\[]*\[({DATE})
 +              {^LN-BEG}
 +
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 +</code>
 +==== /etc/fail2ban/filter.d/nginx-x00.conf ====
 +<code>
 +[Definition]
 +
 +# Blocking repeated 404|444|403|400
 +# This will also match requests that are entirely empty
 +failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
 +
 +datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 +              ^[^\[]*\[({DATE})
 +              {^LN-BEG}
 +
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 +
 +</code>
 +
 +==== /etc/fail2ban/filter.d/nginx-botsearch.conf ====
 +<code>
 +INCLUDES]
 +# Load regexes for filtering
 +before = botsearch-common.conf
 +
 +[Definition]
 +failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
 +            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
 +
 +ignoreregex =
 +
 +datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 +              ^[^\[]*\[({DATE})
 +              {^LN-BEG}
 +
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 +</code>
 +==== /etc/fail2ban/filter.d/www-login-fail.conf ====
 +<code>
 +[INCLUDES]
 +# Load regexes for filtering
 +before =
 +
 +[Definition]
 +
 +failregex = ^.+Login\sattempt\suser.+incorrect\spassword.+client:\s<HOST>.+,\sserver.+$
 +            ^.+Login\sattempt\sip\[<HOST>\].+$
 +
 +ignoreregex =
 +
 +datepattern =
 +</code>
 +==== /etc/fail2ban/filter.d/nextcloud.conf ====
 +<code>
 +[Definition]
 +failregex=^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
 +          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
 +ignoreregex =
 +
 +</code>
 +
 +===== MAIL =====
 +==== /lib/systemd/system/fail2ban.service ====
 +Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
 +<code>
 +# nano /lib/systemd/system/fail2ban.service
 +-------------------------------------------
 +[Unit]
 +...
 +After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
 +</code>
 +
 +==== Config ====
 +We enables the following 3 default Debian fail2ban installation jails for our mail server:
 +  * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server
 +  * **postfix.conf**: filter for selected Postfix SMTP rejections 
 +  * **postfix-sasl.conf**: filter for selected Postfix Authentication failures
 +==== /etc/fail2ban/jail.local ====
 +<code>
 +[sshd]
 +
 +# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +# normal (default), ddos, extra or aggressive (combines all).
 +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +enabled = true
 +#mode   = normal
 +port    = ssh
 +logpath = %(sshd_log)s
 +#backend = %(sshd_backend)s
 +backend = systemd
 +
 +#
 +# Mail servers
 +#
 +[postfix]
 +# To use another modes set filter parameter "mode" in jail.local:
 +enabled = true
 +mode    = more
 +port    = smtp,465,submission
 +bantime  = 28800
 +findtime = 14400
 +maxretry = 3
 +#logpath = %(postfix_log)s
 +logpath = /var/log/postfix.log
 +backend = %(postfix_backend)s
 +
 +[postfix-rbl]
 +filter   = postfix[mode=rbl]
 +port     = smtp,465,submission
 +logpath  = %(postfix_log)s
 +backend  = %(postfix_backend)s
 +maxretry = 1
 +
 +[postfix-sasl]
 +enabled  = true
 +filter   = postfix[mode=auth]
 +port     = smtp,465,submission,imap,imaps,pop3,pop3s
 +bantime  = 604800
 +findtime = 43200
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +# You might consider monitoring /var/log/mail.warn instead if you are
 +# running postfix since it would provide the same log lines at the
 +# "warn" level but overall at the smaller filesize.
 +#logpath  = %(postfix_log)s
 +logpath  = /var/log/postfix.log
 +backend  = %(postfix_backend)s
 +
 +[sendmail-auth]
 +port    = submission,465,smtp
 +logpath = %(syslog_mail)s
 +backend = %(syslog_backend)s
 +
 +[sendmail-reject]
 +# To use more aggressive modes set filter parameter "mode" in jail.local:
 +# normal (default), extra or aggressive
 +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 +#mode    = normal
 +port     = smtp,465,submission
 +logpath  = %(syslog_mail)s
 +backend  = %(syslog_backend)s
 +
 +
 +# dovecot defaults to logging to the mail syslog facility
 +# but can be set by syslog_facility in the dovecot configuration.
 +[dovecot]
 +enabled  = true
 +port    = pop3,pop3s,imap,imaps,submission,465,sieve
 +bantime  = 14400
 +findtime = 43200
 +maxretry = 2
 +#logpath = %(dovecot_log)s
 +logpath = /var/log/dovecot.log
 +backend = %(dovecot_backend)s
 +
 +
 +[sieve]
 +port   = smtp,465,submission
 +logpath = %(dovecot_log)s
 +backend = %(dovecot_backend)s
 +
 +[mysqld-auth]
 +port     = 3306
 +logpath  = %(mysql_log)s
 +backend  = %(mysql_backend)s
 +
 +# Generic filter for PAM. Has to be used with action which bans all
 +# ports such as iptables-allports, shorewall
 +[pam-generic]
 +# pam-generic filter can be customized to monitor specific subset of 'tty's
 +banaction = %(banaction_allports)s
 +logpath  = %(syslog_authpriv)s
 +backend  = %(syslog_backend)s
 +
 +
 +</code>
  
 ===== Links ===== ===== Links =====
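Review bot: the nginx-botsearch.conf listing opens with `INCLUDES]` instead of `[INCLUDES]`; fail2ban's config parser only recognises a bracketed section header, so `before = botsearch-common.conf` is never applied, the `<block>` placeholder in the failregex is never expanded and the filter (and with it the nginx-botsearch jail) fails to load. Fix the header and check the filter against a real log before enabling the jail, e.g. `fail2ban-regex /var/log/nginx/access.www.log /etc/fail2ban/filter.d/nginx-botsearch.conf`. Two more points in the same hunk. First, nginx-x00.conf is documented as a filter for "improper x00 character requests", but `failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$` matches every 400/403/404/444 response; with `maxretry = 2` and `findtime = 900` on the same access log, two typo'd URLs or a missing favicon from one client inside 15 minutes trigger a subnet-wide ban, and every hit is double-counted by nginx-botsearch and nginx-bad-request. Either narrow the expression to the \x00 case the jail is named for or rename it, raise maxretry and state the overlap. Second, editing /lib/systemd/system/fail2ban.service in place is undone by the next package upgrade; put the ordering in a drop-in instead (`systemctl edit fail2ban`, which writes /etc/systemd/system/fail2ban.service.d/override.conf) containing only `[Unit]` and `After=dovecot.service postfix.service rspamd.service`, since After= in a drop-in is additive. Minor: the [postfix-rbl], [sendmail-auth], [sendmail-reject], [sieve], [mysqld-auth], [pam-generic], [nginx-http-auth] and [nginx-limit-req] blocks are verbatim jail.conf defaults with no `enabled = true`, so they add nothing to jail.local (and the [pam-generic] comment still recommends iptables-allports on an nftables host); the [sshd] jail sets `backend = systemd`, under which `logpath` is ignored; and the prose has "We enables" twice, "ilter Dovecot" and "basic auth enables".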
linux/apps/fail2ban.1693939608.txt.gz · Last modified: by oscar