
linux:apps:fail2ban

Differences

linux:apps:fail2ban [2023/09/06 14:09] – [/etc/fail2ban/jail.local] oscar
linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
Line 276: Line 276:
  
 ===== Actions ===== ===== Actions =====
-This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. +This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. E.g. the action that our SSH service invokes is called nftables-multiport.
-E.g. the action that our SSH service invokes is called iptables-multiport. Open the associated file now: +
-  sudo nano /etc/fail2ban/action.d/iptables-multiport.conf +
-With the comments removed, this file looks something like this: +
-<code> +
-[INCLUDES] +
-before = iptables-blocktype.conf +
- +
-[Definition] +
-actionstart = iptables -N fail2ban-<name> +
-              iptables -A fail2ban-<name> -j RETURN +
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actioncheck = iptables -n -L <chain> | grep -a 'fail2ban-<name>[ \t]' +
- +
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> +
- +
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> +
- +
-[Init] +
-name = default +
-port = ssh +
-protocol = tcp +
-chain = INPUT +
-</code> +
 ==== Ban IP Range (subnet) ==== ==== Ban IP Range (subnet) ====
 In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once.  In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once. 
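Review bot: the new sentence names nftables-multiport as the action the SSH jail invokes, but the listing that illustrated an action file (the iptables-multiport.conf excerpt with actionstart, actionban, actionunban and the [Init] defaults) was removed without a replacement, so the Actions section now points at /etc/fail2ban/action.d without showing what an action file looks like. Suggest adding the equivalent comment-stripped excerpt from nftables-multiport.conf in its place, or at least keeping the "open the associated file" step pointed at the new file. Minor, in the unchanged context line: "IP nummers" should read "IP numbers".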
Line 441: Line 414:
   * **nginx-botsearch.conf**: filter to match web requests for selected URLs that don't exist    * **nginx-botsearch.conf**: filter to match web requests for selected URLs that don't exist 
 The following have been added by ourselves: The following have been added by ourselves:
 +  * **nginx-x00.conf**: filter to detect improper x00 character requests.
   * **www-login-fail.conf**: filter to detect failed login attempts on our website.   * **www-login-fail.conf**: filter to detect failed login attempts on our website.
 The following default is not used, because we have no basic auth enables in Nginx The following default is not used, because we have no basic auth enables in Nginx
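Review bot: the description "filter to detect improper x00 character requests" does not match what the filter added further down in this diff actually catches: its failregex fires on any GET/POST/HEAD request answered with 404, 444, 403 or 400, and contains no test for an x00 character at all. Either reword the bullet to something like "filter to ban repeated 404/444/403/400 responses" or tighten the regex so it only matches the x00 requests the name promises. Also, the unchanged context line "basic auth enables" should read "basic auth enabled".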
Line 498: Line 472:
 port    = http,https port    = http,https
 logpath = %(nginx_error_log)s logpath = %(nginx_error_log)s
-</code> 
  
 +#
 +# Web Applications
 +#
 +#
 +[nextcloud]
 +enabled = true
 +#port = 80,443
 +port    = http,https
 +#protocol = tcp
 +logpath = /var/www/nextcloud/data/nextcloud.log
 +bantime = 86400
 +findtime = 3600
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +</code>
 ==== /etc/fail2ban/filter.d/nginx-bad-request.conf ==== ==== /etc/fail2ban/filter.d/nginx-bad-request.conf ====
 <code> <code>
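Review bot: the new [nextcloud] jail combines `banaction = nftables-subnet[type=multiport]` with `maxretry = 2`, `findtime = 3600` and `bantime = 86400`, so two failed logins from one address within an hour ban an entire subnet for a day; behind carrier-grade NAT or a shared office address that locks out everyone on that network, a far wider blast radius than the per-address default. Consider a per-IP banaction for this jail, keeping the subnet action for the situation described in the "Ban IP Range (subnet)" section, or a higher maxretry. Two smaller points: the jail relies on the default filter name (the jail name) to pick up filter.d/nextcloud.conf, and an explicit `filter = nextcloud` line would make that dependency visible; and the doubled `#` line in the "# Web Applications" banner looks unintended.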
Line 513: Line 501:
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 </code> </code>
 +==== /etc/fail2ban/filter.d/nginx-x00.conf ====
 +<code>
 +[Definition]
 +
 +# Blocking repeated 404|444|403|400
 +# This will also match requests that are entirely empty
 +failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
 +
 +datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 +              ^[^\[]*\[({DATE})
 +              {^LN-BEG}
 +
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 +
 +</code>
 +
 ==== /etc/fail2ban/filter.d/nginx-botsearch.conf ==== ==== /etc/fail2ban/filter.d/nginx-botsearch.conf ====
 <code> <code>
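Review bot: the failregex in nginx-x00.conf, `^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$`, bans on response status alone, so a client that repeatedly requests a missing favicon.ico, robots.txt or a stale bookmark is treated exactly like a scanner; nothing in the pattern looks for the x00 character the filter is named for. The comment "This will also match requests that are entirely empty" is also wrong for this pattern: the `(GET|POST|HEAD)` group is mandatory, so an empty request line such as `""` does not match. Suggest either anchoring the pattern on the actual x00 marker, or renaming the filter to reflect what it does and pairing it with a generous maxretry in its jail, and adding an `ignoreregex =` line so the file mirrors the other filters on the page.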
Line 546: Line 550:
 datepattern = datepattern =
 </code> </code>
 +==== /etc/fail2ban/filter.d/nextcloud.conf ====
 +<code>
 +[Definition]
 +failregex=^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
 +          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
 +ignoreregex =
  
 +</code>
 +
 +===== MAIL =====
 +==== /lib/systemd/system/fail2ban.service ====
 +Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
 +<code>
 +# nano /lib/systemd/system/fail2ban.service
 +-------------------------------------------
 +[Unit]
 +...
 +After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
 +</code>
 +
 +==== Config ====
 +We enables the following 3 default Debian fail2ban installation jails for our mail server:
 +  * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server
 +  * **postfix.conf**: filter for selected Postfix SMTP rejections 
 +  * **postfix-sasl.conf**: filter for selected Postfix Authentication failures
 +==== /etc/fail2ban/jail.local ====
 +<code>
 +[sshd]
 +
 +# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +# normal (default), ddos, extra or aggressive (combines all).
 +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +enabled = true
 +#mode   = normal
 +port    = ssh
 +logpath = %(sshd_log)s
 +#backend = %(sshd_backend)s
 +backend = systemd
 +
 +#
 +# Mail servers
 +#
 +[postfix]
 +# To use another modes set filter parameter "mode" in jail.local:
 +enabled = true
 +mode    = more
 +port    = smtp,465,submission
 +bantime  = 28800
 +findtime = 14400
 +maxretry = 3
 +#logpath = %(postfix_log)s
 +logpath = /var/log/postfix.log
 +backend = %(postfix_backend)s
 +
 +[postfix-rbl]
 +filter   = postfix[mode=rbl]
 +port     = smtp,465,submission
 +logpath  = %(postfix_log)s
 +backend  = %(postfix_backend)s
 +maxretry = 1
 +
 +[postfix-sasl]
 +enabled  = true
 +filter   = postfix[mode=auth]
 +port     = smtp,465,submission,imap,imaps,pop3,pop3s
 +bantime  = 604800
 +findtime = 43200
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +# You might consider monitoring /var/log/mail.warn instead if you are
 +# running postfix since it would provide the same log lines at the
 +# "warn" level but overall at the smaller filesize.
 +#logpath  = %(postfix_log)s
 +logpath  = /var/log/postfix.log
 +backend  = %(postfix_backend)s
 +
 +[sendmail-auth]
 +port    = submission,465,smtp
 +logpath = %(syslog_mail)s
 +backend = %(syslog_backend)s
 +
 +[sendmail-reject]
 +# To use more aggressive modes set filter parameter "mode" in jail.local:
 +# normal (default), extra or aggressive
 +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 +#mode    = normal
 +port     = smtp,465,submission
 +logpath  = %(syslog_mail)s
 +backend  = %(syslog_backend)s
 +
 +
 +# dovecot defaults to logging to the mail syslog facility
 +# but can be set by syslog_facility in the dovecot configuration.
 +[dovecot]
 +enabled  = true
 +port    = pop3,pop3s,imap,imaps,submission,465,sieve
 +bantime  = 14400
 +findtime = 43200
 +maxretry = 2
 +#logpath = %(dovecot_log)s
 +logpath = /var/log/dovecot.log
 +backend = %(dovecot_backend)s
 +
 +
 +[sieve]
 +port   = smtp,465,submission
 +logpath = %(dovecot_log)s
 +backend = %(dovecot_backend)s
 +
 +[mysqld-auth]
 +port     = 3306
 +logpath  = %(mysql_log)s
 +backend  = %(mysql_backend)s
 +
 +# Generic filter for PAM. Has to be used with action which bans all
 +# ports such as iptables-allports, shorewall
 +[pam-generic]
 +# pam-generic filter can be customized to monitor specific subset of 'tty's
 +banaction = %(banaction_allports)s
 +logpath  = %(syslog_authpriv)s
 +backend  = %(syslog_backend)s
 +
 +
 +</code>
  
 ===== Links ===== ===== Links =====
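Review bot: editing /lib/systemd/system/fail2ban.service in place (the `After=` line in the MAIL section) will be silently reverted by the next upgrade of the fail2ban package, which owns that file; put the ordering in a drop-in instead, `/etc/systemd/system/fail2ban.service.d/override.conf` containing a `[Unit]` section with the same `After=` line extended by `dovecot.service postfix.service rspamd.service`, followed by `systemctl daemon-reload`. The subnet-ban concern raised for [nextcloud] applies to [postfix-sasl] as well: `banaction = nftables-subnet[type=multiport]` with `maxretry = 2` and `bantime = 604800` bans a whole subnet for seven days after two SASL failures, so one mistyped password from a shared address takes a network offline for mail. Documentation nits: "We enables the following 3 default" should read "We enable the following three default", and "ilter Dovecot authentication" is missing its leading "f" ("filter for Dovecot authentication").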
linux/apps/fail2ban.1694009340.txt.gz · Last modified: by oscar