linux:apps:fail2ban

Differences

This shows you the differences between two versions of the page.

linux:apps:fail2ban [2023/09/06 14:37] – [/etc/fail2ban/filter.d/www-login-fail.conf] oscar
linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
Line 276: Line 276:
  
 ===== Actions ===== ===== Actions =====
-This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. +This file is responsible for setting up the firewall with a structure that allows easy modifications for banning malicious hosts, and for adding and removing those hosts as necessary. It is located in the following directory: **/etc/fail2ban/action.d**. E.g. the action that our SSH service invokes is called nftables-multiport.
-E.g. the action that our SSH service invokes is called iptables-multiport. Open the associated file now: +
-  sudo nano /etc/fail2ban/action.d/iptables-multiport.conf +
-With the comments removed, this file looks something like this: +
-<code> +
-[INCLUDES] +
-before = iptables-blocktype.conf +
- +
-[Definition] +
-actionstart = iptables -N fail2ban-<name> +
-              iptables -A fail2ban-<name> -j RETURN +
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +
- +
-actioncheck = iptables -n -L <chain> | grep -a 'fail2ban-<name>[ \t]' +
- +
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> +
- +
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> +
- +
-[Init] +
-name = default +
-port = ssh +
-protocol = tcp +
-chain = INPUT +
-</code> +
 ==== Ban IP Range (subnet) ==== ==== Ban IP Range (subnet) ====
 In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once.  In some cases spammers have several systems infected in a specific subnet. By using different alternating IP nummers in this subnet, they can avoid Fail2Ban detection. In these cases it could be helpful to block a whole subnet range at once. 
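Review bot: the action-file walkthrough (the `sudo nano /etc/fail2ban/action.d/iptables-multiport.conf` step and the `[Definition]`/`[Init]` listing showing actionstart, actioncheck, actionban and actionunban) should not be deleted without a replacement; readers now get only the name nftables-multiport and no longer see what an action file contains. Keep at least a `sudo nano /etc/fail2ban/action.d/nftables-multiport.conf` line, or a short listing of that file's `[Definition]` section. The new sentence also states that nftables-multiport is the action the SSH service invokes, but the `[sshd]` stanza added later in this same diff sets no `banaction`, so this only holds if the default `banaction` is set to nftables-multiport elsewhere (for instance in a `[DEFAULT]` section of jail.local); say where. Minor: "E.g. the action …" now sits mid-paragraph, where "For example, the action …" reads better, and the unchanged context line below still carries the typo "nummers" (numbers).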
Line 532: Line 505:
 [Definition] [Definition]
  
-failregex = ^{"log":"<HOST> .* .*\\x.*$+# Blocking repeated 404|444|403|400 
 +# This will also match requests that are entirely empty 
 +failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
  
-ignoreregex =+datepattern {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? 
 +              ^[^\[]*\[({DATE}) 
 +              {^LN-BEG} 
 + 
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
  
 </code> </code>
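Review bot: the new `datepattern` line has no `=` as shown (`datepattern {^LN-BEG}%%ExY…`); fail2ban reads filter files as INI, so it must be `datepattern = {^LN-BEG}%%ExY…`, with the two continuation lines (`^[^\[]*\[({DATE})` and `{^LN-BEG}`) indented under it as they already are. The comment "This will also match requests that are entirely empty" does not describe the regex: `"(GET|POST|HEAD).*"` requires a method inside the quoted request line, so an empty request (`""`) does not match; drop the comment or the method group. The removed pattern matched the `\x` escapes this filter is named after (nginx-x00), while the new one matches any 400/403/404/444 response; either rename the filter or keep the `\x` match, and because ordinary visitors produce 404s, make sure the jail using this filter has a conservative `maxretry`/`findtime` so repeated, not single, hits are banned as the comment says. Finally, `ignoreregex =` was dropped; keeping it (even empty) is consistent with the other filters on this page.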
Line 578: Line 557:
 ignoreregex = ignoreregex =
  
 +</code>
  
 +===== MAIL =====
 +==== /lib/systemd/system/fail2ban.service ====
 +Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
 +<code>
 +# nano /lib/systemd/system/fail2ban.service
 +-------------------------------------------
 +[Unit]
 +...
 +After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
 </code> </code>
 +
 +==== Config ====
 +We enables the following 3 default Debian fail2ban installation jails for our mail server:
 +  * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server
 +  * **postfix.conf**: filter for selected Postfix SMTP rejections 
 +  * **postfix-sasl.conf**: filter for selected Postfix Authentication failures
 +==== /etc/fail2ban/jail.local ====
 +<code>
 +[sshd]
 +
 +# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +# normal (default), ddos, extra or aggressive (combines all).
 +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +enabled = true
 +#mode   = normal
 +port    = ssh
 +logpath = %(sshd_log)s
 +#backend = %(sshd_backend)s
 +backend = systemd
 +
 +#
 +# Mail servers
 +#
 +[postfix]
 +# To use another modes set filter parameter "mode" in jail.local:
 +enabled = true
 +mode    = more
 +port    = smtp,465,submission
 +bantime  = 28800
 +findtime = 14400
 +maxretry = 3
 +#logpath = %(postfix_log)s
 +logpath = /var/log/postfix.log
 +backend = %(postfix_backend)s
 +
 +[postfix-rbl]
 +filter   = postfix[mode=rbl]
 +port     = smtp,465,submission
 +logpath  = %(postfix_log)s
 +backend  = %(postfix_backend)s
 +maxretry = 1
 +
 +[postfix-sasl]
 +enabled  = true
 +filter   = postfix[mode=auth]
 +port     = smtp,465,submission,imap,imaps,pop3,pop3s
 +bantime  = 604800
 +findtime = 43200
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +# You might consider monitoring /var/log/mail.warn instead if you are
 +# running postfix since it would provide the same log lines at the
 +# "warn" level but overall at the smaller filesize.
 +#logpath  = %(postfix_log)s
 +logpath  = /var/log/postfix.log
 +backend  = %(postfix_backend)s
 +
 +[sendmail-auth]
 +port    = submission,465,smtp
 +logpath = %(syslog_mail)s
 +backend = %(syslog_backend)s
 +
 +[sendmail-reject]
 +# To use more aggressive modes set filter parameter "mode" in jail.local:
 +# normal (default), extra or aggressive
 +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 +#mode    = normal
 +port     = smtp,465,submission
 +logpath  = %(syslog_mail)s
 +backend  = %(syslog_backend)s
 +
 +
 +# dovecot defaults to logging to the mail syslog facility
 +# but can be set by syslog_facility in the dovecot configuration.
 +[dovecot]
 +enabled  = true
 +port    = pop3,pop3s,imap,imaps,submission,465,sieve
 +bantime  = 14400
 +findtime = 43200
 +maxretry = 2
 +#logpath = %(dovecot_log)s
 +logpath = /var/log/dovecot.log
 +backend = %(dovecot_backend)s
 +
 +
 +[sieve]
 +port   = smtp,465,submission
 +logpath = %(dovecot_log)s
 +backend = %(dovecot_backend)s
 +
 +[mysqld-auth]
 +port     = 3306
 +logpath  = %(mysql_log)s
 +backend  = %(mysql_backend)s
 +
 +# Generic filter for PAM. Has to be used with action which bans all
 +# ports such as iptables-allports, shorewall
 +[pam-generic]
 +# pam-generic filter can be customized to monitor specific subset of 'tty's
 +banaction = %(banaction_allports)s
 +logpath  = %(syslog_authpriv)s
 +backend  = %(syslog_backend)s
 +
 +
 +</code>
 +
 ===== Links ===== ===== Links =====
   * [[https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server|How Fail2Ban Works]]   * [[https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server|How Fail2Ban Works]]
   * [[https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04|How To Protect an Nginx Server with Fail2Ban]]   * [[https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04|How To Protect an Nginx Server with Fail2Ban]]
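Review bot: editing `/lib/systemd/system/fail2ban.service` in place will be undone by the next fail2ban package upgrade; put the extended `After=` line in a drop-in instead (`systemctl edit fail2ban`, which writes `/etc/systemd/system/fail2ban.service.d/override.conf` with a `[Unit]` section), then `systemctl daemon-reload`. In jail.local, the `[sshd]` stanza sets `backend = systemd` but keeps `logpath = %(sshd_log)s`; the systemd backend reads the journal via journalmatch and does not use logpath, so that line is dead and may mislead readers. The `[postfix-rbl]`, `[sendmail-auth]`, `[sendmail-reject]`, `[sieve]`, `[mysqld-auth]` and `[pam-generic]` stanzas are copied from jail.conf without `enabled = true`, so they change nothing; jail.local would be easier to audit with only the jails actually overridden. `[postfix-sasl]` uses `banaction = nftables-subnet[type=multiport]`, which is not a stock fail2ban action; add a pointer to the "Ban IP Range (subnet)" section where it is defined. Typos in the new prose: "We enables" (We enable) and "ilter Dovecot" (filter Dovecot).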
  
linux/apps/fail2ban.1694011024.txt.gz · Last modified: by oscar