Difference between revisions of "Fail2ban"

Latest revision as of 21:26, 29 March 2019


Installation

apt-get install fail2ban


Fail2ban Configuration

vim /etc/fail2ban/fail2ban.conf


You can:

  • Adjust the log file - default is: /var/log/fail2ban.log
  • Adjust the log level


Restart | check fail2ban

Fail2ban is registered as a service by default.

service fail2ban restart


You can check the log in the dedicated log file:

cat /var/log/fail2ban.log

Ban rules

Edit the ban configuration rule:

vim /etc/fail2ban/jail.conf

Default (generic) properties

 
[DEFAULT]
ignoreip = 127.0.0.1/8 172.16.50.0/24
...
# "bantime" is the number of seconds that a host is banned.
# default 600s ; 86400 = 24h
bantime  = 86400

# Widen the attempt window: many scanners pause for the default findtime + 1s between attempts.
# default 600
findtime = 3600


  • In "ignoreip" add your LAN + VPN networks
  • Adjust "bantime" and "findtime"


SSH configuration

Enable and adjust:

  • SSH
  • SSH-DDOS
  • SSH-Route
  • SSH-iptables-*
 
[ssh]
enabled  = true
port     = ssh,2200
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

...

[ssh-ddos]

enabled  = true
port     = ssh,2200
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 4


# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

[ssh-route]

enabled = true
filter = sshd
action = route
#logpath = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 4


# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use.
# Requires the ipset package and kernel support.

[ssh-iptables-ipset4]

enabled  = true
port     = ssh,2200
filter   = sshd
banaction = iptables-ipset-proto4
#logpath  = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 4

[ssh-iptables-ipset6]

enabled  = true
port     = ssh,2200
filter   = sshd
banaction = iptables-ipset-proto6
#logpath  = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 4


- Note -

  • You can use multi-port filtering with port=X,Y
  • For the iptables/ipset jails, set logpath to the file sshd really writes to on your system (the commented /var/log/sshd.log versus /var/log/auth.log above)


Apache2 Virtual Host

To secure your virtual hosts, you can duplicate some rules using the same filter:

  • Give the new rule its own section name: [myRuleName]
  • You just need to adjust the logpath


 

[apache-default]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-daxiongmao]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache/daxiongmao*/*error.log
maxretry = 6




VPN rule

It's a good idea to protect your server against brute force attacks and intruders.


Create new VPN rule

Create a new filter file for Fail2Ban:

vim /etc/fail2ban/filter.d/openvpn.conf


Add:

[Definition]
failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
     [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
     [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*


Apply VPN rule

Edit Fail2Ban main configuration:

vim /etc/fail2ban/jail.conf


At the end of the file, add:

[openvpn]
enabled = true
port = 8080
protocol = udp
filter = openvpn
logpath = /etc/openvpn/openvpn.log
maxretry = 3



Custom filters and rules

You can create your own custom filters and rules that use them.


Create filter

Create a new .conf file like this:

 
vim /etc/fail2ban/filter.d/myFilter.conf


 
# My filter
# Blocks IPs that …
[Definition]
 
failregex = regex expression
ignoreregex =


The key point is the filter regex.


Test your filter

Test your new filter against a real log file with "fail2ban-regex" before enabling a jail that uses it:

 
# fail2ban-regex <log file> <filter configuration>
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/auth-login.conf
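As an added example (not code from the original page), the openvpn filter and jail from the VPN section are run through a small Python emulation of what fail2ban-regex does: each failregex line gets <HOST> expanded, is searched against constructed log lines, and the captured hosts are then counted against maxretry and the ignoreip networks from the [DEFAULT] section. The <HOST> expansion and the sample log lines are assumptions; findtime is not modelled.

```python
import ipaddress
import re
from collections import defaultdict
# failregex lines and jail settings copied from the page; HOST_RE is the
# expansion fail2ban substitutes for <HOST> (assumption: the 0.9-era pattern).
FAILREGEX = [
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*",
]
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
MAXRETRY = 3
IGNOREIP = [ipaddress.ip_network(n, strict=False)  # strict=False: host bits set
            for n in ("127.0.0.1/8", "172.16.50.0/24")]
# Constructed sample log (not a real capture): one attacker, one expired cert,
# three failures from the trusted VPN LAN and one line that is not a failure.
SAMPLE_LOG = """\
Mar 29 21:00:01 vpn ovpn-server[1234]: 203.0.113.5:51234 TLS Error: TLS handshake failed
Mar 29 21:00:02 vpn ovpn-server[1234]: 203.0.113.5:51235 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 29 21:00:03 vpn ovpn-server[1234]: 198.51.100.7:40001 VERIFY ERROR: depth=0, error=certificate has expired
Mar 29 21:00:04 vpn ovpn-server[1234]: 203.0.113.5:51236 TLS Error: TLS handshake failed
Mar 29 21:00:05 vpn ovpn-server[1234]: 172.16.50.9:50000 TLS Error: TLS handshake failed
Mar 29 21:00:06 vpn ovpn-server[1234]: 172.16.50.9:50001 TLS Error: TLS handshake failed
Mar 29 21:00:07 vpn ovpn-server[1234]: 172.16.50.9:50002 TLS Error: TLS handshake failed
Mar 29 21:00:08 vpn ovpn-server[1234]: 203.0.113.5:51237 Peer Connection Initiated with [AF_INET]203.0.113.5:51237
"""

def compile_filter(failregex, host_re=HOST_RE):
    """Expand <HOST> as fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", host_re)) for p in failregex]

def matched_hosts(log_text, patterns):
    """What fail2ban-regex reports: the host captured from every matching line."""
    hits = []
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits

def hosts_to_ban(hits, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Apply ignoreip and maxretry (findtime is not modelled: one window)."""
    counts = defaultdict(int)
    for host in hits:
        addr = ipaddress.ip_address(host)  # this log only yields IPs, not names
        if not any(addr in net for net in ignoreip):
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With this log only 203.0.113.5 reaches maxretry; 172.16.50.9 also fails three times but is inside the 172.16.50.0/24 ignoreip network, which is exactly why the LAN and VPN ranges belong in [DEFAULT].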


Create rule(s) for the new filter

Now you have to update your rules to use that new filter:

 
vim /etc/fail2ban/jail.conf


 
[myFilter-apache]
enabled  = true
port     = http,https
filter   = myFilter
logpath  = /var/log/apache*/*access*.log
maxretry = 6


The filter attribute matches the file name without '.conf'.