Difference between revisions of "Fail2Ban"
Latest revision as of 10:41, 25 October 2016
'''Warning:''' These instructions were only tested on Debian. They will probably work for other Linux distributions, but you might need to adapt them.

Fail2ban is a program that parses logs and blocks hosts that try to abuse your system. While it doesn't replace a firewall, it's a good complement, because it stops people from trying thousands of passwords against your server.
== Prerequisite ==
This guide will configure Fail2Ban to work with [[nftables]].
== Installation ==
<syntaxhighlight lang="console">
# apt install fail2ban iptables-
</syntaxhighlight>
'''Note:''' Debian Stretch (currently in testing) contains a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases, and installing the version from stretch will save you from migration pain later. Make sure you [[Apt#sources.list|configure the stretch source]] before running the command below.
<syntaxhighlight lang="console">
# apt install fail2ban/stretch iptables-
</syntaxhighlight>
'''Note 2:''' On systems with both the 64-bit and the 32-bit architecture enabled, you might need the following command to avoid installing iptables:
<syntaxhighlight lang="console">
# apt install fail2ban iptables- iptables:i386-
</syntaxhighlight>
== Configuration ==

After you change the configuration or add a new jail, don't forget to restart fail2ban:
<syntaxhighlight lang="console">
# service fail2ban restart
</syntaxhighlight>

=== nftables ===
nftables support was added in release 0.9.4. If you have an older release, you can copy the three <code>nftables-*</code> files from [https://github.com/fail2ban/fail2ban/tree/master/config/action.d the official repository] into <code>/etc/fail2ban/action.d</code>.
==== Create table ====
Create the file <code>/etc/nftables/fail2ban.conf</code>:
<syntaxhighlight lang="ini">
#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
	chain input {
		# Fail2ban adds its drop rules to this chain. Note that nftables evaluates
		# lower priority numbers first, so priority 100 runs after the standard
		# filter chains (priority 0); banned packets are still dropped either way.
		type filter hook input priority 100;
	}
}
</syntaxhighlight>
Then add the line <code>include "/etc/nftables/fail2ban.conf"</code> to <code>/etc/nftables.conf</code>.

Finally, activate the rule in nftables:
<syntaxhighlight lang="console">
# nft -f /etc/nftables/fail2ban.conf
</syntaxhighlight>
==== Set table in Fail2Ban ====
Create the file <code>/etc/fail2ban/action.d/nftables-common.local</code>:
<syntaxhighlight lang="ini">
[Init]
# Definition of the table used
nftables_family = ip
nftables_table = fail2ban

# Drop packets
blocktype = drop

# Remove the nftables prefix. Set names are limited to 15 characters, so we want them all
nftables_set_prefix =
</syntaxhighlight>
=== Defaults ===
Create the file <code>/etc/fail2ban/jail.local</code>:
<syntaxhighlight lang="ini">
[DEFAULT]
# Destination email for actions that send you an email
destemail = fail2ban@mydomain.example

# Sender email. Warning: not all actions take this into account. Make sure to test it if you rely on this
sender = fail2ban@mydomain.example

# Default action. Bans the host and sends you an email with the whois output and the matching log lines.
action = %(action_mwl)s

# Configure nftables
banaction = nftables-multiport
chain = input
</syntaxhighlight>
=== Recidive ===
The recidive jail bans hosts for a longer period if they have been banned multiple times in a row.

Create the file <code>/etc/fail2ban/jail.d/recidive.conf</code>:
<syntaxhighlight lang="ini">
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase the value of dbpurgeage
#    to maintain entries for failed logins for a sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
banaction = nftables-allports
bantime  = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = 0-255
</syntaxhighlight>
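To make the escalation rule concrete, here is an added Python example (not part of this page and not fail2ban's own code) that replays constructed <code>fail2ban.log</code> lines through the same logic the recidive jail above applies: a host that was banned <code>maxretry</code> times by any other jail within <code>findtime</code> becomes a recidive hit. The log line format and the exclusion of recidive's own bans are assumptions modelled on fail2ban 0.9.

```python
import re
from datetime import datetime, timedelta

# Sample fail2ban.log lines, constructed for this example (not real captures).
SAMPLE_LOG = """\
2016-10-25 08:00:01,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-25 09:30:12,002 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10
2016-10-25 09:45:00,003 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-25 10:10:00,004 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
2016-10-25 11:20:00,005 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-25 11:25:00,006 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 192.0.2.10
2016-10-26 12:00:00,007 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
"""

# Matches only "Ban" notices (assumed 0.9 log layout); "Unban" lines never match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<host>\S+)\s*$"
)


def recidive_hits(log_text, findtime=86400, maxretry=3):
    """Return {host: timestamp} for hosts whose bans reach maxretry within a
    sliding findtime window, using the jail.d/recidive.conf values as defaults."""
    window = timedelta(seconds=findtime)
    bans = {}   # host -> ban timestamps still inside the window
    hits = {}   # host -> time the recidive threshold was first reached
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        # Skip bans issued by recidive itself so a long ban cannot re-trigger it
        # (fail2ban's stock recidive filter excludes its own jail the same way).
        if not m or m.group("jail") == "recidive":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        recent = [t for t in bans.get(host, []) if ts - t <= window]
        recent.append(ts)
        bans[host] = recent
        if len(recent) >= maxretry and host not in hits:
            hits[host] = ts
    return hits


if __name__ == "__main__":
    for host, when in recidive_hits(SAMPLE_LOG).items():
        print(f"{when} recidive would ban {host} (nftables-allports, 0-255)")
```

With the sample log, 192.0.2.10 collects three sshd bans inside one day and is escalated at the third, while 198.51.100.7 is banned twice but more than 24 hours apart, so it never reaches maxretry.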
=== Other rules ===
Rules specific to one program are documented on that program's page. You can see the list on the [[:Category:Fail2Ban|fail2ban category page]].