Difference between revisions of "Fail2Ban"
(Switch to nftables) |
|||
Line 1: | Line 1: | ||
{{Debian}} | {{Debian}} | ||
Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server. | Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server. | ||
+ | |||
+ | == Prerequisite == | ||
+ | This guide will configure Fail2Ban to work with [[nftables]]. | ||
== Installation == | == Installation == | ||
Line 13: | Line 16: | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
# service fail2ban restart | # service fail2ban restart | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === nftables === | ||
+ | nftables support was added in release 0.9.4. If you have an older release, you can copy the 3 <code>nftables-*</code> files from [https://github.com/fail2ban/fail2ban/tree/master/config/action.d the official repository] and add them to <code>/etc/fail2ban/action.d</code>. | ||
+ | |||
+ | ==== Create table ==== | ||
+ | Create file <code>/etc/nftables/fail2ban.conf</code><syntaxhighlight lang="ini"> | ||
+ | #!/usr/sbin/nft -f | ||
+ | |||
+ | # Use ip as fail2ban doesn't support ipv6 yet | ||
+ | table ip fail2ban { | ||
+ | chain input { | ||
+ | # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation | ||
+ | type filter hook input priority 100; | ||
+ | } | ||
+ | } | ||
+ | </syntaxhighlight>Then add line <code>include "/etc/nftables/fail2ban.conf"</code> in <code>/etc/nftables.conf</code>. | ||
+ | |||
+ | Finally activate your rule in nftables<syntaxhighlight lang="console"> | ||
+ | # nft -f /etc/nftables/fail2ban.conf | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==== Set table in Fail2Ban ==== | ||
+ | Create file <code>/etc/fail2ban/action.d/nftables-common.local</code><syntaxhighlight lang="ini"> | ||
+ | [Init] | ||
+ | # Definition of the table used | ||
+ | nftables_family = ip | ||
+ | nftables_table = fail2ban | ||
+ | |||
+ | # Drop packets | ||
+ | blocktype = drop | ||
+ | |||
+ | # Remove nftables prefix. Set names are limited to 15 char so we want them all | ||
+ | nftables_set_prefix = | ||
</syntaxhighlight> | </syntaxhighlight> | ||
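Review bot: the comment on the `type filter hook input priority 100;` line has nftables ordering backwards. A lower priority number runs earlier, so 100 places this chain after the default filter chains at priority 0 and banned packets still traverse those chains before being dropped. For the stated goal (drop before more complex rule evaluation) use a negative value, e.g. `type filter hook input priority -1;`, and correct the comment. Two smaller points in the same hunk: the file is both included from `/etc/nftables.conf` and loaded directly with `nft -f`, which works because `nft -f` adds to the ruleset rather than flushing it, but the text should say so; and `nftables_family = ip` together with `type ipv4_addr` sets means IPv6 clients are never banned, which the "doesn't support ipv6 yet" comment should spell out as a limitation rather than leave implicit.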
Line 27: | Line 64: | ||
# Default action. Will block user and send you an email with whois content and log lines. | # Default action. Will block user and send you an email with whois content and log lines. | ||
action = %(action_mwl)s | action = %(action_mwl)s | ||
+ | |||
+ | # configure nftables | ||
+ | banaction = nftables-multiport | ||
+ | chain = input | ||
</syntaxhighlight> | </syntaxhighlight> | ||
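Review bot: `chain = input` is only a name lookup; it must match the chain defined inside the `fail2ban` table in the nft file, and nothing here verifies that. Also, since `action = %(action_mwl)s` mails whois output and log lines on every ban, the host needs a working MTA and the `whois` command, and the "# configure nftables" comment should mention both so a reader does not end up with a jail whose action fails at start.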
Line 45: | Line 86: | ||
enabled = true | enabled = true | ||
logpath = /var/log/fail2ban.log | logpath = /var/log/fail2ban.log | ||
− | banaction = | + | banaction = nftables-allports |
bantime = 86400 ; 1 day | bantime = 86400 ; 1 day | ||
findtime = 86400 ; 1 day | findtime = 86400 ; 1 day | ||
maxretry = 3 | maxretry = 3 | ||
− | protocol = | + | protocol = 0-255 |
</syntaxhighlight> | </syntaxhighlight> | ||
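Review bot: `protocol = 0-255` with `banaction = nftables-allports` is the right combination, since it turns the match into every IP protocol instead of only tcp; say that in a comment, because a reader copying `0-255` into a multiport jail would be surprised. Separately, `bantime = 86400` raises the ban far above the default, so warning 2 at the top of this very file applies: `dbpurgeage` (default 86400 in fail2ban.conf) must be raised above the new bantime in fail2ban.local, otherwise recidive bans can be purged from the database before they expire.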
Revision as of 22:54, 27 March 2016
Warning: These instructions were only tested on Debian. They will probably work on other Linux distributions, but you might need to adapt them.
Fail2ban is a program that parses logs and blocks hosts that try to abuse your system. It does not replace a firewall, but it is a good complement: it stops people from trying thousands of passwords against your server.
Prerequisite
This guide will configure Fail2Ban to work with nftables.
Installation
Debian Stretch (currently in testing) contains a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases, and installing the version from stretch will save you migration pain later. Make sure you have configured the stretch source before running the command below.
# apt install fail2ban/stretch
Configuration
After you change the configuration or add a new jail, don't forget to restart fail2ban:
# service fail2ban restart
nftables
nftables support was added in release 0.9.4. If you have an older release, you can copy the three nftables-* files from the official repository (https://github.com/fail2ban/fail2ban/tree/master/config/action.d) into /etc/fail2ban/action.d.
Create table
Create the file /etc/nftables/fail2ban.conf:
#!/usr/sbin/nft -f

# Use the ip family: fail2ban does not support IPv6 yet, so IPv6 clients are never banned
table ip fail2ban {
    chain input {
        # Lower priority values run first. The default filter chains use priority 0,
        # so -1 evaluates this chain before them and drops banned hosts without
        # going through the more complex rules.
        type filter hook input priority -1;
    }
}
Then add the line include "/etc/nftables/fail2ban.conf" to /etc/nftables.conf so the table is recreated at boot.
Finally, load the table into the running ruleset (nft -f adds to the ruleset, it does not flush it):
# nft -f /etc/nftables/fail2ban.conf
Set table in Fail2Ban
Create the file /etc/fail2ban/action.d/nftables-common.local:
[Init]
# Family and table created above
nftables_family = ip
nftables_table = fail2ban

# Drop packets instead of rejecting them
blocktype = drop

# Remove the set-name prefix: nftables set names are limited to 15 characters,
# so keep all of them for the jail name
nftables_set_prefix =
Defaults
Create file /etc/fail2ban/jail.local
[DEFAULT]
# Destination email for actions that send you an email
destemail = fail2ban@mydomain.example
# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender = fail2ban@mydomain.example
# Default action. Will block the host and send you an email with whois content and log lines (requires a working MTA and the whois command).
action = %(action_mwl)s
# Use the nftables actions; chain must be the name of the chain inside the fail2ban table
banaction = nftables-multiport
chain = input
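The steps above (nft table, nftables-common.local, banaction and chain in jail.local) leave two things unchecked: whether the chain really exists in the table with a priority that runs early, and whether a jail name fits the 15-character set-name limit once the prefix is applied. The following Python script is an added example, not code from this page or from the fail2ban project: it renders the nft commands a jail start, ban and unban would issue under the settings above and checks an nft -f file. The command text is an approximation of what the nftables-multiport and nftables-allports actions do (one address set per jail, one rule in the chain matching that set, ban/unban adding or deleting a set element); read /etc/fail2ban/action.d/nftables-*.conf for the exact text on your release. The identifier regex and the sample table file are assumptions constructed for the example.

```python
"""Render and sanity-check the nft commands a fail2ban nftables ban action
issues under the settings used on this page (family ip, table fail2ban,
chain input, empty set prefix, blocktype drop).

Added example, not fail2ban's own code: command shapes approximate the
nftables-multiport / nftables-allports actions.
"""
import re

NFT_SET_NAME_MAX = 15          # set-name limit cited on this page

# Settings from nftables-common.local and jail.local on this page
NFT_FAMILY = "ip"
NFT_TABLE = "fail2ban"
NFT_CHAIN = "input"
NFT_SET_PREFIX = ""
BLOCKTYPE = "drop"

# Assumed identifier syntax: letters, digits, '_' and '-', not starting with a digit
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")
_TABLE_RE = re.compile(r"table\s+(\w+)\s+(\S+)\s*\{(.*?)\n\}", re.S)
_CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{([^}]*)\}")
_PRIO_RE = re.compile(r"priority\s+(-?\d+)")


def set_name(jail, prefix=NFT_SET_PREFIX):
    """Per-jail address set name; raise if nftables would reject it."""
    name = prefix + jail
    if not _NAME_RE.match(name):
        raise ValueError("invalid nftables set name: %r" % name)
    if len(name) > NFT_SET_NAME_MAX:
        raise ValueError("set name %r is %d chars, limit %d: shorten the jail name "
                         "or nftables_set_prefix" % (name, len(name), NFT_SET_NAME_MAX))
    return name


def match_expr(mode, ports=(), protocol="tcp"):
    """Layer-4 match of the rule: multiport (tcp dport set) or allports (l4proto set)."""
    if mode == "multiport":
        return "tcp dport { %s }" % ", ".join(str(p) for p in ports)
    if mode == "allports":
        return "meta l4proto { %s }" % protocol
    raise ValueError("unknown mode %r" % mode)


def actionstart(jail, mode, ports=(), protocol="tcp"):
    """Commands run when the jail starts: create the set and the rule that uses it."""
    s = set_name(jail)
    return [
        "nft add set %s %s %s { type ipv4_addr; }" % (NFT_FAMILY, NFT_TABLE, s),
        "nft add rule %s %s %s %s ip saddr @%s %s"
        % (NFT_FAMILY, NFT_TABLE, NFT_CHAIN, match_expr(mode, ports, protocol), s, BLOCKTYPE),
    ]


def actionban(jail, ip):
    return "nft add element %s %s %s { %s }" % (NFT_FAMILY, NFT_TABLE, set_name(jail), ip)


def actionunban(jail, ip):
    return "nft delete element %s %s %s { %s }" % (NFT_FAMILY, NFT_TABLE, set_name(jail), ip)


def check_table_file(text, family=NFT_FAMILY, table=NFT_TABLE, chain=NFT_CHAIN):
    """Problems with an `nft -f` file: table or chain missing, chain not a base chain,
    or a hook priority that does not run before the default filter chains (0).
    Assumes the chain body holds no nested braces (no inline sets)."""
    for fam, tab, body in _TABLE_RE.findall(text):
        if (fam, tab) != (family, table):
            continue
        chains = dict(_CHAIN_RE.findall(body))
        if chain not in chains:
            return ["chain %s not defined in table %s %s" % (chain, family, table)]
        m = _PRIO_RE.search(chains[chain])
        if m is None:
            return ["chain %s has no hook/priority, so it is not a base chain" % chain]
        prio = int(m.group(1))
        if prio >= 0:
            return ["priority %d runs at or after the default filter chains (priority 0); "
                    "lower values run first, use a negative priority to drop early" % prio]
        return []
    return ["table %s %s not found" % (family, table)]


# Constructed sample of /etc/nftables/fail2ban.conf as described on this page
SAMPLE_TABLE = """\
#!/usr/sbin/nft -f
table ip fail2ban {
  chain input {
    type filter hook input priority -1;
  }
}
"""

if __name__ == "__main__":
    print(check_table_file(SAMPLE_TABLE))                        # []
    print(check_table_file(SAMPLE_TABLE.replace("-1", "100")))   # priority warning
    for cmd in actionstart("sshd", "multiport", ports=(22,)):
        print(cmd)
    print(actionban("sshd", "203.0.113.5"))                      # TEST-NET-3 address
    for cmd in actionstart("recidive", "allports", protocol="0-255"):
        print(cmd)
    try:
        set_name("nginx-http-auth", prefix="f2b-")               # 19 chars, too long
    except ValueError as exc:
        print("rejected:", exc)
```

The last call shows why the page empties nftables_set_prefix: a jail name such as nginx-http-auth is exactly 15 characters and fits on its own, but not with the stock f2b- prefix.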
Recidive
The recidive jail bans hosts for a longer period when they have already been banned several times within findtime. It does this by reading fail2ban's own log and counting Ban lines per address.
Create file /etc/fail2ban/jail.d/recidive.conf
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
# to maintain entries for failed logins for sufficient amount of time.
# The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = nftables-allports
bantime = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = 0-255
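To see what the jail above actually computes, here is the recidive logic over fail2ban's own log as an added Python example (not fail2ban's code): it counts "Ban <ip>" lines per address inside a findtime window, flags the address once it reaches maxretry, and skips bans written by the recidive jail itself, which is the self-feeding loop that warning 1 in the jail file is about. The log line format and the regex are an approximation of fail2ban 0.9 output, and the sample log is constructed with documentation addresses.

```python
"""Recidive detection over fail2ban.log: maxretry bans within findtime => recidive ban.

Added example, not fail2ban's code; log format and regex approximate fail2ban 0.9.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# e.g. 2016-03-27 22:54:01,123 fail2ban.actions[1234]: NOTICE  [sshd] Ban 203.0.113.5
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.actions(?:\[\d+\])?:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)


def parse_ban(line):
    """Return (timestamp, jail, ip) for a Ban line, None for anything else (Unban, DEBUG...)."""
    m = BAN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("jail"), m.group("ip")


def recidive_bans(lines, findtime=86400, maxretry=3, self_jail="recidive"):
    """Yield (timestamp, ip) each time an address reaches maxretry bans within findtime."""
    window = timedelta(seconds=findtime)
    seen = defaultdict(deque)          # ip -> timestamps of bans still inside the window
    for line in lines:
        ev = parse_ban(line)
        if ev is None:
            continue
        ts, jail, ip = ev
        if jail == self_jail:          # our own bans must not count, or the jail feeds itself
            continue
        q = seen[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop bans older than findtime
        if len(q) >= maxretry:
            yield ts, ip
            q.clear()                  # one burst yields one recidive ban, then count afresh


def scan(text, **kw):
    """Run recidive_bans over a whole log text; returns a list of (datetime, ip)."""
    return list(recidive_bans(text.splitlines(), **kw))


# Constructed sample /var/log/fail2ban.log (203.0.113.0/24, 198.51.100.0/24 are documentation ranges)
SAMPLE_LOG = """\
2016-03-27 01:00:00,001 fail2ban.actions[1234]: NOTICE  [sshd] Ban 203.0.113.5
2016-03-27 01:12:00,002 fail2ban.actions[1234]: NOTICE  [sshd] Unban 203.0.113.5
2016-03-27 06:00:00,003 fail2ban.actions[1234]: NOTICE  [sshd] Ban 203.0.113.5
2016-03-27 06:00:00,004 fail2ban.actions[1234]: NOTICE  [sshd] Ban 198.51.100.7
2016-03-27 12:00:00,005 fail2ban.actions[1234]: NOTICE  [postfix] Ban 203.0.113.5
2016-03-27 12:00:01,006 fail2ban.actions[1234]: NOTICE  [recidive] Ban 203.0.113.5
2016-03-27 12:00:02,007 fail2ban.actions[1234]: NOTICE  [recidive] Ban 203.0.113.5
2016-03-27 12:00:03,008 fail2ban.actions[1234]: NOTICE  [recidive] Ban 203.0.113.5
2016-03-28 08:00:00,009 fail2ban.actions[1234]: NOTICE  [sshd] Ban 198.51.100.7
2016-03-29 10:00:00,010 fail2ban.actions[1234]: NOTICE  [sshd] Ban 198.51.100.7
"""

if __name__ == "__main__":
    for ts, ip in scan(SAMPLE_LOG):
        print(ts, "recidive ban", ip)   # only 203.0.113.5: three bans within one day
```

In the sample, 203.0.113.5 is banned by two different jails three times within a day and gets the recidive ban; 198.51.100.7 is banned three times too, but each ban is more than findtime after the previous one, so it never qualifies; and the repeated [recidive] lines are ignored, as they would otherwise count toward a second recidive ban of the same host.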
Other rules
Rules specific to one program are documented on the program page. You can see the list on the fail2ban category page.