Difference between revisions of "Fail2Ban"

From wiki
m (Intro)
(add amd64 instructions)
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Debian}}Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server.
+
{{Debian}}
 +
Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server.
 +
 
 +
== Prerequisite ==
 +
This guide will configure Fail2Ban to work with [[nftables]].
  
 
== Installation ==
 
== Installation ==
Debian Stretch (currently in testing) contain a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases and installing the version from stretch will save you migration pain later.<syntaxhighlight lang="console">
+
<syntaxhighlight lang="console">
# apt install fail2ban/stretch
+
# apt install fail2ban iptables-
 +
</syntaxhighlight>'''Note:''' Debian Stretch (currently in testing) contain a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases and installing the version from stretch will save you from migration pain later. Make sure you [[Apt#sources.list|configure stretch source]] before running the command bellow.
 +
<syntaxhighlight lang="console">
 +
# apt install fail2ban/stretch iptables-
 +
</syntaxhighlight>'''Note2:''' On systems with both 64bits and 32bits architectures enabled, you might need the following command to avoid installing iptables<syntaxhighlight lang="console">
 +
# apt install fail2ban iptables- iptables:i386-
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
== Configuration ==
 
== Configuration ==
 +
 +
After you change configuration, or add a new jail, don't forget to restart fail2ban
 +
<syntaxhighlight lang="console">
 +
# service fail2ban restart
 +
</syntaxhighlight>
 +
 +
=== nftables ===
 +
nftables support was added in release 0.9.4. If you have an older release, you can copy the 3 <code>nftables-*</code> files from [https://github.com/fail2ban/fail2ban/tree/master/config/action.d the official repository] and add them to <code>/etc/fail2ban/action.d</code>.
 +
 +
==== Create table ====
 +
Create file <code>/etc/nftables/fail2ban.conf</code><syntaxhighlight lang="ini">
 +
#!/usr/sbin/nft -f
 +
 +
# Use ip as fail2ban doesn't support ipv6 yet
 +
table ip fail2ban {
 +
        chain input {
 +
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
 +
                type filter hook input priority 100;
 +
        }
 +
}
 +
</syntaxhighlight>
 +
Then add line <code>include "/etc/nftables/fail2ban.conf"</code> in <code>/etc/nftables.conf</code>.
 +
 +
Finally activate your rule in nftables
 +
<syntaxhighlight lang="console">
 +
# nft -f /etc/nftables/fail2ban.conf
 +
</syntaxhighlight>
 +
 +
==== Set table in Fail2Ban ====
 +
Create file <code>/etc/fail2ban/action.d/nftables-common.local</code><syntaxhighlight lang="ini">
 +
[Init]
 +
# Definition of the table used
 +
nftables_family = ip
 +
nftables_table  = fail2ban
 +
 +
# Drop packets
 +
blocktype      = drop
 +
 +
# Remove nftables prefix. Set names are limited to 15 char so we want them all
 +
nftables_set_prefix =
 +
</syntaxhighlight>
  
 
=== Defaults ===
 
=== Defaults ===
Create file <code>/etc/fail2ban/jail.local</code><syntaxhighlight lang="ini">
+
Create file <code>/etc/fail2ban/jail.local</code>
 +
<syntaxhighlight lang="ini">
 
[DEFAULT]
 
[DEFAULT]
 
# Destination email for action that send you an email
 
# Destination email for action that send you an email
Line 19: Line 70:
 
# Default action. Will block user and send you an email with whois content and log lines.
 
# Default action. Will block user and send you an email with whois content and log lines.
 
action    = %(action_mwl)s
 
action    = %(action_mwl)s
 +
 +
# configure nftables
 +
banaction = nftables-multiport
 +
chain    = input
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
=== Recidive ===
 
=== Recidive ===
 +
The recidive rule ban users for a longer period if they have been banned multiple time in a row.
 +
 +
Create file <code>/etc/fail2ban/jail.d/recidive.conf</code>
 
<syntaxhighlight lang="ini">
 
<syntaxhighlight lang="ini">
 
# Jail for more extended banning of persistent abusers
 
# Jail for more extended banning of persistent abusers
Line 34: Line 92:
 
enabled  = true
 
enabled  = true
 
logpath  = /var/log/fail2ban.log
 
logpath  = /var/log/fail2ban.log
banaction = iptables-allports
+
banaction = nftables-allports
bantime  = 86400 ; 1 day. If you
+
bantime  = 86400 ; 1 day
 
findtime  = 86400 ; 1 day  
 
findtime  = 86400 ; 1 day  
 
maxretry  = 3  
 
maxretry  = 3  
protocol  = all
+
protocol  = 0-255
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
=== Other rules ===
 
=== Other rules ===
Rules specific to one program are documented on the program page. You can see the list on the [[:Category:Fail2Ban|fail2ban category page]]. [[Category:Install]]
+
Rules specific to one program are documented on the program page. You can see the list on the [[:Category:Fail2Ban|fail2ban category page]].
 +
[[Category:Linux Server]]
 
[[Category:Fail2Ban]]
 
[[Category:Fail2Ban]]
 +
[[Category:Debian Release]]

Latest revision as of 10:41, 25 October 2016

Warning Warning: These instructions were only tested on Debian. It will probably work for other Linux distributions, but you might need to adapt the provided instructions.

Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server.

Prerequisite

This guide will configure Fail2Ban to work with nftables.

Installation

# apt install fail2ban iptables-

Note: Debian Stretch (currently in testing) contain a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases and installing the version from stretch will save you from migration pain later. Make sure you configure stretch source before running the command bellow.

# apt install fail2ban/stretch iptables-

Note2: On systems with both 64bits and 32bits architectures enabled, you might need the following command to avoid installing iptables

# apt install fail2ban iptables- iptables:i386-

Configuration

After you change configuration, or add a new jail, don't forget to restart fail2ban

# service fail2ban restart

nftables

nftables support was added in release 0.9.4. If you have an older release, you can copy the 3 nftables-* files from the official repository and add them to /etc/fail2ban/action.d.

Create table

Create file /etc/nftables/fail2ban.conf

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}

Then add line include "/etc/nftables/fail2ban.conf" in /etc/nftables.conf.

Finally activate your rule in nftables

# nft -f /etc/nftables/fail2ban.conf

Set table in Fail2Ban

Create file /etc/fail2ban/action.d/nftables-common.local

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =

Defaults

Create file /etc/fail2ban/jail.local

[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@mydomain.example

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@mydomain.example

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

Recidive

The recidive rule ban users for a longer period if they have been banned multiple time in a row.

Create file /etc/fail2ban/jail.d/recidive.conf

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 86400 ; 1 day
findtime  = 86400 ; 1 day 
maxretry  = 3 
protocol  = 0-255

Other rules

Rules specific to one program are documented on the program page. You can see the list on the fail2ban category page.