Difference between revisions of "Fail2Ban"
m (Category:Debian Release) |
(add small precisions) |
||
Line 1: | Line 1: | ||
− | {{Debian}}Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server. | + | {{Debian}} |
+ | Fail2ban is a program that parses logs and and block servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of password on your server. | ||
== Installation == | == Installation == | ||
− | Debian Stretch (currently in testing) contain a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases and installing the version from stretch will save you migration pain later.<syntaxhighlight lang="console"> | + | Debian Stretch (currently in testing) contain a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases and installing the version from stretch will save you from migration pain later. Make sure you [[Apt#sources.list|configure stretch source]] before running the command bellow. |
+ | <syntaxhighlight lang="console"> | ||
# apt install fail2ban/stretch | # apt install fail2ban/stretch | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Configuration == | == Configuration == | ||
+ | |||
+ | After you change configuration, or add a new jail, don't forget to restart fail2ban | ||
+ | <syntaxhighlight lang="console"> | ||
+ | # service fail2ban restart | ||
+ | </syntaxhighlight> | ||
=== Defaults === | === Defaults === | ||
− | Create file <code>/etc/fail2ban/jail.local</code><syntaxhighlight lang="ini"> | + | Create file <code>/etc/fail2ban/jail.local</code> |
+ | <syntaxhighlight lang="ini"> | ||
[DEFAULT] | [DEFAULT] | ||
# Destination email for action that send you an email | # Destination email for action that send you an email | ||
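Review bot: the `+` line that rewrites the Installation paragraph spells "below" as "bellow" ("before running the command bellow"), and the intro sentence moved onto its own `+` line still reads "parses logs and and block servers". Both lines are being touched anyway, so fix them to "the command below" and "parses logs and blocks servers". The added restart reminder would also read better ending in a colon before its console block.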
Line 22: | Line 30: | ||
=== Recidive === | === Recidive === | ||
+ | The recidive rule ban users for a longer period if they have been banned multiple time in a row. | ||
+ | |||
+ | Create file <code>/etc/fail2ban/jail.d/recidive.conf</code> | ||
<syntaxhighlight lang="ini"> | <syntaxhighlight lang="ini"> | ||
# Jail for more extended banning of persistent abusers | # Jail for more extended banning of persistent abusers | ||
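Review bot: the added sentence "banned multiple time in a row" does not describe what the jail below it counts, which is maxretry = 3 bans within findtime = 86400 (one day), not consecutive bans. Suggest wording such as "bans users for a longer period once they have been banned 3 times within one day", and fix the grammar ("bans", "times") in the same edit.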
Line 35: | Line 46: | ||
logpath = /var/log/fail2ban.log | logpath = /var/log/fail2ban.log | ||
banaction = iptables-allports | banaction = iptables-allports | ||
− | bantime = 86400 ; 1 day | + | bantime = 86400 ; 1 day |
findtime = 86400 ; 1 day | findtime = 86400 ; 1 day | ||
maxretry = 3 | maxretry = 3 | ||
Line 42: | Line 53: | ||
=== Other rules === | === Other rules === | ||
− | Rules specific to one program are documented on the program page. You can see the list on the [[:Category:Fail2Ban|fail2ban category page]]. [[Category:Install]] | + | Rules specific to one program are documented on the program page. You can see the list on the [[:Category:Fail2Ban|fail2ban category page]]. |
+ | [[Category:Install]] | ||
[[Category:Fail2Ban]] | [[Category:Fail2Ban]] | ||
[[Category:Debian Release]] | [[Category:Debian Release]] |
Revision as of 14:06, 6 March 2016
Warning: These instructions were only tested on Debian. They will probably work on other Linux distributions, but you might need to adapt them.
Fail2ban is a program that parses logs and blocks servers that try to abuse your system. While it doesn't replace a firewall, it's a good complement as it prevents people from trying thousands of passwords on your server.
Installation
Debian Stretch (currently in testing) contains a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases, and installing the version from stretch will save you from migration pain later. Make sure you configure the stretch source before running the command below.
# apt install fail2ban/stretch
Configuration
After you change the configuration, or add a new jail, don't forget to restart fail2ban:
# service fail2ban restart
Defaults
Create the file /etc/fail2ban/jail.local:
[DEFAULT]
# Destination email for actions that send you an email
destemail = fail2ban@mydomain.example
# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender = fail2ban@mydomain.example
# Default action. Will block user and send you an email with whois content and log lines.
action = %(action_mwl)s
Recidive
The recidive rule bans users for a longer period if they have been banned multiple times (with the settings below, 3 bans within one day).
Create the file /etc/fail2ban/jail.d/recidive.conf:
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
# to maintain entries for failed logins for sufficient amount of time.
# The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = iptables-allports
bantime = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = all
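How the recidive jail above decides to ban, as an added Python example that is not part of the original page or of fail2ban itself: it replays a constructed fail2ban.log through the findtime and maxretry values from the jail. The log line layout and the names recidive_bans, BAN_RE and SAMPLE_LOG are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = timedelta(seconds=86400)  # findtime from the [recidive] jail
MAXRETRY = 3                         # maxretry from the [recidive] jail

# Assumed fail2ban.log layout: "<date>,<ms> <module> [<pid>]: NOTICE [<jail>] Ban <ip>".
# Bans logged by the recidive jail itself are excluded so it never feeds itself.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: "
    r"NOTICE\s+\[(?!recidive\])(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2016-03-04 08:00:00,101 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
2016-03-05 08:00:00,102 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2016-03-05 08:10:00,103 fail2ban.actions [812]: NOTICE [sshd] Unban 192.0.2.10
2016-03-05 09:00:00,104 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
2016-03-05 14:00:00,105 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2016-03-05 20:00:00,106 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2016-03-05 20:00:01,107 fail2ban.actions [812]: NOTICE [recidive] Ban 192.0.2.10
2016-03-06 10:00:00,108 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
"""

def recidive_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return [(ip, time)] for each point where an IP hits maxretry bans in findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of bans still inside the window
    triggered = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue              # Unban lines, other log levels, recidive's own bans
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()      # forget bans older than findtime
        if len(window) >= maxretry:
            triggered.append((m["ip"], when))
            window.clear()        # start counting afresh after the long ban
    return triggered

if __name__ == "__main__":
    for ip, when in recidive_bans(SAMPLE_LOG):
        print(f"recidive would ban {ip} at {when}")
```

The second address is banned three times as well, but each ban falls more than one day after the previous one, so it never reaches maxretry inside findtime.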
Other rules
Rules specific to one program are documented on the program page. You can see the list on the fail2ban category page.