Fail2Ban

Revision as of 22:54, 27 March 2016 by Vincent (talk | contribs) (Switch to nftables)
Warning: These instructions were only tested on Debian. They will probably work on other Linux distributions, but you might need to adapt them.

Fail2ban is a program that parses logs and blocks hosts that try to abuse your system. While it doesn't replace a firewall, it's a good complement, as it prevents people from trying thousands of passwords on your server.

Prerequisite

This guide will configure Fail2Ban to work with nftables.

Installation

Debian Stretch (currently in testing) contains a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases, and installing the version from stretch will save you from migration pain later. Make sure you configure the stretch source before running the command below.

# apt install fail2ban/stretch

Configuration

After you change configuration, or add a new jail, don't forget to restart fail2ban

# service fail2ban restart

nftables

nftables support was added in release 0.9.4. If you have an older release, you can copy the 3 nftables-* files from the official repository and add them to /etc/fail2ban/action.d.

Create table

Create file /etc/nftables/fail2ban.conf

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}

Then add the line include "/etc/nftables/fail2ban.conf" to /etc/nftables.conf. Finally, activate your rule in nftables:

# nft -f /etc/nftables/fail2ban.conf

Set table in Fail2Ban

Create file /etc/fail2ban/action.d/nftables-common.local

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove the nftables prefix. Set names are limited to 15 characters, so we want all of them
nftables_set_prefix =

Defaults

Create file /etc/fail2ban/jail.local

[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@mydomain.example

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@mydomain.example

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

Recidive

The recidive jail bans hosts for a longer period if they have been banned multiple times in a row.

Create file /etc/fail2ban/jail.d/recidive.conf

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 86400 ; 1 day
findtime  = 86400 ; 1 day
maxretry  = 3
protocol  = 0-255
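To see which hosts the recidive jail above would escalate, here is an added Python example (it is not part of this wiki page and not fail2ban's own code) that applies the jail's findtime/maxretry rule to Ban lines in the format fail2ban writes to /var/log/fail2ban.log. The sample log lines and addresses are constructed for the illustration, and the sliding-window count is our own approximation of the jail's behaviour; recidive's own Ban lines are skipped so the jail cannot feed itself, which is the loop the WARNINGS comment describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Ban" lines fail2ban writes to fail2ban.log, which is what the
# recidive jail's filter reads. Whitespace is kept flexible because the column
# alignment differs between fail2ban releases.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s*"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)$"
)

# Constructed sample log: 192.0.2.10 is banned three times within one day,
# 198.51.100.7 only twice within any 24h window.
SAMPLE_LOG = """\
2016-03-27 10:00:01,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-03-27 10:05:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10
2016-03-27 11:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2016-03-27 14:30:15,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2016-03-27 20:45:59,789 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 192.0.2.10
2016-03-27 21:00:00,000 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 192.0.2.10
2016-03-29 11:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2016-03-29 12:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
"""


def parse_bans(lines):
    """Yield (timestamp, jail, ip) for every Ban line; other lines are ignored."""
    for line in lines:
        m = BAN_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("jail"), m.group("ip")


def recidive_candidates(lines, findtime=86400, maxretry=3):
    """Return {ip: bans} for IPs banned at least maxretry times inside some
    findtime window (the jail's own settings: 86400 s and 3 by default)."""
    bans = defaultdict(list)
    for ts, jail, ip in parse_bans(lines):
        if jail == "recidive":
            continue  # do not let recidive's own bans count towards a new ban
        bans[ip].append(ts)

    window = timedelta(seconds=findtime)
    result = {}
    for ip, times in bans.items():
        times.sort()
        start = 0
        # Sliding window: for each ban at time t, count bans in [t - window, t]
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            count = end - start + 1
            if count >= maxretry and count > result.get(ip, 0):
                result[ip] = count
    return result


if __name__ == "__main__":
    for ip, count in sorted(recidive_candidates(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {count} bans within findtime, recidive would ban it")
```

Run it against your real log with recidive_candidates(open("/var/log/fail2ban.log")) to check that the hosts you expect to be escalated actually reach maxretry within findtime; if bantime is raised, remember the warning in the jail comments about dbpurgeage.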

Other rules

Rules specific to one program are documented on the program page. You can see the list on the fail2ban category page.