melchiorbv
/
Obsidian
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '59d2831f04'
${ noResults }
Obsidian/05.02 Networks/Configuring Fail2ban.md

14 KiB
Raw Blame History Escape

Alias Tag Date DocType Hierarchy TimeStamp location CollapseMetaTable
Fail2ban
fail2ban
💻
🖥️
🔎
2022-03-17 Personal NonRoot
47.3639129
8.55627491017841
true

Parent:: Selfhosting, Server Alias, Server Cloud, Server Tools, Server VPN

^Top

name Save
type command
action Save current file
id Save

^button-ConfiguringFail2banNSave

Configuring Fail2ban

title: Summary
collapse: open
This note runs through [fail2ban](https://www.fail2ban.org), a free open-source tool to monitor running programs and deamons on a VPs.


style: number

Installing Fail2Ban

#^Top

Type the following over command line and hit enter to begin installing Fail2Ban:

~~~bash
sudo apt-get install fail2ban
~~~

That will install the software for you however, by default Fail2Ban is only configured to ban failed SSH login attempts. For it to work more effectively, we need to enable some additional rules that will check the webserver or mtc logs for patterning indicating malicious activity.

Modifying the general settings in Fail2Ban

#^Top

First, we need to modify the configuration file that Fail2Ban uses to determine which application logs should be monitored, and what actions should be taken when offending entries are identified. 

For this you can use the supplied /etc/fail2ban/jail.conf file.

We must first however, copy this file over to prevent changes being overwritten if a package updated changes the default file.

To copy the default configuration file to a new file, named /etc/fail2ban/jail.local, use the following command:

~~~bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
~~~

Now we can open the newly copied file in order to set up the Apache log monitoring:

~~~bash
sudo nano /etc/fail2ban/jail.local
~~~

Adjusting the default settings

#^Top The first thing to look at within the configuration file are the defaults, which are found under the [DEFAULT] section within the file. These items set the general policy, and all of them can be individually overridden in specific jails.

Here there are a few options you may want to configure, depending on your requirements.

A common option to change is the ignoreip setting. This allows you to specify an IP address that Fail2Ban should ignore, and not ban under any circumstances. It can be helpful to add your own IP address or network to this list to avoid locking yourself out! To add an IP address, just append it to the line separated by a space, and make sure that the line is uncommented.

Another item you may want to change is the bantime setting. This setting determines how long an offending IP address will be banned from the system for. Ideally, you want to set this to a long enough time to be effective at dissuading malicious parties, but also short enough to allow legitimate users to correct their mistakes and access the system.

The final two items to look at are the findtime and maxretry settings. The findtime item specifies an amount of time, and the maxretry item indicates the number of login attempts that will be tolerated within that time period. If a client attempting to access the system makes more than maxtry attempts within the amount of time set by findtime, Fail2Ban will ban them.

Configuring with a MTA

#^Top

Postfix

In order to monitor Configuring Postfix's SMTP connections through Fail2Ban, a few steps need to be taken.

  1. Open the conf file
~~~bash
/etc/fail2ban/jail.conf
~~~
Or
~~~bash
/etc/fail2ban/jail.local
~~~

  1. Edit Postfix & create Postfix-auth
~~~bash
[postfix]
enabled = true
maxretry = 3
bantime = 1h
filter  = postfix
mode    = aggressive
action  = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
	telegram
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-auth]
enabled  = true
bantime  = 1h
filter   = postfix.auth
action   = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
        telegram
logpath  = /var/log/mail.log
ignoreip = 127.0.0.1/8
maxretry = 3
~~~

  1. Create postfix.auth filter
/etc/fail2ban/filter.d/postfix.auth.conf


~~~bash
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
~~~

  1. Restart fail2ban
~~~bash
sudo systemctl restart fail2ban
~~~

Configuring with a webserver

#^Top

Apache

This section focusses on enabling the Apache-specific jails that will monitor the logs of our web server for specific behaviour patterns, which it can then act upon.

Each jail within the configuration file is marked by a header, containing the jail name in square brackets.

  1. Open the conf file
~~~bash
/etc/fail2ban/jail.conf
~~~
Or
~~~bash
/etc/fail2ban/jail.local
~~~

  1. Add the following code
~~~bash
# detect password authentication failures
 [apache]
 enabled  = true
 filter   = apache-auth
 action   = iptables-multiport[name=auth, port="http,https"]
 logpath  = /var/log/httpd/fail2ban.log
 bantime  = 3600
 maxretry = 3
 ignoreip = 192.0.2.0

 # detect spammer robots crawling email addresses
 [apache-badbots]
 enabled  = true
 filter   = apache-badbots
 action   = iptables-multiport[name=badbots, port="http,https"]
 logpath  = /var/log/httpd/fail2ban.log
 bantime  = 3600
 maxretry = 1
 ignoreip = 192.0.2.0

 # detect potential search for exploits
 [apache-noscript]
 enabled  = true
 filter   = apache-noscript
 action   = iptables-multiport[name=noscript, port="http,https"]
 logpath  = /var/log/httpd/fail2ban.log
 bantime  = 3600
 maxretry = 6
 ignoreip = 192.0.2.0

 # detect Apache overflow attempts
 [apache-overflows]
 enabled  = true
 filter   = apache-overflows
 action   = iptables-multiport[name=overflows, port="http,https"]
 logpath  = /var/log/httpd/fail2ban.log
 bantime  = 3600
 maxretry = 2
 ignoreip = 192.0.2.0 
~~~

NOTE: make sure to substitute your own static IP address for “192.0.2.0” in the ignoreip field..

  1. Save and close the file, then restart Fail2Ban for the changes to take effect:
~~~bash
sudo systemctl restart fail2ban
~~~

Now you can use the following command to check the firewall rules added by Fail2Ban:

~~~bash
sudo iptables -L
~~~

You should see something like the following:

~~~bash
Chain fail2ban-apache (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-badbots (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-noscript (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-overflows (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere 
~~~

NGINX

#^Top This section focusses on enabling the NGINX-specific jails that will monitor the logs of our web server for specific behaviour patterns, which it can then act upon.

Each jail within the configuration file is marked by a header, containing the jail name in square brackets.

  1. Edit the conf file
~~~bash
sudo nano /etc/fail2ban/jail.conf
~~~

  1. Now, copy and paste which jails you prefer to use, remember to see the next section for the actual filter.
~~~bash
[nginx-403]
 enabled = true
 port     = http,https
 filter = nginx-403
 action = iptables-allports
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 4

[nginx-404]
 enabled = true
 port     = http,https
 filter = nginx-404
 action = iptables-allports
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 30 # <--- monitor and adjust, all servers are different.

[nginx-noagent]
 enabled = true
 port     = http,https
 filter = nginx-noagent
 action = iptables-allports
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 3

[nginx-noauth]
 enabled = true
 filter = nginx-noauth
 action = iptables-allports
 logpath = %(nginx_error_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 5

[nginx-no-x-spam]
 enabled = true
 filter = nginx-no-x-spam
 action = iptables-allports
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 5

[nginx-noscript]
 enabled = true
 action = iptables-allports
 filter = nginx-noscript
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 3

[nginx-noproxy]
 enabled = true
 action = iptables-allports
 filter = nginx-noproxy
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 0

[nginx-nowordpress]
 enabled = true
 action = iptables-allports
 filter = nginx-nowordpress
 logpath = %(nginx_access_log)s
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 3

[portscan-block]
 enabled = true
 action = iptables-allports
 filter = portscan-block
 logpath = /var/log/ufw.log  <--- this has to be direct to your UFW logs.
 bantime = 1440m # 1 day
 findtime = 1440m # 1 day
 maxretry = 5

~~~

  1. Next, you need to make a new filter file for each of these filters and put .conf at the end of the file.

Note, the created file is something you need to do yourself.

nginx-403 configuration

#^Top

/location/fail2ban/filter.d/nginx-403.conf


~~~bash
 [Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403

 ignoreregex =
~~~

nginx-404 configuration
/location/fail2ban/filter.d/nginx-404.conf


~~~bash
 [Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404

 ignoreregex =

~~~

nginx-noagent configuration
/location/fail2ban/filter.d/nginx-noagent.conf


~~~bash
 [Definition]

 failregex = ^<HOST> -.*"-" "-"$
                   ^<HOST> -.*"-" "curl.*"$

 ignoreregex =

~~~

nginx-noauth configuration

#^Top

/location/fail2ban/filter.d/nginx-noauth.conf


~~~bash
 [Definition]

 failregex = no user/password was provided for basic authentication.client:              user . was not found in.client:              user . password mismatch.*client: 

 ignoreregex =
~~~

nginx-no-x-spam configuration
/location/fail2ban/filter.d/nginx-no-x-spam.conf


~~~bash
 [Definition]

 failregex = {"log":"<HOST> .* ".*\\x.*" .*$

 ignoreregex =
~~~

nginx-noscript configuration
/location/fail2ban/filter.d/nginx-noscript.conf


~~~bash
 [Definition]

 failregex =     ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\.scgi)

 ignoreregex =
~~~

nginx-noproxy configuration

#^Top

/location/fail2ban/filter.d/nginx-noproxy.conf


~~~bash
 [Definition]

 failregex = ^<HOST> -.*GET http.*
                   ^<HOST> -.*CONNECT.*

 ignoreregex =
~~~

nginx-nowordpress configuration
/location/fail2ban/filter.d/nginx-nowordpress.conf


~~~bash
 [Definition]
            
 failregex = ^<HOST> -.*"(GET|POST|HEAD) /+(?i)(wp(-|/)|xmlrpc.php|\?author=1)
                   ^<HOST> -.* "(GET|POST|HEAD|PROPFIND) /+(?i)    (a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)
             ^<HOST> -.* "(GET|POST|HEAD) /[^"]+.(asp|cgi|exe|jsp|mvc|pl)( |\?)
             ^<HOST> -.*(?i)(/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify)

 ignoreregex =

 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

~~~

portscan-block configuration
/location/fail2ban/filter.d/portscan-block.conf


~~~bash
[Definition]

failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>

ignoreregex = SRC=(10.|172.1[6-9].|172.2[0-9].|172.3[0-1].|192.168.|fe\w:). DST=(static.ip.address.here|224.0.0.). PROTO=(2|UDP)(\s+|.* DPT=(1900|3702|5353|5355) LEN=\d*\s+)$

~~~

  1. Save and close the file, then restart Fail2Ban for the changes to take effect:
~~~bash
sudo systemctl restart fail2ban
~~~

Caddy

#^Top This section focusses on enabling the Configuring Caddy-specific jails that will monitor the logs of our web server for specific behaviour patterns, which it can then act upon.

Each jail within the configuration file is marked by a header, containing the jail name in square brackets.

  1. Open the conf file
~~~bash
/etc/fail2ban/jail.conf
~~~
Or
~~~bash
/etc/fail2ban/jail.local
~~~

  1. Add the following code
~~~bash
[caddy-4xx]
port    = http,https
logpath = /var/log/caddy/caddy.log
enabled = true
filter = caddy-4xx
action = iptables-multiport[name=auth, port="http,https"]
banTime = 3600
findTime = 600
maxretry = 5
~~~

  1. Create the filter file
/etc/fail2ban/filter.d/caddy-4xx.conf


~~~bash
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
~~~

  1. Save and close the file, then restart Fail2Ban for the changes to take effect:
~~~bash
sudo systemctl restart fail2ban
~~~

Test fail2ban filters

#^Top

Fail2ban allows to test filters on a defined logfile through the below command. This enables to test filters when occurences are present in the log.

~~~bash
sudo fail2ban-regex < path to logfile > < filter name >
~~~

#^Top