Fail2Ban (Linux): Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
 
(30 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
{{note|Noch in Bearbeitung}}
== Voraussetzungen ==


[[Nftables (Linux)|nftables]] muss installiert sein.


== Installation ==
== Installation ==
Zeile 11: Zeile 12:


== Konfiguration ==
== Konfiguration ==
=== /etc/nftables/fail2ban.conf ===
Das Verzeichnis ''/etc/nftables/'' existiert nicht und muss erst angelegt werden:


<pre>
<pre>
sudo mkdir /etc/nftables/
sudo mkdir /etc/nftables/
</pre>
</pre>
Danach die Datei


<pre>
<pre>
sudo vi /etc/nftables/fail2ban.conf
sudo vi /etc/nftables/fail2ban.conf
</pre>
erstellen und mit folgendem Inhalt befüllen:
<pre>
#!/usr/sbin/nft -f
# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
  chain input {
    # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
    type filter hook input priority 100;
  }
}
</pre>
Die zuvor erstellte Datei in
<pre>
sudo vi /etc/nftables.conf
</pre>
direkt nach <code>flush ruleset</code> inkludieren:
<pre>
#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables/fail2ban.conf"
...
</pre>
Damit die neue Tabelle aktiv wird, muss die Konfiguration nochmals neu geladen werden:
<pre>
sudo systemctl reload nftables.service
</pre>
=== /etc/fail2ban/fail2ban.local ===
Die Datei
<pre>
sudo vi /etc/fail2ban/fail2ban.local
</pre>
anlegen und mit folgendem Inhalt befüllen:
<pre>
[Definition]
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 432000
</pre>
=== /etc/fail2ban/action.d/nftables-common.local ===
Die Datei
<pre>
sudo vi /etc/fail2ban/action.d/nftables-common.local
</pre>
anlegen und mit folgendem Inhalt befüllen:
<pre>
[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban
# Drop packets
blocktype      = drop
# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =
</pre>
=== /etc/fail2ban/jail.local ===
<pre>
sudo vi /etc/fail2ban/jail.local
</pre>
<pre>
[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@<domain>
# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@<domain>
# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s
# configure nftables
banaction = nftables-multiport
chain    = input
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 10.0.0.0/24
# "bantime" is the number of seconds that a host is banned.
bantime  = 7200
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
</pre>
=== /etc/fail2ban/jail.d/recidive.conf ===
<pre>
sudo vi /etc/fail2ban/jail.d/recidive.conf
</pre>
<pre>
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
banaction = nftables-allports
bantime  = 432000 ; 5 days
findtime  = 432000 ; 5 days
maxretry  = 3
protocol  = 0-255
</pre>
== Service neustarten ==
Nach jeder Konfigurationsänderung muss der Service neu gestartet werden:
<pre>
sudo systemctl restart fail2ban.service
</pre>
== Programmkonfigurationen ==
[[Mailserver absichern (Ubuntu 18.04)#Fail2Ban|Mailserver absichern#Fail2Ban]]
[[Nextcloud absichern (Ubuntu 18.04)#Fail2Ban|Nextcloud absichern#Fail2Ban]]
[[OSCam absichern (Ubuntu 18.04)#Fail2Ban|OSCam absichern#Fail2Ban]]
== Permanet Bans ==
[[Fail2Ban - IP Adressen speichern (Linux)|Fail2Ban - IP Adressen speichern]]
== Probleme ==
=== Line references path below legacy directory /var/run/ ===
<pre>
Jun  5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
Jun  5 07:28:58 mail1 systemd-tmpfiles[276]:
[/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
</pre>
<pre>
ToDo
</pre>
</pre>


Aktuelle Version vom 11. Oktober 2022, 08:16 Uhr

Voraussetzungen

nftables muss installiert sein.

Installation

iptables- verhindert das iptables mitinstalliert wird. 

sudo apt-get install fail2ban iptables-

Konfiguration

/etc/nftables/fail2ban.conf

Das Verzeichnis /etc/nftables/ existiert nicht und muss erst angelegt werden: 

sudo mkdir /etc/nftables/

Danach die Datei 

sudo vi /etc/nftables/fail2ban.conf

erstellen und mit folgendem Inhalt befüllen: 

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
  chain input {
    # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
    type filter hook input priority 100;
  }
}

Die zuvor erstellte Datei in 

sudo vi /etc/nftables.conf

direkt nach flush ruleset inkludieren: 

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/fail2ban.conf"

...

Damit die neue Tabelle aktiv wird, muss die Konfiguration nochmals neu geladen werden: 

sudo systemctl reload nftables.service

/etc/fail2ban/fail2ban.local

Die Datei 

sudo vi /etc/fail2ban/fail2ban.local

anlegen und mit folgendem Inhalt befüllen: 

[Definition]

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 432000

/etc/fail2ban/action.d/nftables-common.local

Die Datei 

sudo vi /etc/fail2ban/action.d/nftables-common.local

anlegen und mit folgendem Inhalt befüllen: 

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =

/etc/fail2ban/jail.local

sudo vi /etc/fail2ban/jail.local

[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@<domain>

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@<domain>

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 10.0.0.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 7200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

/etc/fail2ban/jail.d/recidive.conf

sudo vi /etc/fail2ban/jail.d/recidive.conf

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 432000 ; 5 days
findtime  = 432000 ; 5 days 
maxretry  = 3 
protocol  = 0-255

Service neustarten

Nach jeder Konfigurationsänderung muss der Service neu gestartet werden: 

sudo systemctl restart fail2ban.service

Programmkonfigurationen

Mailserver absichern#Fail2Ban

Nextcloud absichern#Fail2Ban

OSCam absichern#Fail2Ban

Permanet Bans

Fail2Ban - IP Adressen speichern

Probleme

Line references path below legacy directory /var/run/

Jun  5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
Jun  5 07:28:58 mail1 systemd-tmpfiles[276]:
[/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.

ToDo

Links

https://wiki.meurisse.org/wiki/Fail2Ban

https://wiki.ubuntuusers.de/fail2ban/

https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/

https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern


Zurück zu Ubuntu

Abgerufen von „https://tutorials.kirner.or.at/tutorials/index.php?title=Fail2Ban_(Linux)&oldid=10599