Fail2Ban (Linux): Unterschied zwischen den Versionen
(19 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
== Voraussetzungen == | |||
[[Nftables (Linux)|nftables]] muss installiert sein. | |||
== Installation == | == Installation == | ||
Zeile 62: | Zeile 63: | ||
<pre> | <pre> | ||
sudo systemctl reload nftables.service | sudo systemctl reload nftables.service | ||
</pre> | |||
=== /etc/fail2ban/fail2ban.local === | |||
Die Datei | |||
<pre> | |||
sudo vi /etc/fail2ban/fail2ban.local | |||
</pre> | |||
anlegen und mit folgendem Inhalt befüllen: | |||
<pre> | |||
[Definition] | |||
# Options: dbpurgeage | |||
# Notes.: Sets age at which bans should be purged from the database | |||
# Values: [ SECONDS ] Default: 86400 (24hours) | |||
dbpurgeage = 432000 | |||
</pre> | </pre> | ||
=== /etc/fail2ban/action.d/nftables-common.local === | === /etc/fail2ban/action.d/nftables-common.local === | ||
Die Datei | |||
<pre> | <pre> | ||
sudo vi /etc/fail2ban/action.d/nftables-common.local | sudo vi /etc/fail2ban/action.d/nftables-common.local | ||
</pre> | </pre> | ||
anlegen und mit folgendem Inhalt befüllen: | |||
<pre> | <pre> | ||
Zeile 92: | Zeile 116: | ||
[DEFAULT] | [DEFAULT] | ||
# Destination email for action that send you an email | # Destination email for action that send you an email | ||
destemail = | destemail = fail2ban@<domain> | ||
# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this | # Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this | ||
sender = | sender = fail2ban@<domain> | ||
# Default action. Will block user and send you an email with whois content and log lines. | # Default action. Will block user and send you an email with whois content and log lines. | ||
Zeile 104: | Zeile 128: | ||
chain = input | chain = input | ||
# "ignorself" specifies whether the local resp. own IP addresses should be ignored | |||
# (default is true). Fail2ban will not ban a host which matches such addresses. | |||
ignorself = true | |||
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban | |||
# will not ban a host which matches an address in this list. Several addresses | |||
# can be defined using space (and/or comma) separator. | |||
ignoreip = 10.0.0.0/24 | |||
# "bantime" is the number of seconds that a host is banned. | |||
bantime = 7200 | |||
# A host is banned if it has generated "maxretry" during the last "findtime" | |||
# seconds. | |||
findtime = 7200 | |||
# "maxretry" is the number of failures before a host get banned. | |||
maxretry = 5 | |||
</pre> | </pre> | ||
Zeile 125: | Zeile 167: | ||
logpath = /var/log/fail2ban.log | logpath = /var/log/fail2ban.log | ||
banaction = nftables-allports | banaction = nftables-allports | ||
bantime = | bantime = 432000 ; 5 days | ||
findtime = | findtime = 432000 ; 5 days | ||
maxretry = 3 | maxretry = 3 | ||
protocol = 0-255 | protocol = 0-255 | ||
Zeile 140: | Zeile 182: | ||
== Programmkonfigurationen == | == Programmkonfigurationen == | ||
[[Mailserver absichern (Ubuntu 18.04)#Fail2Ban|Mailserver absichern#Fail2Ban]] | |||
[[Nextcloud absichern (Ubuntu 18.04)#Fail2Ban|Nextcloud absichern#Fail2Ban]] | |||
[[OSCam absichern (Ubuntu 18.04)#Fail2Ban|OSCam absichern#Fail2Ban]] | |||
== Permanet Bans == | |||
[[Fail2Ban - IP Adressen speichern (Linux)|Fail2Ban - IP Adressen speichern]] | |||
== Probleme == | |||
=== Line references path below legacy directory /var/run/ === | |||
<pre> | |||
Jun 5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly. | |||
Jun 5 07:28:58 mail1 systemd-tmpfiles[276]: | |||
[/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly. | |||
</pre> | |||
<pre> | |||
ToDo | |||
</pre> | |||
== Links == | == Links == |
Aktuelle Version vom 11. Oktober 2022, 08:16 Uhr
Voraussetzungen
nftables muss installiert sein.
Installation
iptables-
verhindert das iptables mitinstalliert wird.
sudo apt-get install fail2ban iptables-
Konfiguration
/etc/nftables/fail2ban.conf
Das Verzeichnis /etc/nftables/ existiert nicht und muss erst angelegt werden:
sudo mkdir /etc/nftables/
Danach die Datei
sudo vi /etc/nftables/fail2ban.conf
erstellen und mit folgendem Inhalt befüllen:
#!/usr/sbin/nft -f # Use ip as fail2ban doesn't support ipv6 yet table ip fail2ban { chain input { # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation type filter hook input priority 100; } }
Die zuvor erstellte Datei in
sudo vi /etc/nftables.conf
direkt nach flush ruleset
inkludieren:
#!/usr/sbin/nft -f flush ruleset include "/etc/nftables/fail2ban.conf" ...
Damit die neue Tabelle aktiv wird, muss die Konfiguration nochmals neu geladen werden:
sudo systemctl reload nftables.service
/etc/fail2ban/fail2ban.local
Die Datei
sudo vi /etc/fail2ban/fail2ban.local
anlegen und mit folgendem Inhalt befüllen:
[Definition] # Options: dbpurgeage # Notes.: Sets age at which bans should be purged from the database # Values: [ SECONDS ] Default: 86400 (24hours) dbpurgeage = 432000
/etc/fail2ban/action.d/nftables-common.local
Die Datei
sudo vi /etc/fail2ban/action.d/nftables-common.local
anlegen und mit folgendem Inhalt befüllen:
[Init] # Definition of the table used nftables_family = ip nftables_table = fail2ban # Drop packets blocktype = drop # Remove nftables prefix. Set names are limited to 15 char so we want them all nftables_set_prefix =
/etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
[DEFAULT] # Destination email for action that send you an email destemail = fail2ban@<domain> # Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this sender = fail2ban@<domain> # Default action. Will block user and send you an email with whois content and log lines. action = %(action_mwl)s # configure nftables banaction = nftables-multiport chain = input # "ignorself" specifies whether the local resp. own IP addresses should be ignored # (default is true). Fail2ban will not ban a host which matches such addresses. ignorself = true # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses # can be defined using space (and/or comma) separator. ignoreip = 10.0.0.0/24 # "bantime" is the number of seconds that a host is banned. bantime = 7200 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 7200 # "maxretry" is the number of failures before a host get banned. maxretry = 5
/etc/fail2ban/jail.d/recidive.conf
sudo vi /etc/fail2ban/jail.d/recidive.conf
# Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines # 2. If you increase bantime, you must increase value of dbpurgeage # to maintain entries for failed logins for sufficient amount of time. # The default is defined in fail2ban.conf and you can override it in fail2ban.local [recidive] enabled = true logpath = /var/log/fail2ban.log banaction = nftables-allports bantime = 432000 ; 5 days findtime = 432000 ; 5 days maxretry = 3 protocol = 0-255
Service neustarten
Nach jeder Konfigurationsänderung muss der Service neu gestartet werden:
sudo systemctl restart fail2ban.service
Programmkonfigurationen
Permanet Bans
Fail2Ban - IP Adressen speichern
Probleme
Line references path below legacy directory /var/run/
Jun 5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly. Jun 5 07:28:58 mail1 systemd-tmpfiles[276]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
ToDo
Links
https://wiki.meurisse.org/wiki/Fail2Ban
https://wiki.ubuntuusers.de/fail2ban/
https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/
https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern
Zurück zu Ubuntu