Fail2Ban (Linux): Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
 
(10 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
{{note|Noch in Bearbeitung}}
== Voraussetzungen ==
== Voraussetzungen ==


Zeile 69: Zeile 66:


=== /etc/fail2ban/fail2ban.local ===
=== /etc/fail2ban/fail2ban.local ===
Die Datei


<pre>
<pre>
sudo vi /etc/fail2ban/fail2ban.local
sudo vi /etc/fail2ban/fail2ban.local
</pre>
</pre>
anlegen und mit folgendem Inhalt befüllen:


<pre>
<pre>
[Definition]
# Options: dbpurgeage
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Notes.: Sets age at which bans should be purged from the database
Zeile 82: Zeile 85:


=== /etc/fail2ban/action.d/nftables-common.local ===
=== /etc/fail2ban/action.d/nftables-common.local ===
Die Datei


<pre>
<pre>
sudo vi /etc/fail2ban/action.d/nftables-common.local
sudo vi /etc/fail2ban/action.d/nftables-common.local
</pre>
</pre>
anlegen und mit folgendem Inhalt befüllen:


<pre>
<pre>
Zeile 131: Zeile 138:


# "bantime" is the number of seconds that a host is banned.
# "bantime" is the number of seconds that a host is banned.
bantime  = 120m
bantime  = 7200


# A host is banned if it has generated "maxretry" during the last "findtime"
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# seconds.
findtime  = 120m
findtime  = 7200


# "maxretry" is the number of failures before a host get banned.
# "maxretry" is the number of failures before a host get banned.
Zeile 176: Zeile 183:
== Programmkonfigurationen ==
== Programmkonfigurationen ==


[[Mailserver absichern (Ubuntu 18.04)#Fail2Ban|Mailserver absichern)#Fail2Ban]]
[[Mailserver absichern (Ubuntu 18.04)#Fail2Ban|Mailserver absichern#Fail2Ban]]
 
[[Nextcloud absichern (Ubuntu 18.04)#Fail2Ban|Nextcloud absichern#Fail2Ban]]
 
[[OSCam absichern (Ubuntu 18.04)#Fail2Ban|OSCam absichern#Fail2Ban]]
 
== Permanet Bans ==
 
[[Fail2Ban - IP Adressen speichern (Linux)|Fail2Ban - IP Adressen speichern]]
 
== Probleme ==
 
=== Line references path below legacy directory /var/run/ ===
<pre>
Jun  5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
Jun  5 07:28:58 mail1 systemd-tmpfiles[276]:
[/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
</pre>
 
<pre>
ToDo
</pre>


== Links ==
== Links ==

Aktuelle Version vom 11. Oktober 2022, 08:16 Uhr

Voraussetzungen

nftables muss installiert sein.

Installation

iptables- verhindert das iptables mitinstalliert wird.

sudo apt-get install fail2ban iptables-

Konfiguration

/etc/nftables/fail2ban.conf

Das Verzeichnis /etc/nftables/ existiert nicht und muss erst angelegt werden:

sudo mkdir /etc/nftables/

Danach die Datei

sudo vi /etc/nftables/fail2ban.conf

erstellen und mit folgendem Inhalt befüllen:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
  chain input {
    # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
    type filter hook input priority 100;
  }
}

Die zuvor erstellte Datei in

sudo vi /etc/nftables.conf

direkt nach flush ruleset inkludieren:

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/fail2ban.conf"

...

Damit die neue Tabelle aktiv wird, muss die Konfiguration nochmals neu geladen werden:

sudo systemctl reload nftables.service

/etc/fail2ban/fail2ban.local

Die Datei

sudo vi /etc/fail2ban/fail2ban.local

anlegen und mit folgendem Inhalt befüllen:

[Definition]

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 432000

/etc/fail2ban/action.d/nftables-common.local

Die Datei

sudo vi /etc/fail2ban/action.d/nftables-common.local

anlegen und mit folgendem Inhalt befüllen:

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =

/etc/fail2ban/jail.local

sudo vi /etc/fail2ban/jail.local
[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@<domain>

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@<domain>

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 10.0.0.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 7200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

/etc/fail2ban/jail.d/recidive.conf

sudo vi /etc/fail2ban/jail.d/recidive.conf
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 432000 ; 5 days
findtime  = 432000 ; 5 days 
maxretry  = 3 
protocol  = 0-255

Service neustarten

Nach jeder Konfigurationsänderung muss der Service neu gestartet werden:

sudo systemctl restart fail2ban.service

Programmkonfigurationen

Mailserver absichern#Fail2Ban

Nextcloud absichern#Fail2Ban

OSCam absichern#Fail2Ban

Permanet Bans

Fail2Ban - IP Adressen speichern

Probleme

Line references path below legacy directory /var/run/

Jun  5 07:28:58 mail1 systemd-tmpfiles[155]: [/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
Jun  5 07:28:58 mail1 systemd-tmpfiles[276]:
[/usr/lib/tmpfiles.d/fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
ToDo

Links

https://wiki.meurisse.org/wiki/Fail2Ban

https://wiki.ubuntuusers.de/fail2ban/

https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/

https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern


Zurück zu Ubuntu