Fail2Ban (Linux): Difference between revisions
Line 110 (unchanged context):
<pre>
sudo vi /etc/fail2ban/jail.d/recidive.conf
</pre>
Added in this revision, directly after that block:
<pre>
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
# to maintain entries for failed logins for sufficient amount of time.
# The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = nftables-allports
bantime = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = 0-255
</pre>
Revision as of 31 March 2020, 17:11
Still a work in progress
Installation
The trailing "-" on the package name iptables- tells apt-get not to install (or to remove) iptables, so fail2ban is installed without pulling iptables in alongside it:
sudo apt-get install fail2ban iptables-
Configuration
/etc/nftables/fail2ban.conf
The directory /etc/nftables/ does not exist yet and has to be created first:
sudo mkdir /etc/nftables/
Then create the file
sudo vi /etc/nftables/fail2ban.conf
and fill it with the following content:
#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
	chain input {
		# Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
		type filter hook input priority 100;
	}
}
Include the file created above in
sudo vi /etc/nftables.conf
directly after flush ruleset (an include placed before the flush would be wiped again by it):
#!/usr/sbin/nft -f

flush ruleset
include "/etc/nftables/fail2ban.conf"
...
For the new table to become active, the nftables configuration has to be reloaded once more:
sudo systemctl reload nftables.service
/etc/fail2ban/action.d/nftables-common.local
sudo vi /etc/fail2ban/action.d/nftables-common.local
[Init]
# Definition of the table used
nftables_family = ip
nftables_table = fail2ban

# Drop packets
blocktype = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =
/etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
[DEFAULT]
# Destination email for actions that send you an email
destemail = admin@<domain>

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender = admin@<domain>

# Default action. Will block the host and send you an email with whois content and log lines.
action = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain = input
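The three files above only work together if they agree: the fail2ban nftables action inserts its rules into the family, table and chain named by nftables_family, nftables_table and chain, and that table survives a reload only if it is included after flush ruleset. The following check is an added example (not from this wiki and not fail2ban's own code) that parses constructed copies of the files from this page and reports inconsistencies. The inet filter table standing in for the elided rest of /etc/nftables.conf and the example e-mail addresses are assumptions.

```python
import configparser
import re

# Constructed inputs mirroring the files set up on this page. The
# "table inet filter" block stands in for the elided rest of nftables.conf
# and is an assumption, as are the example e-mail addresses.
NFTABLES_CONF = """#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables/fail2ban.conf"
table inet filter {
    chain input {
        type filter hook input priority 0;
    }
}
"""

FAIL2BAN_NFT = """#!/usr/sbin/nft -f
table ip fail2ban {
    chain input {
        type filter hook input priority 100;
    }
}
"""

NFTABLES_COMMON_LOCAL = """[Init]
nftables_family = ip
nftables_table = fail2ban
blocktype = drop
nftables_set_prefix =
"""

JAIL_LOCAL = """[DEFAULT]
destemail = admin@example.org
sender = admin@example.org
action = %(action_mwl)s
banaction = nftables-multiport
chain = input
"""

INCLUDE_PATH = "/etc/nftables/fail2ban.conf"


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse a fail2ban config fragment. Interpolation is disabled so that
    references such as %(action_mwl)s need not be resolvable here."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def check_include_order(nftables_conf: str, include_path: str) -> list[str]:
    """'flush ruleset' deletes every table, so the fail2ban table has to be
    included after it; otherwise it is wiped each time the ruleset loads."""
    lines = [line.strip() for line in nftables_conf.splitlines()]
    flush_at = next((i for i, l in enumerate(lines) if l == "flush ruleset"), None)
    include_at = next((i for i, l in enumerate(lines)
                       if l == f'include "{include_path}"'), None)
    findings = []
    if include_at is None:
        findings.append(f"{include_path} is never included from nftables.conf")
    elif flush_at is not None and include_at < flush_at:
        findings.append(f"{include_path} is included before 'flush ruleset' "
                        "and is wiped on every ruleset load")
    return findings


def check_table_matches(fail2ban_nft: str, common_local: str, jail_local: str) -> list[str]:
    """The action inserts rules into <nftables_family> <nftables_table> <chain>;
    all three must name what the nft file actually declares."""
    m = re.search(r"table\s+(\w+)\s+(\w+)\s*\{", fail2ban_nft)
    if not m:
        return ["no table declared in the fail2ban nft file"]
    family, table = m.group(1), m.group(2)
    chains = set(re.findall(r"chain\s+(\w+)\s*\{", fail2ban_nft))

    init = load_ini(common_local)["Init"]
    defaults = load_ini(jail_local)["DEFAULT"]
    findings = []
    if init.get("nftables_family") != family:
        findings.append(f"nftables_family={init.get('nftables_family')} "
                        f"but the table is declared with family {family}")
    if init.get("nftables_table") != table:
        findings.append(f"nftables_table={init.get('nftables_table')} "
                        f"but the declared table is {table}")
    if defaults.get("chain") not in chains:
        findings.append(f"chain={defaults.get('chain')} does not exist in "
                        f"table {table} (declared chains: {sorted(chains)})")
    return findings


def check_all() -> list[str]:
    return (check_include_order(NFTABLES_CONF, INCLUDE_PATH)
            + check_table_matches(FAIL2BAN_NFT, NFTABLES_COMMON_LOCAL, JAIL_LOCAL))


if __name__ == "__main__":
    for finding in check_all() or ["nftables and fail2ban configuration are consistent"]:
        print(finding)
```

Run against the real files by reading them from disk instead of the constructed strings; an empty result means the table, family and chain line up and the include is in the right place.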
/etc/fail2ban/jail.d/recidive.conf
sudo vi /etc/fail2ban/jail.d/recidive.conf
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
# to maintain entries for failed logins for sufficient amount of time.
# The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = nftables-allports
bantime = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = 0-255
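The two warnings in the header of the recidive jail are constraints between this file and fail2ban.conf: loglevel must not be DEBUG, and bantime must not exceed dbpurgeage. Both are easy to get wrong when bantime is later raised. The following check is an added example (not from this wiki and not fail2ban's own code) that parses a constructed copy of the jail above together with a stand-in for the relevant fail2ban.conf keys and reports violations; it also confirms that the jail's logpath is the file fail2ban itself writes to (logtarget). The fail2ban.conf values and the "10m" fallback for bantime are fail2ban's shipped defaults, used here as assumptions.

```python
import configparser
import re

# Constructed inputs: the recidive jail as shown on this page, plus a stand-in
# for the fail2ban.conf keys its header comments refer to. The values are
# fail2ban's shipped defaults (assumption for the demo, not read from a system).
RECIDIVE_CONF = """[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = nftables-allports
bantime = 86400 ; 1 day
findtime = 86400 ; 1 day
maxretry = 3
protocol = 0-255
"""

FAIL2BAN_CONF = """[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
dbpurgeage = 1d
"""

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_seconds(value: str) -> int:
    """Parse the duration forms used on this page and in fail2ban's defaults:
    plain seconds ('86400') or a count with an s/m/h/d/w suffix ('1d').
    Other fail2ban duration spellings are out of scope for this check."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def load_ini(text: str) -> configparser.ConfigParser:
    """fail2ban files use ';' and '#' inline comments ('86400 ; 1 day');
    interpolation is off so %(name)s references do not need resolving."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def check_recidive(jail_text: str, fail2ban_conf_text: str) -> list[str]:
    """Check the two header warnings plus the watched log path.
    Returns human-readable findings; an empty list means consistent."""
    jail = load_ini(jail_text)["recidive"]
    main = load_ini(fail2ban_conf_text)["Definition"]
    findings = []

    # Warning 1: at DEBUG level fail2ban logs about its own log processing,
    # and recidive would keep matching those non-informative lines.
    if main.get("loglevel", "INFO").upper() == "DEBUG":
        findings.append("loglevel is DEBUG: recidive would feed on fail2ban's own log output")

    # Warning 2: entries older than dbpurgeage are purged from the database,
    # so a ban longer than that loses its record before it expires.
    bantime = parse_seconds(jail.get("bantime", "10m"))
    dbpurgeage = parse_seconds(main.get("dbpurgeage", "1d"))
    if bantime > dbpurgeage:
        findings.append(f"bantime {bantime}s exceeds dbpurgeage {dbpurgeage}s: "
                        "raise dbpurgeage in fail2ban.local")

    # recidive reads fail2ban's own log, so logpath must be where fail2ban writes.
    logpath = jail.get("logpath")
    logtarget = main.get("logtarget", "/var/log/fail2ban.log")
    if logpath != logtarget:
        findings.append(f"recidive logpath {logpath} differs from logtarget {logtarget}")

    return findings


if __name__ == "__main__":
    for finding in check_recidive(RECIDIVE_CONF, FAIL2BAN_CONF) or ["recidive jail is consistent"]:
        print(finding)
```

With the values from this page (bantime 86400 and the default dbpurgeage of 1d) the check passes; raising bantime to a week without touching dbpurgeage produces a finding.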
Links
https://wiki.meurisse.org/wiki/Fail2Ban
https://wiki.ubuntuusers.de/fail2ban/
https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/
https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern