Fail2Ban (Linux): Unterschied zwischen den Versionen

Voraussetzungen

nftables muss installiert sein.

Installation

iptables- verhindert das iptables mitinstalliert wird.

sudo apt-get install fail2ban iptables-

Konfiguration

/etc/nftables/fail2ban.conf

Das Verzeichnis /etc/nftables/ existiert nicht und muss erst angelegt werden:

sudo mkdir /etc/nftables/

Danach die Datei

sudo vi /etc/nftables/fail2ban.conf

erstellen und mit folgendem Inhalt befüllen:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
  chain input {
    # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
    type filter hook input priority 100;
  }
}

Die zuvor erstellte Datei in

sudo vi /etc/nftables.conf

direkt nach flush ruleset inkludieren:

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/fail2ban.conf"

...

Damit die neue Tabelle aktiv wird, muss die Konfiguration nochmals neu geladen werden:

sudo systemctl reload nftables.service

/etc/fail2ban/fail2ban.local

sudo vi /etc/fail2ban/fail2ban.local

[Definition]

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 432000

/etc/fail2ban/action.d/nftables-common.local

sudo vi /etc/fail2ban/action.d/nftables-common.local

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =

/etc/fail2ban/jail.local

sudo vi /etc/fail2ban/jail.local

[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@<domain>

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@<domain>

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 10.0.0.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 7200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

/etc/fail2ban/jail.d/recidive.conf

sudo vi /etc/fail2ban/jail.d/recidive.conf

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 432000 ; 5 days
findtime  = 432000 ; 5 days 
maxretry  = 3 
protocol  = 0-255

Service neustarten

Nach jeder Konfigurationsänderung muss der Service neu gestartet werden:

sudo systemctl restart fail2ban.service

Programmkonfigurationen

Mailserver absichern)#Fail2Ban

Links

https://wiki.meurisse.org/wiki/Fail2Ban

https://wiki.ubuntuusers.de/fail2ban/

https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/

https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern

Zurück zu Ubuntu