Fail2Ban (Linux)


Work in progress


Prerequisites

nftables must be installed.

Installation

Appending iptables- to the command prevents iptables from being installed alongside fail2ban.

sudo apt-get install fail2ban iptables-

Configuration

/etc/nftables/fail2ban.conf

The directory /etc/nftables/ does not exist yet and must be created first:

sudo mkdir /etc/nftables/

Then create the file

sudo vi /etc/nftables/fail2ban.conf

and fill it with the following content:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
  chain input {
    # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
    type filter hook input priority 100;
  }
}

Include the file created above in

sudo vi /etc/nftables.conf

directly after flush ruleset:

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/fail2ban.conf"

...

For the new table to become active, the nftables configuration must be reloaded once more:

sudo systemctl reload nftables.service

/etc/fail2ban/action.d/nftables-common.local

sudo vi /etc/fail2ban/action.d/nftables-common.local

[Init]
# Definition of the table used
nftables_family = ip
nftables_table  = fail2ban

# Drop packets 
blocktype       = drop

# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =

/etc/fail2ban/jail.local

sudo vi /etc/fail2ban/jail.local

[DEFAULT]
# Destination email for action that send you an email
destemail = fail2ban@<domain>

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender    = fail2ban@<domain>

# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s

# configure nftables
banaction = nftables-multiport
chain     = input

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 10.0.0.0/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 120m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 120m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

/etc/fail2ban/jail.d/recidive.conf

sudo vi /etc/fail2ban/jail.d/recidive.conf

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = nftables-allports
bantime   = 86400 ; 1 day
findtime  = 86400 ; 1 day 
maxretry  = 3 
protocol  = 0-255

Restart the service

After every configuration change the service must be restarted:

sudo systemctl restart fail2ban.service
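Once nftables and fail2ban have been restarted, it is worth verifying that the table, chain and set names line up, because fail2ban's nftables action simply fails, and nothing is blocked, when the table or chain it was told to use is missing or a set name exceeds the 15-character limit noted in nftables-common.local. The script below is an added example, not part of the wiki page: it runs against a constructed sample of nft list ruleset output (use the real command on a host) and assumes fail2ban names its sets <prefix>addr-set-<jail>, as the stock action file does.

```sh
# Added example, not from the wiki page: check that the ip/fail2ban table and
# input chain exist in the loaded ruleset and that fail2ban's set names fit
# the 15-character limit. On a live host use: RULESET=$(sudo nft list ruleset)

# Constructed sample of `nft list ruleset` after the steps above, with two
# addresses banned in a jail named "sshd" (set name = <prefix>addr-set-<jail>).
RULESET='table ip fail2ban {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 192.0.2.10, 198.51.100.7 }
    }
    chain input {
        type filter hook input priority 100; policy accept;
        tcp dport { 22 } ip saddr @addr-set-sshd drop
    }
}'

# table_exists FAMILY TABLE: succeeds if the ruleset declares that table
table_exists() {
    printf '%s\n' "$RULESET" | grep -q "^table $1 $2 "
}

# chain_exists CHAIN: succeeds if a chain of that name is declared
chain_exists() {
    printf '%s\n' "$RULESET" | grep -Eq "^[[:space:]]*chain $1[[:space:]]"
}

# set_name PREFIX JAIL: prints the set name fail2ban's nftables action builds
# (assumed to be <prefix>addr-set-<jail>, as in the stock nftables-common.conf)
set_name() {
    printf '%saddr-set-%s\n' "$1" "$2"
}

# set_name_ok NAME: succeeds if NAME is at most 15 characters long
set_name_ok() {
    [ "${#1}" -le 15 ]
}

# banned_count SET: number of addresses listed in that set, 0 if it is absent
banned_count() {
    printf '%s\n' "$RULESET" | awk -v want="$1" '
        $1 == "set" && $2 == want { inside = 1 }
        inside && $1 == "elements" { print (gsub(/,/, ",") + 1); exit }
        inside && $1 == "}" { print 0; exit }
        END { if (!inside) print 0 }'
}

# Run the checks with the values configured above (ip, fail2ban, input, no prefix)
table_exists ip fail2ban && chain_exists input \
    && set_name_ok "$(set_name '' sshd)" \
    && echo "ok: $(banned_count addr-set-sshd) address(es) banned in addr-set-sshd"
```

With the default prefix f2b- left in place, set_name_ok rejects f2b-addr-set-sshd (17 characters), which is exactly why the prefix is cleared in nftables-common.local above.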

Application configurations

Mailserver absichern#Fail2Ban (Securing a mail server)

Links

https://wiki.meurisse.org/wiki/Fail2Ban

https://wiki.ubuntuusers.de/fail2ban/

https://peters-christoph.de/blog/server/sicherheit-mit-fail2ban-erhoehen-postfix-ssh/

https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern
