Fail2ban
Introduction
Fail2ban is a Python application that scans log files and bans hosts that show signs of authentication or other attacks against the services it watches.
install
- install
apt install fail2ban
- copy jail.conf to jail.local, because jail.conf is overwritten when fail2ban is updated.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- customise the defaults section in jail.local
[DEFAULT]
bantime = 10h
ignoreip = 10.10.10.0/24
maxretry = 5
enabled = false
remove
- fully remove
apt remove fail2ban
apt purge --auto-remove fail2ban
security
- You should always run fail2ban on your ssh server to block hosts that keep trying to log in and use your system
sudo apt install fail2ban
- edit /etc/ssh/sshd_config and ensure PermitRootLogin no
Note: your fail2ban might reject 10h, in which case use seconds: 10*60*60 = 36000
rules
sshd
- ensure that the sshd jail is enabled in your /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf
- set the sshd access log (on Debian it is /var/log/auth.log)
- set the bantime: plain numbers are seconds; suffixes are m (minutes), h (hours), d (days)
bantime = 10h
vi /etc/fail2ban/jail.d/local.conf
[sshd]
enabled = true
filter = sshd
findtime = 10m
bantime = 15m
maxretry = 5
ignoreip = 10.10.10.0/24 138.44.192.14 1.141.0.0/16 124.168.39.77
banaction = iptables[name=sshd,port=ssh,protocol=tcp]
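To see how findtime, maxretry, bantime and ignoreip interact in the [sshd] stanza above, here is an added Python replay of those rules over a constructed auth.log excerpt. It is not fail2ban's own code: the failregex is a simplified stand-in for the one shipped in filter.d/sshd.conf, the log lines are made up (documentation addresses only), and the missing syslog year is assumed to be 2020.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as set in the [sshd] stanza above.
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=15)
MAXRETRY = 5
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ("10.10.10.0/24", "138.44.192.14", "1.141.0.0/16", "124.168.39.77")]

# Simplified stand-in for fail2ban's sshd failregex (assumption: the shipped
# filter in filter.d/sshd.conf covers many more message forms than this one).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)
LOG_YEAR = 2020  # syslog lines carry no year; the constructed sample is dated 2020

# Constructed /var/log/auth.log excerpt (not real traffic).
AUTH_LOG = """\
Sep 30 18:02:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 30 18:02:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 30 18:02:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51131 ssh2
Sep 30 18:02:13 host sshd[1207]: Failed password for root from 203.0.113.7 port 51132 ssh2
Sep 30 18:02:17 host sshd[1209]: Failed password for root from 203.0.113.7 port 51133 ssh2
Sep 30 18:02:20 host sshd[1211]: Accepted publickey for alice from 10.10.10.5 port 40001 ssh2: RSA SHA256:constructed
Sep 30 18:05:00 host sshd[1300]: Failed password for bob from 10.10.10.5 port 40002 ssh2
Sep 30 18:05:03 host sshd[1302]: Failed password for bob from 10.10.10.5 port 40003 ssh2
Sep 30 18:05:06 host sshd[1304]: Failed password for bob from 10.10.10.5 port 40004 ssh2
Sep 30 18:05:09 host sshd[1306]: Failed password for bob from 10.10.10.5 port 40005 ssh2
Sep 30 18:05:12 host sshd[1308]: Failed password for bob from 10.10.10.5 port 40006 ssh2
Sep 30 18:30:00 host sshd[1400]: Failed password for root from 198.51.100.9 port 42000 ssh2
Sep 30 18:45:00 host sshd[1402]: Failed password for root from 198.51.100.9 port 42001 ssh2
Sep 30 19:00:00 host sshd[1404]: Failed password for root from 198.51.100.9 port 42002 ssh2
Sep 30 19:15:00 host sshd[1406]: Failed password for root from 198.51.100.9 port 42003 ssh2
Sep 30 19:30:00 host sshd[1408]: Failed password for root from 198.51.100.9 port 42004 ssh2
"""


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def is_ignored(host):
    """ignoreip semantics: addresses inside any listed network are never counted or banned."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IGNOREIP)


def simulate_jail(lines, findtime=FINDTIME, bantime=BANTIME, maxretry=MAXRETRY):
    """Replay log lines; return {ip: ban-expiry datetime} for hosts that reach
    maxretry failures inside a sliding findtime window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line (or not one this simplified regex knows)
        host, ts = m["host"], parse_ts(m["ts"])
        if is_ignored(host):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts + bantime
            q.clear()
    return banned


def banned_hosts(log_text=AUTH_LOG):
    """{ip: expiry as ISO string} for the sample log, using the stanza's values."""
    return {ip: exp.isoformat() for ip, exp in simulate_jail(log_text.splitlines()).items()}


if __name__ == "__main__":
    for ip, expiry in banned_hosts().items():
        print(f"Ban {ip} until {expiry}")
```

Running it bans only 203.0.113.7: the five failures from 10.10.10.5 fall inside ignoreip, and 198.51.100.9 never accumulates five failures within one 10-minute window, which is the point of findtime. The real jail keeps the ban for bantime and then lets the counter start again, exactly as the expiry value shows.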
geoip
You can activate a geolocation-based ruleset to restrict access to sshd by country.
- install the geoip tools and database
apt install geoip-bin geoip-database
- include the geo-iptables-multiport.conf action
cd /etc/fail2ban/action.d/
wget https://raw.githubusercontent.com/AbhishekGhosh/fail2ban-geo/master/action.d/geo-iptables-multiport.conf
- edit the action
vi /etc/fail2ban/action.d/geo-iptables-multiport.conf
- include accepted country names
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Excludes the countries in <country_list> from banning; every other IP
# is appended to <file> as "<daemon_list>: <ip>".
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = IP=<ip> &&
            COUNTRY=$(geoiplookup $IP | egrep "<country_list>") && [ "$COUNTRY" ] ||
            (printf %%b "<daemon_list>: $IP\n" >> <file>)
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# The sed address must use the same prefix that actionban wrote
# (<daemon_list>), otherwise entries are never removed from <file>.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = IP=<ip> && sed -i.old /<daemon_list>:\ $IP/d <file>
[Init]
# Option: country_list
# Notes.: List of exempted countries separated by pipe "|"
# Values: STR Default:
#
country_list = AU|US
# Option: file
# Notes.: hosts.deny file path.
# Values: STR Default: /etc/hosts.deny
#
file = /etc/hosts.deny
# Option: daemon_list
# Notes: The list of services that this action will deny. See the man page
# for hosts.deny/hosts_access. Default is all services.
# Values: STR Default: ALL
daemon_list = sshd
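The action above, despite its name, does not touch iptables at all: actionban pipes geoiplookup through egrep and, when no exempt country matches, appends a "<daemon_list>: <ip>" line to /etc/hosts.deny, and actionunban deletes that line with sed. The following is an added Python model of exactly that logic so the decisions can be checked offline; it is not part of the fail2ban-geo project. The geoiplookup output is a constructed fixture, and the sed address is approximated as a substring match.

```python
import re

# Constructed stand-in for the output of `geoiplookup <ip>` so this runs offline.
GEOIP_FIXTURE = {
    "203.0.113.7":  "GeoIP Country Edition: RU, Russian Federation",
    "198.51.100.9": "GeoIP Country Edition: AU, Australia",
    "192.0.2.44":   "GeoIP Country Edition: IP Address not found",
    "192.0.2.10":   "GeoIP Country Edition: CN, China",
    "192.0.2.1":    "GeoIP Country Edition: BR, Brazil",
}
COUNTRY_LIST = "AU|US"   # [Init] country_list from the action file above
DAEMON_LIST = "sshd"     # [Init] daemon_list from the action file above


def geoiplookup(ip):
    return GEOIP_FIXTURE.get(ip, "GeoIP Country Edition: IP Address not found")


def is_exempt(ip, country_list=COUNTRY_LIST):
    """Mirror of `geoiplookup $IP | egrep "<country_list>"`: any match exempts the IP.
    The search is unanchored, so it matches anywhere in the lookup output, and an
    unresolvable address ("IP Address not found") is never exempt."""
    return re.search(country_list, geoiplookup(ip)) is not None


def actionban(hosts_deny, ip, daemon_list=DAEMON_LIST):
    """Mirror of actionban: exempt IPs are left alone, every other IP gets a
    `<daemon_list>: <ip>` line appended to the hosts.deny contents."""
    if is_exempt(ip):
        return list(hosts_deny)
    return list(hosts_deny) + [f"{daemon_list}: {ip}"]


def actionunban(hosts_deny, ip, prefix=DAEMON_LIST):
    r"""Approximation of `sed -i.old /<prefix>:\ $IP/d <file>`: sed's address is an
    unanchored pattern, so unbanning 192.0.2.1 also removes a 192.0.2.10 line."""
    needle = f"{prefix}: {ip}"
    return [line for line in hosts_deny if needle not in line]


if __name__ == "__main__":
    deny = []
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
        deny = actionban(deny, ip)
    print(deny)                                   # AU host is not written
    print(actionunban(deny, "203.0.113.7", "ALL"))  # wrong prefix: nothing removed
    print(actionunban(deny, "203.0.113.7"))        # matching prefix: removed
```

Two things worth checking before relying on this action: /etc/hosts.deny only affects services linked against TCP wrappers, so confirm with `ldd /usr/sbin/sshd | grep libwrap` that your sshd honours it at all (no output means the file is ignored and the action silently does nothing); and because the sed address is unanchored, an unban for a short address can also drop a longer one that starts with the same digits.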
geoip rule
vi /etc/fail2ban/jail.d/local.conf or /etc/fail2ban/jail.local
Note: this should not be placed into the sshd.conf
[geoip]
enabled = true
port = ssh
filter = sshd
banaction = geo-iptables-multiport
logpath = /var/log/auth.log
maxretry = 3
ignoreip = 10.10.10.0/24 192.168.0.0/24 192.169.1.0/24 138.44.192.14 1.141.0.0/16 124.168.39.77
bantime = 10h
findtime = 10h
- alter the action to ban the recalcitrant host from accessing all services, not just sshd
vi /etc/fail2ban/action.d/geo-iptables-multiport.conf
- change the last line to ALL
daemon_list = ALL
Since I have two filters, one for retries and the other for geoip blocking, we have these results in /var/log/fail2ban.log:
2020-09-30 17:57:14,402 fail2ban.filter [26489]: INFO [geoip] Found 110.167.231.171 - 2020-09-30 17:57:14
2020-09-30 17:57:14,995 fail2ban.actions [26489]: WARNING [geoip] 110.167.231.171 already banned
2020-09-30 18:03:09,174 fail2ban.filter [26489]: INFO [geoip] Found 110.167.231.171 - 2020-09-30 18:03:09
2020-09-30 18:03:09,174 fail2ban.filter [26489]: INFO [sshd] Found 110.167.231.171 - 2020-09-30 18:03:09
2020-09-30 18:03:09,176 fail2ban.filter [26489]: INFO [geoip] Found 110.167.231.171 - 2020-09-30 18:03:09
2020-09-30 18:03:09,177 fail2ban.filter [26489]: INFO [sshd] Found 110.167.231.171 - 2020-09-30 18:03:09
2020-09-30 18:03:09,243 fail2ban.actions [26489]: NOTICE [sshd] Ban 110.167.231.171
2020-09-30 18:03:11,098 fail2ban.filter [26489]: INFO [geoip] Found 110.167.231.171 - 2020-09-30 18:03:11
2020-09-30 18:03:11,099 fail2ban.filter [26489]: INFO [sshd] Found 110.167.231.171 - 2020-09-30 18:03:11
2020-09-30 18:03:11,465 fail2ban.actions [26489]: WARNING [geoip] 110.167.231.171 already banned
apache2
public-apache
[public-apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /data/public-wiki/www/log/error.log
ignoreip = 127.0.0.0/8
maxretry = 2
irigis
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /mnt/repos/www/ir-gis.com/log/error.log
ignoreip = 127.0.0.1
maxretry = 2
nginx
nginx can be hardened by installing fail2ban filters. Follow the installation and customisation instructions above first.
The filters are then incorporated by editing your /etc/fail2ban/jail.local (or /etc/fail2ban/filter.d/nginx.conf, or a config file of your preference) following these steps: [1] [2] [3]
- enable basic authentication checking
[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
- modify the filter
vi /etc/fail2ban/filter.d/nginx-http-auth.conf
# fail2ban filter configuration for nginx
# modified by RBH 20211113 to make it work at all
[Definition]
failregex = ^ \[(info|error)\] \d+#\d+: \*\d+ (user "[^"]+":? password mismatch|no user\/password was provided for basic authentication|user "[^"]+" was not found in "[^"]+"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "[^"]*")?\s*$
ignoreregex =
datepattern = {^LN-BEG}
# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
#
# Author: Daniel Black
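The quickest way to find out whether a modified failregex actually matches your log is to test it against real lines. Fail2ban ships `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf` for that; the block below is an added Python equivalent (not fail2ban's own code) that runs the failregex from the filter above over constructed nginx error-log lines. It assumes fail2ban expands the `<HOST>` tag to roughly the pattern given as `HOST`, and it strips the leading timestamp by hand because `datepattern = {^LN-BEG}` means the date sits at the very start of each line and is removed before the failregex is applied.

```python
import re

# Assumption: fail2ban's expansion of <HOST>; close to the shipped one, not copied from it.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex copied from the modified nginx-http-auth.conf above.
FAILREGEX = (
    r'^ \[(info|error)\] \d+#\d+: \*\d+ (user "[^"]+":? password mismatch'
    r'|no user\/password was provided for basic authentication'
    r'|user "[^"]+" was not found in "[^"]+"), client: <HOST>, server: \S*, '
    r'request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "[^"]*")?\s*$'
)
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# datepattern = {^LN-BEG}: the timestamp is at line start and is cut off before
# matching, so what the failregex sees begins with " [error] ...".
DATE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d")

# Constructed /var/log/nginx/error.log lines (documentation addresses only).
SAMPLE_ERROR_LOG = [
    '2021/11/13 10:00:01 [error] 1234#1234: *5 user "bob": password mismatch, '
    'client: 203.0.113.7, server: example.org, request: "GET /admin/ HTTP/1.1", host: "example.org"',
    '2021/11/13 10:00:04 [error] 1234#1234: *6 no user/password was provided for basic authentication, '
    'client: 203.0.113.7, server: example.org, request: "GET /admin/ HTTP/1.1", host: "example.org"',
    '2021/11/13 10:00:09 [error] 1234#1234: *8 user "eve" was not found in "/etc/nginx/.htpasswd", '
    'client: 198.51.100.23, server: example.org, request: "POST /admin/login HTTP/1.1", '
    'host: "example.org", referrer: "https://example.org/admin/"',
    # An unrelated error: must NOT be counted as an authentication failure.
    '2021/11/13 10:00:12 [error] 1234#1234: *9 open() "/var/www/html/missing" failed '
    '(2: No such file or directory), client: 192.0.2.5, server: example.org, '
    'request: "GET /missing HTTP/1.1", host: "example.org"',
]


def failed_hosts(lines=SAMPLE_ERROR_LOG):
    """Return the client address of every line the failregex matches, in log order.
    Each returned entry is one failure that counts towards maxretry for that host."""
    hits = []
    for line in lines:
        rest = DATE.sub("", line, count=1)   # what fail2ban hands to the failregex
        m = PATTERN.search(rest)
        if m:
            hits.append(m["host"])
    return hits


if __name__ == "__main__":
    for host in failed_hosts():
        print("matched:", host)
```

All three authentication failures are captured (two for 203.0.113.7, one for 198.51.100.23, the last one carrying a referrer), while the file-not-found error is ignored. If a line you expect to count is not returned here, it will not be counted by the jail either; compare the exact message text against the alternation in the failregex and extend it there.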
- enable botsearch
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
- enable nginx-nohome
[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/nginx/access.log
maxretry = 2
- enable nginx-noproxy
[nginx-noproxy]
enabled = true
port = http,https
filter = nginx-noproxy
logpath = /var/log/nginx/access.log
maxretry = 2
- DOS / rate limiting: see https://rtcamp.com/tutorials/nginx/fail2ban/
sshd interactions
- install ssh
sudo apt install ssh
- configuration
sudo vi /etc/ssh/sshd_config
It is a good idea to set up a jail that restricts user or group privileges when handing out ssh tunnels or keys.
- Add some groups to allow various users privileges
addgroup allow_ssh
addgroup allow_tunnel
- any user permitted to tunnel is added to allow_tunnel
- any user permitted to ssh is added to allow_ssh group
- establish the ssh permissions by editing sshd_config
AllowGroups allow_ssh
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
Match Group allow_tunnel
AllowTcpForwarding yes
AllowAgentForwarding yes
- you can also put users into a chroot and set options such as PermitOpen to limit them to the one server they are permitted to connect to:
Match group proxy-only
# AllowTcpForwarding no
ChrootDirectory %h
ForceCommand /sbin/nologin
# GatewayPorts yes
# KbdInteractiveAuthentication no
# PasswordAuthentication no
# PubkeyAuthentication yes
# PermitRootLogin no
PermitTTY no
PermitOpen 192.168.88.49:22
- See https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/ for details on a sshd user chroot jail
flushing rules
You can list the rules via
iptables -L
You can flush all the f2b-ssh rules via:
iptables -F f2b-sshd
You can flush all the f2b-nginx-http-auth rules via:
iptables -F f2b-nginx-http-auth
Don't forget to fix the underlying problem by adding an ignoreip entry for the remote IP you just blocked, and you must restart fail2ban so that all the other rules are put back to keep out the nasties. You can only repair your server if you have at least two machines you can remote in from, or direct console access. Hint: keep two ssh sessions going when you work remotely; if you accidentally lock yourself out of one, be extra careful with the other and use it to ssh back to the former host and fix the rules to unblock the new remote IP. Of course you must also add ignoreip entries for your local network machines before you leave to work remotely, so that you can cross over from another machine and fix things while setting up a new remote location.
configuration include
Configuration files can include other (defining common variables) configuration files, which is often used in Filters and Actions. Such inclusions are defined in a section called [INCLUDES]:
- before - indicates that the specified file is to be parsed before the current file.
- after - indicates that the specified file is to be parsed after the current file.
See also
See also listsd.
references
- [1] fail2ban nginx filters: https://gist.github.com/JulienBlancher/48852f9d0b0ef7fd64c3
- [2] How to protect an nginx server with fail2ban on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
- [3] fail2ban nginx DOS: https://lazertechnologies.com/blog/secure-your-api-from-ddos-attacks-with-nginx-and-fail2ban
- How to list and delete iptables firewall rules: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
- pihole dns httpd etc: https://munkjensen.net/wiki/index.php/Access_control_using_Fail2Ban_and_geoip
