Difference between revisions of "Talk:Fail2ban"

From SME Server
Jump to navigationJump to search
m
(install fail2ban-subnets)
 
(4 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Note box|Please do not edit the main how-to directly if you want to provide feedback or experiences. The blog style (first person) writing is not consistent with the 'documentation' style of the main how-to. The owner of the page or someone from the doc team can format your information if it's invalided.}}
 
  
 +
==Proposed addition to "user contributions" section==
 +
[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 04:43, 19 August 2017 (CEST)
  
'''With many thanks to the author for his work''' templating the install of Fail2Ban into SME8/9 here are some notes for introduction:
+
Note: these procedures get the files installed and allow fail2ban and fail2ban-subnets to run without any errors, but I don't know if fail2ban is actually working after making these changes...
  
* F2B adds to SMEserver's own high security after SME has already reported forbidden access, file not found or a relaying denied error. F2B filters read appropriate logs and associated jails implement timed bans (by dropping all packets arriving from the culprit IP). Another F2B action sends a notifying email.  
+
===Ban offending subnets===
 +
[https://forums.contribs.org/index.php/topic,51127.msg276126.html#msg276126 Holck found a reference] to an add-on for fail2ban that bans subnets with repeated offences from multiple IPs.
  
* Restarting the contrib clears existing bans but a suitable 'findtime' results in a reban. Be aware that the restart delay can be unexpectedly lengthy, I've noticed a variation of between a few seconds to one that extended to nearly 40 minutes! YMMV
+
"[https://github.com/XaF/fail2ban-subnets fail2ban-subnets] aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses."
  
* The 'out of the box' install's given filters are *already* completely capable of detecting most problems without any user templating being necessary.
+
====Prerequisites====
 +
* [[Fail2ban#Installation_sme8_and_sme9]]
 +
* Git
  
* Parameters are passed using db commands. On my SME8.1 and with only www & email expectations (no SSH) I used:
+
====Installation====
 +
<nowiki>mkdir -p ~/addons
 +
cd ~/addons
 +
git clone https://github.com/XaF/fail2ban-subnets.git
 +
# mkdir -p /etc/fail2ban/action.d.local /etc/fail2ban/filter.d.local
 +
cp ~/addons/fail2ban-subnets/action.d.local/iptables-subnet.conf /etc/fail2ban/action.d/iptables-subnet.local
 +
cp ~/addons/fail2ban-subnets/filter.d.local/subnets.conf /etc/fail2ban/filter.d/subnets.local
 +
cat ~/addons/fail2ban-subnets/jail.local >> /etc/fail2ban/jail.local
 +
service fail2ban restart
 +
</nowiki>
  
db configuration setprop qpsmtpd Fail2Ban enabled
+
====Test====
 +
<nowiki>cd ~/addons/fail2ban-subnets
 +
perl fail2ban-subnets.py
 +
</nowiki>
  
db configuration setprop httpd-e-smith Fail2Ban enabled
+
====Activate hourly updates====
 +
cp ~/addons/fail2ban-subnets/fail2ban-subnets.py /etc/cron.hourly
  
config setprop fail2ban MailRecipient root
+
====Remove====
 +
<nowiki># remove the custom action and filter
 +
'rm' /etc/fail2ban/action.d/iptables-subnet.local
 +
'rm' /etc/fail2ban/filter.d/subnets.local
 +
#
 +
# if you have other fail2ban custom jails you may need to edit /etc/fail2ban/jail.local
 +
# otherwise, you can remove the entire file using
 +
#
 +
'rm' /etc/fail2ban/jail.local
 +
#
 +
# remove the hourly cron job
 +
'rm' /etc/cron.hourly/fail2ban-subnets.py
 +
#
 +
# restart fail2ban
 +
signal-event fail2ban-conf
 +
service fail2ban restart
 +
</nowiki>
  
config setprop fail2ban FindTime 1200
 
 
config setprop fail2ban BanTime 604800
 
 
config setprop fail2ban MaxRetry 1
 
 
signal-event fail2ban-conf
 
  
* don't use MaxTry=0 (apparently it is a special Perl value)
+
==Proposed update for the checklist_ban script==
 +
[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 14:54, 7 May 2017 (CEST)
  
* required www triggers need to have appeared in /var/log/httpd/error_log
+
<nowiki>#!/bin/bash
 +
#lancer le script en sudo
 +
echo -e "Jail            failed / banned"   
  
* required email triggers need to have appeared in /var/log/*qpsmtpd/current
+
JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
 +
for j in $JAILS
 +
do
 +
jail="$j                    "
 +
failed=$(fail2ban-client status $j | grep " Currently failed:" | sed 's/[^0-9]*//')
 +
banned=$(fail2ban-client status $j | grep " Currently banned:" | sed 's/[^0-9]*//')
 +
echo -e "${jail:0:20} $failed / $banned"
 +
done
 +
</nowiki>
  
I broke the master template by making the internal multipliers ($MaxRetry/$max) equivalent to unity. <br />
 
The expanded jail.conf then showed only my own db command value for MaxRetry=1: <br />
 
see /etc/e-smith/templates/ect/fail2ban/jail.conf/*
 
  
On installation and eventual configuration I have observed automatic immediate bans <br />
+
Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.
for all 'relaying denied' email and iterations of semalt referer spam within 'findtime':-)
+
----
 +
@Piran: don't take comments personally to quickly. HFW just pointed out that to keep the wiki readable it needs some style (see: [[Help:Wiki_Manual_of_Style|Wiki Manual of Style]]). I've added the most important parts to the page, the rest i would keep as your personal notes.

Latest revision as of 03:43, 19 August 2017

Proposed addition to "user contributions" section

Mmccarn (talk) 04:43, 19 August 2017 (CEST)

Note: these procedures get the files installed and allow fail2ban and fail2ban-subnets to run without any errors, but I don't know if fail2ban is actually working after making these changes...

Ban offending subnets

Holck found a reference to an add-on for fail2ban that bans subnets with repeated offences from multiple IPs.

"fail2ban-subnets aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses."

Prerequisites

Installation

mkdir -p ~/addons
cd ~/addons
git clone https://github.com/XaF/fail2ban-subnets.git
# mkdir -p /etc/fail2ban/action.d.local /etc/fail2ban/filter.d.local
cp ~/addons/fail2ban-subnets/action.d.local/iptables-subnet.conf /etc/fail2ban/action.d/iptables-subnet.local
cp ~/addons/fail2ban-subnets/filter.d.local/subnets.conf /etc/fail2ban/filter.d/subnets.local
cat ~/addons/fail2ban-subnets/jail.local >> /etc/fail2ban/jail.local
service fail2ban restart

Test

cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py

Activate hourly updates

cp ~/addons/fail2ban-subnets/fail2ban-subnets.py /etc/cron.hourly

Remove

# remove the custom action and filter
'rm' /etc/fail2ban/action.d/iptables-subnet.local
'rm' /etc/fail2ban/filter.d/subnets.local
#
# if you have other fail2ban custom jails you may need to edit /etc/fail2ban/jail.local
# otherwise, you can remove the entire file using
#
'rm' /etc/fail2ban/jail.local
#
# remove the hourly cron job
'rm' /etc/cron.hourly/fail2ban-subnets.py
#
# restart fail2ban
signal-event fail2ban-conf
service fail2ban restart


Proposed update for the checklist_ban script

Mmccarn (talk) 14:54, 7 May 2017 (CEST)

#!/bin/bash
#lancer le script en sudo
echo -e "Jail            failed / banned"     

JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
for j in $JAILS
do
jail="$j                    "
failed=$(fail2ban-client status $j | grep " Currently failed:" | sed 's/[^0-9]*//')
banned=$(fail2ban-client status $j | grep " Currently banned:" | sed 's/[^0-9]*//')
echo -e "${jail:0:20} $failed / $banned"
done


Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.


@Piran: don't take comments personally to quickly. HFW just pointed out that to keep the wiki readable it needs some style (see: Wiki Manual of Style). I've added the most important parts to the page, the rest i would keep as your personal notes.