688
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − {{Note box|Please do not edit the main how-to directly if you want to provide feedback or experiences. The blog style (first person) writing is not consistent with the 'documentation' style of the main how-to. The owner of the page or someone from the doc team can format your information if it's invalided.}} + + − '''With many thanks to the author for his work''' templating the install of Fail2Ban into SME8/9 here are some notes for introduction: + − * F2B adds to SMEserver's own high security after SME has already reported forbidden access, file not found or a relaying denied error. F2B filters read appropriate logs and associated jails implement timed bans (by dropping all packets arriving from the culprit IP). Another F2B action sends a notifying email. + + − * Restarting the contrib clears existing bans but a suitable 'findtime' results in a reban. Be aware that the restart delay can be unexpectedly lengthy, I've noticed a variation of between a few seconds to one that extended to nearly 40 minutes! YMMV+ − + + + − * Parameters are passed using db commands. On my SME8.1 and with only www & email expectations (no SSH) I used:+ + + + + + + + + + − db configuration setprop qpsmtpd Fail2Ban enabled+ + + + − db configuration setprop httpd-e-smith Fail2Ban enabled+ + − config setprop fail2ban MailRecipient root+ + + + + + + + + + + + + + + + + − config setprop fail2ban FindTime 1200 − − config setprop fail2ban BanTime 604800 − − config setprop fail2ban MaxRetry 1 − − signal-event fail2ban-conf − * don't use MaxTry=0 (apparently it is a special Perl value)+ + − * required www triggers need to have appeared in /var/log/httpd/error_log+ + + − + + + + + + + + + − I broke the master template by making the internal multipliers ($MaxRetry/$max) equivalent to unity. <br /> − The expanded jail.conf then showed only my own db command value for MaxRetry=1: <br /> − see /etc/e-smith/templates/ect/fail2ban/jail.conf/* − On installation and eventual configuration I have observed automatic immediate bans <br />+ − for all 'relaying denied' email and iterations of semalt referer spam within 'findtime':-)+ +
install fail2ban-subnets
==Proposed addition to "user contributions" section==
[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 04:43, 19 August 2017 (CEST)
Note: these procedures get the files installed and allow fail2ban and fail2ban-subnets to run without any errors, but I don't know if fail2ban is actually working after making these changes...
===Ban offending subnets===
[https://forums.contribs.org/index.php/topic,51127.msg276126.html#msg276126 Holck found a reference] to an add-on for fail2ban that bans subnets with repeated offences from multiple IPs.
"[https://github.com/XaF/fail2ban-subnets fail2ban-subnets] aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses."
* The 'out of the box' install's given filters are *already* completely capable of detecting most problems without any user templating being necessary.
====Prerequisites====
* [[Fail2ban#Installation_sme8_and_sme9]]
* Git
====Installation====
<nowiki>mkdir -p ~/addons
cd ~/addons
git clone https://github.com/XaF/fail2ban-subnets.git
# mkdir -p /etc/fail2ban/action.d.local /etc/fail2ban/filter.d.local
cp ~/addons/fail2ban-subnets/action.d.local/iptables-subnet.conf /etc/fail2ban/action.d/iptables-subnet.local
cp ~/addons/fail2ban-subnets/filter.d.local/subnets.conf /etc/fail2ban/filter.d/subnets.local
cat ~/addons/fail2ban-subnets/jail.local >> /etc/fail2ban/jail.local
service fail2ban restart
</nowiki>
====Test====
<nowiki>cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py
</nowiki>
====Activate hourly updates====
cp ~/addons/fail2ban-subnets/fail2ban-subnets.py /etc/cron.hourly
====Remove====
<nowiki># remove the custom action and filter
'rm' /etc/fail2ban/action.d/iptables-subnet.local
'rm' /etc/fail2ban/filter.d/subnets.local
#
# if you have other fail2ban custom jails you may need to edit /etc/fail2ban/jail.local
# otherwise, you can remove the entire file using
#
'rm' /etc/fail2ban/jail.local
#
# remove the hourly cron job
'rm' /etc/cron.hourly/fail2ban-subnets.py
#
# restart fail2ban
signal-event fail2ban-conf
service fail2ban restart
</nowiki>
==Proposed update for the checklist_ban script==
[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 14:54, 7 May 2017 (CEST)
<nowiki>#!/bin/bash
#lancer le script en sudo
echo -e "Jail failed / banned"
* required email triggers need to have appeared in /var/log/*qpsmtpd/current
JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
for j in $JAILS
do
jail="$j "
failed=$(fail2ban-client status $j | grep " Currently failed:" | sed 's/[^0-9]*//')
banned=$(fail2ban-client status $j | grep " Currently banned:" | sed 's/[^0-9]*//')
echo -e "${jail:0:20} $failed / $banned"
done
</nowiki>
Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.
----
@Piran: don't take comments personally to quickly. HFW just pointed out that to keep the wiki readable it needs some style (see: [[Help:Wiki_Manual_of_Style|Wiki Manual of Style]]). I've added the most important parts to the page, the rest i would keep as your personal notes.