Fail2ban: difference between revisions

From WikiMar
Revision as of 12:46, 6 March 2022

Commands

To list the active jails:

sudo fail2ban-client status

To see the status of one jail, including the IPs it has banned:

sudo fail2ban-client status sshd

See the last failed logins (read from /var/log/btmp):

sudo lastb -a

Install common

After installing fail2ban, configure it in a .local file so package upgrades do not overwrite your changes:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Add enabled = true under the jail of each service you run (sshd, apache, nginx, vsftpd, etc.). The key is "enabled", not "enable"; with the wrong key the jail stays disabled. The pam-generic jail is especially useful to enable. On Fedora/CentOS the authentication log is /var/log/secure, so change:

logpath  = /var/log/secure

instead of

logpath  = /var/log/auth.log

Also add ,23 after the ssh port in the [sshd] jail if sshd also listens on the telnet port. See the section below.

If reverse tunnels from other servers terminate on this host, attackers' connections arrive from 127.0.0.1, which fail2ban never bans by default (ignoreip = 127.0.0.1/8 ::1). To ban them too, empty the list:

ignoreip =

(in fail2ban 0.10 and later also set ignoreself = false). Caveat: a ban of 127.0.0.1 blocks every local client, legitimate ones included, until bantime expires.

Increase the ban time (the default is 10 minutes):

bantime  = 86400
findtime  = 86400
maxretry = 4

bantime is how long a ban lasts, findtime is the window in which maxretry failures must occur; 86400 seconds is one day.

Restart the service:

systemctl restart fail2ban

If it does not start, ask the client for the reason (verbose) or check the journal:

fail2ban-client -v -v start
journalctl -u fail2ban
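The whole procedure above (enabled jails, distro-specific logpath, port ssh,23, empty ignoreip, one-day bantime) as one script, added here as an example; it is not code from the original page or from the fail2ban project. It assumes a Debian/Ubuntu or Fedora/CentOS/Alma host, takes the distro family and an output path as arguments (the helper names write_jail_local and jail_setting are hypothetical), and writes a minimal jail.local of overrides instead of editing a full copy of jail.conf, which works because fail2ban reads jail.conf first and jail.local on top of it:

```shell
#!/bin/sh
# Added example (not from the page): generate the jail.local that the steps
# above produce, parameterised by distro family so the logpath difference is
# explicit. Assumptions: $1 is "debian" or "rhel", $2 is the output path
# (default /etc/fail2ban/jail.local). Run as root on the target host.
write_jail_local() {
  distro=${1:?debian|rhel}
  out=${2:-/etc/fail2ban/jail.local}
  case $distro in
    debian) authlog=/var/log/auth.log ;;
    rhel)   authlog=/var/log/secure ;;
    *) echo "unknown distro family: $distro" >&2; return 1 ;;
  esac
  cat >"$out" <<EOF
[DEFAULT]
# Empty ignoreip means even 127.0.0.1 can be banned (needed when reverse
# tunnels deliver attackers' connections from localhost). Caveat: a ban of
# 127.0.0.1 also cuts legitimate local clients until bantime expires.
ignoreip =
# One day instead of the default 10 minutes; findtime is the window in which
# maxretry failures trigger the ban.
bantime  = 86400
findtime = 86400
maxretry = 4

[sshd]
enabled = true
# sshd listening on the telnet port too; see the "ssh in telnet port" section.
port    = ssh,23
logpath = $authlog

[pam-generic]
enabled = true
logpath = $authlog
EOF
}

# Read one key from one section of an ini-style jail file (tiny awk parser,
# enough to check what was written; fail2ban-client -t is the real validator).
# Usage: jail_setting FILE SECTION KEY
jail_setting() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}
```

Typical use is write_jail_local rhel, then fail2ban-client -t to validate the result and systemctl restart fail2ban to apply it. Every setting in the generated file is an override; anything not listed keeps the value from jail.conf.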

Install Fail2ban on Ubuntu

sudo apt-get install fail2ban
sudo service fail2ban restart
sudo update-rc.d fail2ban enable

On systemd-based releases use systemctl enable --now fail2ban instead of the last two commands.


Install Fail2ban on CentOS/Fedora

Instead of installing the fail2ban metapackage with yum install fail2ban, install only the server and its systemd integration:

yum install fail2ban-server fail2ban-systemd
systemctl enable fail2ban
systemctl restart fail2ban

fail2ban-systemd makes the jails read the systemd journal (backend = systemd) instead of the files named in logpath.

The fail2ban metapackage also pulls in fail2ban-firewalld, and with it firewalld, which after a reboot applies its default zone and blocks inbound traffic to every service you have not explicitly opened; a server can become unreachable that way.


Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html


Almalinux

yum install epel-release
yum install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban

This installs the metapackage, so firewalld comes with it; see the note above.

Enable mail

 yum install fail2ban-sendmail

This provides the sendmail-* actions. In jail.local set destemail to the recipient and, on the jails that should notify, action = %(action_mw)s (ban plus a mail with whois output) or %(action_mwl)s (also includes the matching log lines).

Fail2ban when ssh in telnet port

Connections that send garbage to sshd (for instance telnet or HTTP clients hitting port 23 where sshd also listens) are not failures in the authentication sense, because no login takes place, so the default sshd filter ignores them.

If you want to ban them anyway, copy /etc/fail2ban/filter.d/sshd.conf to /etc/fail2ban/filter.d/sshd.local and add the following lines to failregex:

            ^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
            ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

Check the filter against the real log before restarting: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.local (use /var/log/secure on Fedora/CentOS). In fail2ban 0.10 and later the stock sshd filter has a mode setting; if your version's filter.d/sshd.conf already lists these patterns under mdre-ddos, setting mode = aggressive in the jail is enough and the copied filter is not needed.

Then add ,23 after the ssh port in /etc/fail2ban/jail.local, so the ban action also blocks port 23:

[sshd]
port    = ssh,23

https://github.com/fail2ban/fail2ban/issues/1284
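To see what the two extra regex lines catch before touching the live filter, here is a grep emulation of them over constructed log lines, added as an example; it is not code from the page or from the fail2ban project. It substitutes fail2ban's %(__prefix_line)s placeholder with a plain syslog prefix and <HOST> with an IPv4 address (both assumptions; fail2ban's real prefix and host patterns are broader), and the sample lines are made up, not captures:

```shell
#!/bin/sh
# Added example (not from the page): emulate the two extra sshd failregex
# lines with grep -E. Placeholder substitutions are assumptions for this demo:
#   %(__prefix_line)s -> "Mon DD HH:MM:SS host sshd[pid]: "
#   <HOST>            -> an IPv4 address (fail2ban also matches IPv6 and hostnames)
PREFIX='^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: '
HOST='([0-9]{1,3}\.){3}[0-9]{1,3}'
RE_BADPROTO="${PREFIX}Bad protocol version identification '.*' from ${HOST} port [0-9]+ *$"
RE_NOIDENT="${PREFIX}Did not receive identification string from ${HOST} *$"

# Constructed sample log: two pre-auth garbage connections, one real password
# failure (matched by the stock filter, not by these two lines) and one success.
sample_log() {
  cat <<'EOF'
Mar  6 12:40:01 srv sshd[2201]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.7 port 51022
Mar  6 12:40:05 srv sshd[2202]: Did not receive identification string from 198.51.100.9
Mar  6 12:40:09 srv sshd[2203]: Failed password for invalid user admin from 192.0.2.4 port 40022 ssh2
Mar  6 12:40:12 srv sshd[2204]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
EOF
}

# Print the <HOST> of each stdin line matched by either extra pattern, i.e. the
# addresses the sshd jail would count once sshd.local carries these regexes.
preauth_offenders() {
  grep -E -e "$RE_BADPROTO" -e "$RE_NOIDENT" \
    | sed -E 's/.* from (([0-9]{1,3}\.){3}[0-9]{1,3})( port [0-9]+)? *$/\1/'
}

# Number of matches; the jail bans a host once its count reaches maxretry
# within findtime.
preauth_count() {
  preauth_offenders | wc -l | tr -d ' '
}

# Demo run: prints 203.0.113.7 and 198.51.100.9, not the two real logins.
sample_log | preauth_offenders
```

The authoritative check is fail2ban's own tester against the real log, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.local, which reports how many lines each failregex matched; the grep version only shows why the "Failed password" and "Accepted" lines are not the business of these two patterns.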

Alternative

If sshd really listens on port 23 instead of 22, edit the file

/etc/services

so that the ssh entry points at the port in use; port = ssh in the jail then resolves to it.


Default config

The default 10-minute ban is not enough.

Edit /etc/fail2ban/jail.local (not jail.conf, which package upgrades overwrite):

bantime  = 86400
findtime  = 86400

86400 seconds is one day