Alpine Linux - User contributions [en]

Fail2ban

2018-10-11T20:45:19Z

EuroDomenii: /* Different ssh port number */

== Install ==
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]])
{{cmd |apk add fail2ban}}
Enable the fail2ban service so that it starts at boot:
{{cmd |rc-update add fail2ban}}
Start the fail2ban service immediately and create configuration files:
{{cmd |/etc/init.d/fail2ban start}}
List services to verify fail2ban is enabled:
{{cmd | rc-status}}
== Configuration ==
*Configuration files are located at /etc/fail2ban
==SSH Daemon==
*The default jail "ssh" was added in 2015 ( see https://bugs.alpinelinux.org/issues/966 and [https://git.alpinelinux.org/cgit/aports/commit/?id=d0457a4cbde06be9e6fdf2203fd53b1b05225b98 commit])
===Alpine new sshd key filter===
*Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf
*But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work
*There are opinions against the utility of fail2ban: <s>''Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)'' </s>
**but it seems to be useful : ''I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs [https://news.ycombinator.com/item?id=8049916 via]''
*We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version
<pre>
Connection reset by 153.99.182.39 port 48966 [preauth]
Received disconnect from 153.99.182.39 port 21183:11: [preauth]
Disconnected from 153.99.182.39 port 21183 [preauth]
</pre>
*Their fix is mode=aggressive, but it doesn't work in alpine
<s>
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd[mode=aggressive]
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
</s>
*These above logs message corresponds to the following use cases:
**attempts to login without private key
**attempts to login with wrong private key
**attempts to login with wrong passphrase aren't logged
*https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436 solution doesn't work out of the box, so the custom setup for alpine is:
{{cmd | vi /etc/fail2ban/jail.d/alpine-ssh.conf }}
<pre>
[sshd]
enabled = true
filter = alpine-sshd
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
{{cmd | vi /etc/fail2ban/filter.d/alpine-sshd-key.conf }}
<pre>
# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
</pre>
*/etc/init.d/fail2ban restart

===How to test new filters===
{{cmd | fail2ban-regex /var/log/messages alpine-sshd-key.conf}}
===Unban ip===
{{cmd | fail2ban-client set sshd unbanip BannedIP}}
or
<pre>
fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd
</pre>
===Different ssh port number===
You can change the port value to any positive integer in
via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
</pre>
===Increase bantime===
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
bantime = 24h

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
bantime = 24h

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
bantime = 24h
</pre>

Fail2ban

2018-10-11T20:16:16Z

EuroDomenii: /* Alpine new sshd key filter */

Fail2ban

2018-10-11T20:10:26Z

EuroDomenii: /* Alpine new sshd key filter */

== Install ==
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]])
{{cmd |apk add fail2ban}}
Enable the fail2ban service so that it starts at boot:
{{cmd |rc-update add fail2ban}}
Start the fail2ban service immediately and create configuration files:
{{cmd |/etc/init.d/fail2ban start}}
List services to verify fail2ban is enabled:
{{cmd | rc-status}}
== Configuration ==
*Configuration files are located at /etc/fail2ban
==SSH Daemon==
*The default jail "ssh" was added in 2015 ( see https://bugs.alpinelinux.org/issues/966 and [https://git.alpinelinux.org/cgit/aports/commit/?id=d0457a4cbde06be9e6fdf2203fd53b1b05225b98 commit])
===Alpine new sshd key filter===
*Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf
*But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work
*There are opinions against the utility of fail2ban: <s>''Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)'' </s>
**but it seems to be useful : ''I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs [https://news.ycombinator.com/item?id=8049916 via]''
*We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version
<pre>
Connection reset by 153.99.182.39 port 48966 [preauth]
Received disconnect from 153.99.182.39 port 21183:11: [preauth]
Disconnected from 153.99.182.39 port 21183 [preauth]
</pre>
*Their fix is mode=aggressive, but it doesn't work in alpine
<s>
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd[mode=aggressive]
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
</s>
*These above logs message corresponds to the following use cases:
**attempts to login without private key
**attempts to login with wrong private key
**attempts to login with wrong passphrase aren't logged
*https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436 solution doesn't work out of the box, so the custom setup for alpine is:
{{cmd | vi /etc/fail2ban/jail.d/alpine-ssh.conf }}
<pre>
[sshd]
enabled = true
filter = alpine-sshd
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
{{cmd | vi /etc/fail2ban/filter.d/alpine-sshd-key.conf }}
<pre>
# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
</pre>

===How to test new filters===
{{cmd | fail2ban-regex /var/log/messages alpine-sshd-key.conf}}
===Unban ip===
{{cmd | fail2ban-client set sshd unbanip BannedIP}}
or
<pre>
fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd
</pre>
===Different ssh port number===
You can change the port value to any positive integer in
via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
</pre>

Fail2ban

2018-10-10T03:27:10Z

EuroDomenii: Alpine new sshd key filter

== Install ==
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]])
{{cmd |apk add fail2ban}}
Enable the fail2ban service so that it starts at boot:
{{cmd |rc-update add fail2ban}}
Start the fail2ban service immediately and create configuration files:
{{cmd |/etc/init.d/fail2ban start}}
List services to verify fail2ban is enabled:
{{cmd | rc-status}}
== Configuration ==
*Configuration files are located at /etc/fail2ban
==SSH Daemon==
*The default jail "ssh" was added in 2015 ( see https://bugs.alpinelinux.org/issues/966 and [https://git.alpinelinux.org/cgit/aports/commit/?id=d0457a4cbde06be9e6fdf2203fd53b1b05225b98 commit])
===Alpine new sshd key filter===
*Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf
*But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work
*There are opinions against the utility of fail2ban: <s>''Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)'' </s>
**but it seems to be useful : ''I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs [https://news.ycombinator.com/item?id=8049916 via]''
*We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version
<pre>
Connection reset by 153.99.182.39 port 48966 [preauth]
Received disconnect from 153.99.182.39 port 21183:11: [preauth]
Disconnected from 153.99.182.39 port 21183 [preauth]
</pre>
*Their fix is mode=aggressive, but it doesn't work in alpine
<s>
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd[mode=aggressive]
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
</s>
*These above logs message corresponds to the following use cases:
**attempts to login without private key
**attempts to login with wrong private key
**attempts to login with wrong passphrase aren't logged
*https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436 solution doesn't work out of the box, so the custom setup for alpine is:
{{cmd | cat /etc/fail2ban/jail.d/alpine-ssh.conf }}
<pre>
[sshd]
enabled = true
filter = alpine-sshd
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = ssh
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = ssh
logpath = /var/log/messages
maxretry = 2
</pre>
{{cmd | cat /etc/fail2ban/filter.d/alpine-sshd-key.conf }}
<pre>
# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
</pre>

===How to test new filters===
{{cmd | fail2ban-regex /var/log/messages alpine-sshd-key.conf}}
===Unban ip===
{{cmd | fail2ban-client set sshd unbanip BannedIP}}
or
<pre>
fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd
</pre>
===Different ssh port number===
You can change the port value to any positive integer in
via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number
<pre>
cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2

[sshd-key]
enabled = true
filter = alpine-sshd-key
port = YourSSHPortNumber
logpath = /var/log/messages
maxretry = 2
</pre>

Fail2ban

2018-10-09T23:44:36Z

EuroDomenii:

== Install ==
*{{cmd |apk add fail2ban}}
** This will install iptables package also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]]

Fail2ban

2018-10-09T23:39:04Z

EuroDomenii: Created page with "== Install == *apk add fail2ban ** This will install iptables package also Configure_Networking#Firewalling_with_iptables_and_ip6tables"

== Install ==
*apk add fail2ban
** This will install iptables package also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]]