Fail2ban: Difference between revisions

From Alpine Linux
(replace /etc/init.d with rc-service)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
{{TOC right}}
== Install ==  
== Install ==  
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]])
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]])
Line 5: Line 7:
{{cmd |rc-update add fail2ban}}
{{cmd |rc-update add fail2ban}}
Start the fail2ban service immediately and create configuration files:
Start the fail2ban service immediately and create configuration files:
{{cmd |/etc/init.d/fail2ban start}}
{{cmd |rc-service fail2ban start}}
List services to verify fail2ban is enabled:
List services to verify fail2ban is enabled:
{{cmd | rc-status}}
{{cmd | rc-status}}
Line 89: Line 91:
maxlines = 10
maxlines = 10
</pre>
</pre>
*/etc/init.d/fail2ban restart
*rc-service fail2ban restart


===How to test new filters===
===How to test new filters===
Line 156: Line 158:
bantime  = 24h
bantime  = 24h
</pre>
</pre>
[[category:Security]]

Latest revision as of 09:51, 17 November 2023

Install

This will install fail2ban package. It includes iptables package (see also Configure_Networking#Firewalling_with_iptables_and_ip6tables)

apk add fail2ban

Enable the fail2ban service so that it starts at boot:

rc-update add fail2ban

Start the fail2ban service immediately and create configuration files:

rc-service fail2ban start

List services to verify fail2ban is enabled:

rc-status

Configuration

  • Configuration files are located at /etc/fail2ban

SSH Daemon

Alpine new sshd key filter

  • Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf
  • But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work
  • There are opinions against the utility of fail2ban: Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)
    • but it seems to be useful : I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs via
  • We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version
Connection reset by 153.99.182.39 port 48966 [preauth]
Received disconnect from 153.99.182.39 port 21183:11: [preauth]
Disconnected from 153.99.182.39 port 21183 [preauth]
  • Their fix is mode=aggressive, but it doesn't work in alpine

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd[mode=aggressive]
port     = ssh
logpath  = /var/log/messages
maxretry = 2

vi /etc/fail2ban/jail.d/alpine-ssh.conf

[sshd]
enabled  = true
filter   = alpine-sshd
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = ssh
logpath  = /var/log/messages
maxretry = 2

vi /etc/fail2ban/filter.d/alpine-sshd-key.conf

# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
  • rc-service fail2ban restart

How to test new filters

fail2ban-regex /var/log/messages alpine-sshd-key.conf

Unban ip

fail2ban-client set sshd unbanip BannedIP

or

fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd

Different ssh port number

You can change the port value to any positive integer in via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

Increase bantime

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2
bantime  = 24h