Fail2ban: Difference between revisions
EuroDomenii (talk | contribs) No edit summary |
(replace /etc/init.d with rc-service) |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{TOC right}} | |||
== Install == | == Install == | ||
This will install fail2ban package. It includes iptables package (see also [[Configure_Networking#Firewalling_with_iptables_and_ip6tables]]) | |||
** | {{cmd |apk add fail2ban}} | ||
Enable the fail2ban service so that it starts at boot: | |||
{{cmd |rc-update add fail2ban}} | |||
Start the fail2ban service immediately and create configuration files: | |||
{{cmd |rc-service fail2ban start}} | |||
List services to verify fail2ban is enabled: | |||
{{cmd | rc-status}} | |||
== Configuration == | |||
*Configuration files are located at /etc/fail2ban | |||
==SSH Daemon== | |||
*The default jail "ssh" was added in 2015 ( see https://bugs.alpinelinux.org/issues/966 and [https://git.alpinelinux.org/cgit/aports/commit/?id=d0457a4cbde06be9e6fdf2203fd53b1b05225b98 commit]) | |||
===Alpine new sshd key filter=== | |||
*Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf | |||
*But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work | |||
*There are opinions against the utility of fail2ban: <s>''Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)'' </s> | |||
**but it seems to be useful : ''I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs [https://news.ycombinator.com/item?id=8049916 via]'' | |||
*We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version | |||
<pre> | |||
Connection reset by 153.99.182.39 port 48966 [preauth] | |||
Received disconnect from 153.99.182.39 port 21183:11: [preauth] | |||
Disconnected from 153.99.182.39 port 21183 [preauth] | |||
</pre> | |||
*Their fix is mode=aggressive, but it doesn't work in alpine | |||
<s> | |||
<pre> | |||
cat /etc/fail2ban/jail.d/alpine-ssh.conf | |||
[sshd] | |||
enabled = true | |||
filter = alpine-sshd[mode=aggressive] | |||
port = ssh | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
</pre> | |||
</s> | |||
*These above logs message corresponds to the following use cases: | |||
**attempts to login without private key | |||
**attempts to login with wrong private key | |||
**attempts to login with wrong passphrase aren't logged | |||
*https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436 solution doesn't work out of the box, so the custom setup for alpine is: | |||
{{cmd | vi /etc/fail2ban/jail.d/alpine-ssh.conf }} | |||
<pre> | |||
[sshd] | |||
enabled = true | |||
filter = alpine-sshd | |||
port = ssh | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
[sshd-ddos] | |||
enabled = true | |||
filter = alpine-sshd-ddos | |||
port = ssh | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
[sshd-key] | |||
enabled = true | |||
filter = alpine-sshd-key | |||
port = ssh | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
</pre> | |||
{{cmd | vi /etc/fail2ban/filter.d/alpine-sshd-key.conf }} | |||
<pre> | |||
# Fail2Ban filter for openssh for Alpine | |||
# | |||
# Filtering login attempts with PasswordAuthentication No in sshd_config. | |||
# | |||
[INCLUDES] | |||
# Read common prefixes. If any customizations available -- read them from | |||
# common.local | |||
before = common.conf | |||
[Definition] | |||
_daemon = sshd | |||
failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\] | |||
ignoreregex = | |||
[Init] | |||
# "maxlines" is number of log lines to buffer for multi-line regex searches | |||
maxlines = 10 | |||
</pre> | |||
*rc-service fail2ban restart | |||
===How to test new filters=== | |||
{{cmd | fail2ban-regex /var/log/messages alpine-sshd-key.conf}} | |||
===Unban ip=== | |||
{{cmd | fail2ban-client set sshd unbanip BannedIP}} | |||
or | |||
<pre> | |||
fail2ban-client -i | |||
Fail2Ban v0.10.1 reads log file that contains password failure report | |||
and bans the corresponding IP addresses using firewall rules. | |||
fail2ban> status sshd | |||
</pre> | |||
===Different ssh port number=== | |||
You can change the port value to any positive integer in | |||
via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number | |||
<pre> | |||
cat /etc/fail2ban/jail.d/alpine-ssh.conf | |||
[sshd] | |||
enabled = true | |||
filter = alpine-sshd | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
[sshd-ddos] | |||
enabled = true | |||
filter = alpine-sshd-ddos | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
[sshd-key] | |||
enabled = true | |||
filter = alpine-sshd-key | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
</pre> | |||
===Increase bantime=== | |||
<pre> | |||
cat /etc/fail2ban/jail.d/alpine-ssh.conf | |||
[sshd] | |||
enabled = true | |||
filter = alpine-sshd | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
bantime = 24h | |||
[sshd-ddos] | |||
enabled = true | |||
filter = alpine-sshd-ddos | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
bantime = 24h | |||
[sshd-key] | |||
enabled = true | |||
filter = alpine-sshd-key | |||
port = YourSSHPortNumber | |||
logpath = /var/log/messages | |||
maxretry = 2 | |||
bantime = 24h | |||
</pre> | |||
[[category:Security]] |
Latest revision as of 09:51, 17 November 2023
Install
This will install fail2ban package. It includes iptables package (see also Configure_Networking#Firewalling_with_iptables_and_ip6tables)
apk add fail2ban
Enable the fail2ban service so that it starts at boot:
rc-update add fail2ban
Start the fail2ban service immediately and create configuration files:
rc-service fail2ban start
List services to verify fail2ban is enabled:
rc-status
Configuration
- Configuration files are located at /etc/fail2ban
SSH Daemon
- The default jail "ssh" was added in 2015 ( see https://bugs.alpinelinux.org/issues/966 and commit)
Alpine new sshd key filter
- Out of the box, alpine comes with /etc/fail2ban/filter.d/alpine-sshd.conf, that protects from password failures and additional ddos protection /etc/fail2ban/filter.d/alpine-sshd-ddos.conf
- But, if you turn off PasswordAuthentication in /etc/ssh/sshd_config, the above filters won't work
- There are opinions against the utility of fail2ban:
Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)- but it seems to be useful : I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs via
- We can find the following type of logs, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed in 0.10 version
Connection reset by 153.99.182.39 port 48966 [preauth] Received disconnect from 153.99.182.39 port 21183:11: [preauth] Disconnected from 153.99.182.39 port 21183 [preauth]
- Their fix is mode=aggressive, but it doesn't work in alpine
cat /etc/fail2ban/jail.d/alpine-ssh.conf [sshd] enabled = true filter = alpine-sshd[mode=aggressive] port = ssh logpath = /var/log/messages maxretry = 2
- These above logs message corresponds to the following use cases:
- attempts to login without private key
- attempts to login with wrong private key
- attempts to login with wrong passphrase aren't logged
- https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436 solution doesn't work out of the box, so the custom setup for alpine is:
vi /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd] enabled = true filter = alpine-sshd port = ssh logpath = /var/log/messages maxretry = 2 [sshd-ddos] enabled = true filter = alpine-sshd-ddos port = ssh logpath = /var/log/messages maxretry = 2 [sshd-key] enabled = true filter = alpine-sshd-key port = ssh logpath = /var/log/messages maxretry = 2
vi /etc/fail2ban/filter.d/alpine-sshd-key.conf
# Fail2Ban filter for openssh for Alpine # # Filtering login attempts with PasswordAuthentication No in sshd_config. # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\] ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 10
- rc-service fail2ban restart
How to test new filters
fail2ban-regex /var/log/messages alpine-sshd-key.conf
Unban ip
fail2ban-client set sshd unbanip BannedIP
or
fail2ban-client -i Fail2Ban v0.10.1 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. fail2ban> status sshd
Different ssh port number
You can change the port value to any positive integer in via https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number
cat /etc/fail2ban/jail.d/alpine-ssh.conf [sshd] enabled = true filter = alpine-sshd port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2 [sshd-ddos] enabled = true filter = alpine-sshd-ddos port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2 [sshd-key] enabled = true filter = alpine-sshd-key port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2
Increase bantime
cat /etc/fail2ban/jail.d/alpine-ssh.conf [sshd] enabled = true filter = alpine-sshd port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2 bantime = 24h [sshd-ddos] enabled = true filter = alpine-sshd-ddos port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2 bantime = 24h [sshd-key] enabled = true filter = alpine-sshd-key port = YourSSHPortNumber logpath = /var/log/messages maxretry = 2 bantime = 24h