Fail2ban

From Alpine Linux

Install

This installs the fail2ban package, which pulls in the iptables package as a dependency (see also Configure_Networking#Firewalling_with_iptables_and_ip6tables); fail2ban bans addresses by inserting iptables rules, so the firewall must be usable on the host.

apk add fail2ban

Enable the fail2ban service so that it starts at boot:

rc-update add fail2ban

Start the fail2ban service immediately; the first start also creates its configuration files:

/etc/init.d/fail2ban start

List the services in the current runlevel to verify that fail2ban is enabled and running:

rc-status

Configuration

  • Configuration files are located at /etc/fail2ban. Put local jail definitions in /etc/fail2ban/jail.d/ rather than editing jail.conf, so that package upgrades do not overwrite them.

SSH Daemon

Adding an sshd key filter on Alpine

  • Out of the box, Alpine ships /etc/fail2ban/filter.d/alpine-sshd.conf, which matches password failures, and /etc/fail2ban/filter.d/alpine-sshd-ddos.conf for additional DDoS protection.
  • If you set PasswordAuthentication no in /etc/ssh/sshd_config, those filters no longer match anything, because sshd no longer logs password failures.
  • There are opinions against the utility of fail2ban: "Fail2ban is fundamentally a wrong answer to the problem. If you're taking the time to install such things, you should instead either be turning off password authentication (relying only on keys)"
    • but it seems to be useful: "I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs via"
  • On a key-only host you will instead see log lines like the following, reported at https://github.com/fail2ban/fail2ban/issues/1719 and addressed upstream in fail2ban 0.10:
    Connection reset by 153.99.182.39 port 48966 [preauth]
    Received disconnect from 153.99.182.39 port 21183:11: [preauth]
    Disconnected from 153.99.182.39 port 21183 [preauth]
  • The upstream fix is the sshd filter's mode=aggressive option, but that option does not work with Alpine's alpine-sshd filter; the following jail definition does not match these lines:

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd[mode=aggressive]
port     = ssh
logpath  = /var/log/messages
maxretry = 2

Instead, define three jails in the jail file: the two stock filters plus a new alpine-sshd-key filter for key-only hosts:

vi /etc/fail2ban/jail.d/alpine-ssh.conf

[sshd]
enabled  = true
filter   = alpine-sshd
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = ssh
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = ssh
logpath  = /var/log/messages
maxretry = 2

Then create the new filter:

vi /etc/fail2ban/filter.d/alpine-sshd-key.conf

# Fail2Ban filter for openssh for Alpine
#
# Filtering login attempts with PasswordAuthentication No in sshd_config.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

# Matches only lines that name the authenticating user, e.g.
#   Disconnected from authenticating user root 203.0.113.10 port 40001 [preauth]
# The bare "Connection reset by <ip> ... [preauth]" and "Disconnected from <ip> ... [preauth]"
# lines quoted above (no "authenticating user") are not matched by this pattern.
failregex = (Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

Restart fail2ban so the new jail and filter are loaded:

/etc/init.d/fail2ban restart

How to test new filters

Run the filter against the live log with fail2ban-regex; it reports how many lines matched, and --print-all-matched lists them so you can confirm that only attacker traffic, not your own logins, would be banned:

fail2ban-regex /var/log/messages alpine-sshd-key.conf
fail2ban-regex --print-all-matched /var/log/messages /etc/fail2ban/filter.d/alpine-sshd-key.conf
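
The check fail2ban-regex performs can also be reproduced offline, which is useful when writing a filter before deploying it. The following Python script is an added example, not part of the Alpine page or of fail2ban itself: it expands the <HOST> tag into a named group the way fail2ban does (using a simplified IPv4/hostname form, an assumption for this example), runs the page's alpine-sshd-key failregex over a constructed /var/log/messages sample, and counts per-host failures against the maxretry = 2 used by the jails above. It also shows an assumed wider pattern (PREAUTH_ANY_FAILREGEX, not from the page) that additionally matches the three "[preauth]" line shapes from the upstream issue, so the difference between the two is visible on the same input.

```python
import re

# fail2ban expands the <HOST> tag into a named capture group before compiling a
# failregex. This is a simplified IPv4/hostname form (an assumption for this
# example; fail2ban's real <HOST> also accepts IPv6 and bracketed addresses).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from /etc/fail2ban/filter.d/alpine-sshd-key.conf above.
ALPINE_SSHD_KEY_FAILREGEX = (
    r"(Connection closed by|Disconnected from) authenticating user .* <HOST> port \d* \[preauth\]"
)

# Assumed extension (not on the page): also counts the three "[preauth]" line
# shapes from the upstream issue, which carry no "authenticating user" text.
PREAUTH_ANY_FAILREGEX = (
    r"(Connection (closed|reset) by|Disconnected from|Received disconnect from)"
    r"( authenticating user \S+| invalid user \S+)? <HOST> port \d+(:\d+:.*)? \[preauth\]"
)

# Constructed sample of /var/log/messages in busybox syslog format; addresses are
# from the documentation ranges and do not belong to any real attacker.
SAMPLE_LOG = [
    "Jan  1 10:00:01 alpine sshd[1001]: Disconnected from authenticating user root 203.0.113.10 port 40001 [preauth]",
    "Jan  1 10:00:03 alpine sshd[1002]: Connection closed by authenticating user root 203.0.113.10 port 40002 [preauth]",
    "Jan  1 10:00:05 alpine sshd[1003]: Connection reset by 198.51.100.7 port 48966 [preauth]",
    "Jan  1 10:00:07 alpine sshd[1004]: Received disconnect from 198.51.100.7 port 21183:11: Bye Bye [preauth]",
    "Jan  1 10:00:09 alpine sshd[1005]: Disconnected from 198.51.100.7 port 21183 [preauth]",
    "Jan  1 10:00:11 alpine sshd[1006]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:abc",
    "Jan  1 10:00:13 alpine sshd[1006]: Disconnected from user admin 192.0.2.5 port 50000",
]


def compile_failregex(failregex):
    """Expand <HOST> like fail2ban does and compile. The page's pattern has no
    ^%(__prefix_line)s anchor, so an unanchored search over the whole line is
    the closest approximation of what fail2ban-regex does with it."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(lines, failregex):
    """Return (line, host) for every line the failregex counts as a failure."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((line, m.group("host")))
    return hits


def ban_candidates(lines, failregex, maxretry=2):
    """Hosts with at least maxretry failures (the jails above use maxretry = 2).
    Real fail2ban also applies findtime; this ignores it for a short sample."""
    counts = {}
    for _, host in matched_hosts(lines, failregex):
        counts[host] = counts.get(host, 0) + 1
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, regex in [("alpine-sshd-key", ALPINE_SSHD_KEY_FAILREGEX),
                        ("preauth-any (assumed)", PREAUTH_ANY_FAILREGEX)]:
        hits = matched_hosts(SAMPLE_LOG, regex)
        print(f"{name}: {len(hits)} matched line(s), "
              f"would ban {sorted(ban_candidates(SAMPLE_LOG, regex))}")
```

On this sample the page's pattern matches only the two lines that name the authenticating user and bans 203.0.113.10; the assumed wider pattern also counts the three bare "[preauth]" lines and bans 198.51.100.7 as well. The wider pattern is the more aggressive trade-off: with maxretry = 2 it also bans a legitimate client whose pre-auth connection was dropped twice (a flaky link, a misconfigured agent), so either raise maxretry for it or keep the narrower pattern from the page if that matters on your host. The successful publickey login and its normal disconnect are matched by neither.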

Unban ip

Replace sshd with the name of the jail that banned the address (sshd, sshd-ddos or sshd-key):

fail2ban-client set sshd unbanip BannedIP

or use the interactive client, which prints its banner and then accepts the same commands at the prompt:

fail2ban-client -i
Fail2Ban v0.10.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status sshd
fail2ban> set sshd unbanip BannedIP

Different ssh port number

If sshd listens on a non-default port, set port to that port number (1-65535) in every jail; otherwise port = ssh resolves to 22 and the ban rules do not cover the real service (see https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number):

cat /etc/fail2ban/jail.d/alpine-ssh.conf
[sshd]
enabled  = true
filter   = alpine-sshd
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-ddos]
enabled  = true
filter   = alpine-sshd-ddos
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2

[sshd-key]
enabled  = true
filter   = alpine-sshd-key
port     = YourSSHPortNumber
logpath  = /var/log/messages
maxretry = 2