Articles I've written for customers on IT issues.
\documentclass[11pt]{article}
%Gummi|065|=)
\title{\textbf{Fail2ban Primer}}
\author{Steak Electronics}
\date{05/12/19}
\begin{document}
\maketitle
\section{Overview}
Fail2Ban is a program, a spiritual successor to denyhosts\footnote{denyhosts was used for ssh, but was eventually abandoned. It was quite a bit simpler to configure than fail2ban, and this was its strength, but it is also more limited, and now has vulnerabilities.}, which is used to block IP addresses that try to break into your internet-facing server.
Here are some of the traps and configurations I've needed to set up fail2ban correctly. It's not a complex program, but unless you sit down and understand it, you might get caught.
\section{Instructions for Setup}
Quick setup for Devuan / Debian 9:
First, install fail2ban using apt-get (apt-get install fail2ban).
Fail2ban is a service that will appear in /etc/init.d/ in Devuan,
so it can be managed with service fail2ban \{start,stop,restart\}.
Second, navigate to /etc/fail2ban/jail.d/ and
add the following to a sshd.conf file (or name it anything you like):
\begin{verbatim}
# this is used in devuan. no other changes are made to other files, except
# that the default sshd jail is disabled in jail.conf if it is enabled
[sshd]
ignoreip = 127.0.0.1/8
#banaction = iptables
action = iptables-multiport[port="ssh,http,https,22222",blocktype=DROP]
maxretry = 6
enabled = true
filter = sshd
logpath = /var/log/auth.log
bantime = 360000
findtime = 3600
# note that here, the action and its ports are set on INPUT,
# so it is a rule to block INPUT on ssh, http, https, and 22222.
# make sure the ports are right.
# you could also use the single-port iptables action; you just need to specify the right port.
# the blocktype=DROP here is passed to action.d/iptables-multiport.conf, and changes blocktype to DROP.
\end{verbatim}
Now, a few notes on this file.
\vspace{0.2in}
First, action can be iptables, but we are using iptables-multiport, as we want to block multiple ports.
\vspace{0.2in}
Second, logpath should point to your ssh log. In Devuan ascii / Debian stretch (9) it should be /var/log/auth.log. Other distributions may vary.
\vspace{0.2in}
Third, be careful of different ssh ports. I routinely change ssh to a non-standard port, which, although it's somewhat pointless, still seems to block random ssh port scans for port 22. If you use a different port, you must specify it in iptables-multiport above. A potential trap is to use a non-standard port, then wonder why fail2ban blocks port 22 while your ssh is on port 123 or something.
\vspace{0.2in}
Fourth, the default action in iptables-multiport is to REJECT packets. However, I have changed it to DROP (blocktype=DROP). For those not familiar with the difference between REJECT and DROP, from my understanding, it boils down to this: REJECT will tell the outside host that the port is unreachable, while DROP simply discards the packets, leaving the other host to figure it out on its own.
As I consider the offending IP addresses to be attackers, I have set it to DROP. If they try to break into the server, then block all ports from them, and don't tell them anything. With DROP the timeout is more work on their end. With REJECT, my server actually responds to them.
On the fail2ban issue tracker there is some discussion about this, and it is not really definitive. It ends up being that REJECT is the default, and if you want you can change it to DROP, as I have.
\vspace{0.2in}
Fifth, review jail.conf and fail2ban.conf. Usually nothing needs to be changed, but occasionally jail.conf will enable the default sshd jail (which you can disable, and use the new one instead).
\subsection{Configuration in Gentoo}
This guide will only cover those working with syslog-ng in Gentoo. You can add a config to syslog-ng to get auth.log to appear in Gentoo.\footnote{Reference: https://wiki.gentoo.org/wiki/Security\_Handbook/Logging\#Syslog-ng} Notice in the config below that a destination has been defined for authlog. You need not copy all of the syslog-ng config below, only what you need.
\begin{verbatim}
# /etc/syslog-ng/syslog-ng.conf
@version: 3.17 #mandatory since Version 3, specify the version number of the used syslog-ng
options {
    chain_hostnames(no);
    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
};
source kernsrc { file("/proc/kmsg"); };

# define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

# create filters
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
    and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { message("failed"); };
filter f_denied { message("denied"); };

# connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

# default log
log { source(src); destination(console_all); };
\end{verbatim}
\section{Future Advancements}
What is next for fail2ban after the above? You will want to watch apache logs, and ban any hosts that search your server for things they should not be looking for (wordpress logins, phpmyadmin, etc.). You can simply add them to a 6--12 month blacklist if they search for anything they shouldn't be searching for.
\section{Further Reading}
https://www.jwz.org/blog/2019/03/apache-2-4-1-killed-fail2ban-so-thats-awesome/
\end{document}