asif/fail2banUFW
1
0
Fork 0
Code Issues Pull Requests Releases 3 Wiki Activity

Proofread

Browse Source
This commit is contained in:
Asif Bacchus 2018-09-29 20:25:40 -06:00
parent 2493e9a174
commit dfaaffed37
1 changed files with 22 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
README.md
View File

@ -5,7 +5,7 @@
This is a basic set up for Fail2Ban on an system that is directly exposed to the This is a basic set up for Fail2Ban on an system that is directly exposed to the
internet (i.e. not behind a separate firewall). internet (i.e. not behind a separate firewall).
**This set-up assumes you are using UFW as your firewall front-end and it's **This set-up assumes you are using UFW as your firewall front-end and it is
working correctly.** working correctly.**
In addition to the standard SSHd jail, a separate jail that monitors UFW BLOCK In addition to the standard SSHd jail, a separate jail that monitors UFW BLOCK
@ -54,7 +54,7 @@ newer version from the source at github.
``` ```
- Let's go ahead and start the service to make sure it doesn't run into any - Let's go ahead and start the service to make sure it doesn't run into any
problems. You shouldn't see any errors reported and should have a pleasant problems. You should not see any errors reported and should have a pleasant
'green dot' showing up. 'green dot' showing up.
```Bash ```Bash
@ -79,13 +79,12 @@ updates.
### /etc/fail2ban/fail2ban.conf ### /etc/fail2ban/fail2ban.conf
I recommend reviewing your the following settings at a minimum for any I recommend reviewing the following settings at a minimum for any deployment:
deployment:
#### loglevel #### loglevel
This sets the verbosity of the log output from F2B. The default setting of INFO This sets the verbosity of the log output from F2B. The default setting of INFO
is appropriate for most installs but, you should specify it anyways so you have is appropriate for most installs but, you should specify it anyways so you have
any easy place to change it if you need to do so. an easy place to change it if you need to do so.
```Ini ```Ini
loglevel = INFO loglevel = INFO
@ -113,7 +112,7 @@ dbpurgeage = 604800
### /etc/fail2ban/jail.local ### /etc/fail2ban/jail.local
This file overrides the defaults applied to all jail configurations used by F2B. This file customizes the defaults applied to all jail configurations used by F2B.
This sets things like the default amount of time a system is banned, what This sets things like the default amount of time a system is banned, what
actions should be used for banning systems and whether or not you get email actions should be used for banning systems and whether or not you get email
notifications, etc. notifications, etc.
@ -122,9 +121,10 @@ notifications, etc.
This setting tells F2B which IP addresses/ranges/hostnames should **never** be This setting tells F2B which IP addresses/ranges/hostnames should **never** be
banned. In general, this should be the localhost only. However, if you connect banned. In general, this should be the localhost only. However, if you connect
by remote using a particular machine, you might want to exempt it from any by remote using a particular machine, you might also want to exempt it from any
possible bans also. You can specify more than one entry by separating them with possible bans. You can specify more than one entry by separating them with a
a space or comma. In this case, I've added the IP4 and IP6 defintions for localhost. space or comma. In this case, I've added the IP4 and IP6 defintions for
localhost.
```Ini ```Ini
ignoreip = 127.0.0.1/8 ::1 ignoreip = 127.0.0.1/8 ::1
@ -173,12 +173,12 @@ sender = thismachine@domain.tld
mta = sendmail mta = sendmail
``` ```
The '*mta*' field is very likely correct for your system, but if you are using a The '*mta*' field is very likely correct for your system but, if you are using a
different MTA, you'll want to specify that here. different MTA, you'll want to specify that here.
##### Shortcuts ##### Shortcuts
This is where you tell F2B what exactly to do when it finds a reason to ban a This is where you tell F2B exactly what to do when it finds a reason to ban a
system based on the jail configuration. Again, individual jails can override system based on the jail configuration. Again, individual jails can override
these settings. The settings are defined backwards in this file, so I'll take a these settings. The settings are defined backwards in this file, so I'll take a
second to explain. second to explain.
@ -193,7 +193,9 @@ banned.
Within '*action*' is '*banaction*' which is a link over to a specific Within '*action*' is '*banaction*' which is a link over to a specific
configuration file telling F2B what to do on the system to enforce the ban. In configuration file telling F2B what to do on the system to enforce the ban. In
this setup, we direct F2B to look at the ufw.conf file to see how to modify this setup, we direct F2B to look at the ufw.conf file to see how to modify
UFW's rules so it drops packets from the offending system. Details on that file are found later in this document. UFW's rules so it drops packets from the offending system. [Details on that
file are found later in this
document](#The-action-file-(/etc/fail2ban/action.d/ufw.conf)).
The general setup as described above is as follows: The general setup as described above is as follows:
@ -210,9 +212,9 @@ preference since it allows for each jail to be contained in it's own
configuration file which makes debugging and maintaining them much easier. configuration file which makes debugging and maintaining them much easier.
### sshd (/etc/fail2ban/jail.d/ssh.conf) ### sshd (/etc/fail2ban/jail.d/ssh.conf)
I usually just define a jail for *sshd* which is the SSH server. You can add I usually just define a basic jail for *sshd* which is the SSH server. You can
additional SSH jails as you wish to this file, but I keep it pretty simple. One add additional SSH jails as you wish to this file, but I keep it pretty simple.
note, I run my SSH server on a non-standard port, so be sure you fill in the One note, I run my SSH server on a non-standard port, so be sure you fill in the
correct port for your environment such as my example below of port 222: correct port for your environment such as my example below of port 222:
```Ini ```Ini
@ -235,7 +237,7 @@ logpath = /path/to/your/log.file
### UFW port probing ### UFW port probing
This is probably the what you are really looking for in this entire set-up. We This is probably the part you are really looking for in this entire set-up. We
will create a custom jail that monitors UFW's logs for any mention of *[UFW will create a custom jail that monitors UFW's logs for any mention of *[UFW
BLOCK]* and then proceeds to ban those systems attempting to connect to blocked BLOCK]* and then proceeds to ban those systems attempting to connect to blocked
ports as per your timeframe settings. I've commented the ufw-probe file but ports as per your timeframe settings. I've commented the ufw-probe file but
@ -281,7 +283,7 @@ it's the UFW log file which is, by default, located at */var/log/ufw.log*. If
you've changed this, then update the '*logpath*' parameter. We also need to you've changed this, then update the '*logpath*' parameter. We also need to
tell it what filter to use when parsing the file, in this case, it's a filter tell it what filter to use when parsing the file, in this case, it's a filter
I've called 'ufw-probe' (change this if you change the filename) which is I've called 'ufw-probe' (change this if you change the filename) which is
located at */etc/fail2ban/filter.d/ufw-probe.conf* [details here](#The-UFW-filter-regex-(/etc/fail2ban/filter.d/ufw-probe.conf)). Finally, we located at */etc/fail2ban/filter.d/ufw-probe.conf* [(details here)](#The-UFW-filter-regex-(/etc/fail2ban/filter.d/ufw-probe.conf)). Finally, we
tell F2B to enable this jail. tell F2B to enable this jail.
```Ini ```Ini
@ -320,7 +322,7 @@ have only changed the '*blocktype*' from it's default (reject) to *deny*.
blocktype = deny blocktype = deny
``` ```
For example, the important part of '*actionban*' works like this: The important part of '*actionban*' works like this:
```PHP ```PHP
ufw insert <insertpos> <blocktype> from <ip> to <destination> ufw insert <insertpos> <blocktype> from <ip> to <destination>
@ -337,7 +339,7 @@ application =
``` ```
So, this rule adds a new rule (*insert*) at position 1 (*insertpos*) which So, this rule adds a new rule (*insert*) at position 1 (*insertpos*) which
denies (*blocktype*) packets from the offending system's IP (*ip*) destinend for denies (*blocktype*) packets from the offending system's IP (*ip*) destined for
any address (which obviously includes this system). Importantly, each rule is any address (which obviously includes this system). Importantly, each rule is
added at *position 1* which means they have priority over any other added at *position 1* which means they have priority over any other
otherwise defined (i.e. allowed) traffic. otherwise defined (i.e. allowed) traffic.
@ -353,6 +355,6 @@ automatically for whatever timeframe you specify and then remove that block. So
you don't have to maintain IP block/allow lists manually anymore! you don't have to maintain IP block/allow lists manually anymore!
I hope this helps you in dealing with your server getting bombarded by I hope this helps you in dealing with your server getting bombarded by
irritating scanning-bots. As always, check out my block at irritating scanning-bots. As always, check out my blog at
https://mytechiethoughts.com for more solutions like this and feel free to https://mytechiethoughts.com for more solutions like this and feel free to
contribute comments, suggestions and improvements! contribute comments, suggestions and improvements!