07. Jails
Asif Bacchus edited this page 2022-02-01 23:53:52 -07:00

Jails

F2B uses 'jail configurations' specified either in jail.conf, jail.local or in jail.d/*.conf. The latter is my preference since it allows each jail to be contained in its own configuration file, which makes debugging and maintaining them much easier. There are two that are configured in this repo. The recidivist jail has its own page.

sshd (jail.d/ssh.conf)

I usually just define a basic jail for sshd, which is the default SSH server on Debian/Ubuntu. You can add additional SSH jails to this file as you wish, but I keep it pretty simple. One note: I run my SSH server on a non-standard port (the default is port 22), so be sure you fill in the correct port for your environment, as in my example below of port 222:

[sshd]
port    = 222
...

If you are running on the standard port 22, then you can omit this line entirely since it's already defined in the default configuration. Also note that if you have customized your sshd configuration to use non-standard logging, you'll want to specify the log file location in the jail as well, like this:

[sshd]
...
logpath     = /path/to/your/log.file
...

UFW port probing (jail.d/ufw-probe.conf)

This is probably the part you are really looking for in this entire set-up. We will create a custom jail that monitors UFW's logs for any mention of [UFW BLOCK] and then bans the systems attempting to connect to blocked ports, according to your timeframe settings. I've commented the ufw-probe file, but I'll run through it here also for convenience.

Name of the jail

You can call this anything that has meaning to you; I've chosen 'ufw-probe'. Just change what it says in the [square brackets].

[ufw-probe]
...

Ports and IPs

Since this jail is looking for port probing, we tell F2B to watch for attempts to connect to any and all ports. The 'ignoreip' parameter is only necessary IF it's different from what you've already set in 'jail.local'.

port        = 0:65535
ignoreip    = 127.0.0.1/8 ::1

Timeframes

This section is also optional and is only needed if it's different from what you have in your 'jail.local'. I like keeping it in this configuration file though since the settings for this jail are often different (i.e. more aggressive) from others.

maxretry    = 5
findtime    = 300
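To make the maxretry/findtime interaction concrete, here is an added Python example of mine (not code from this repo) that replays constructed UFW log lines through the same sliding-window rule F2B applies: a source is banned once it has maxretry matching lines within findtime seconds, and anything covered by ignoreip is never counted. The [UFW BLOCK] regex here is an assumption made for the example, not the repo's filter.d/ufw-probe.conf, and the log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matching rule for this example only (an assumption, not the repo's filter):
# a kernel line tagged [UFW BLOCK] that carries a SRC= address.
UFW_BLOCK_RE = re.compile(r"\[UFW BLOCK\].*?\bSRC=(?P<src>[0-9a-fA-F.:]+)")

# Constructed sample lines in syslog layout; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb  1 10:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=23
Feb  1 10:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=2323
Feb  1 10:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=3389
Feb  1 10:00:05 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=445
Feb  1 10:00:07 host kernel: [UFW BLOCK] IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=60000 DPT=9000
Feb  1 10:00:09 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=8080
Feb  1 10:00:10 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=443
Feb  1 10:00:11 host kernel: [UFW BLOCK] IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=60001 DPT=9001
Feb  1 10:00:12 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=22
Feb  1 10:00:20 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=5900
Feb  1 10:00:30 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=21
Feb  1 10:07:00 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=25
Feb  1 10:07:30 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50004 DPT=110
"""


def parse_ignoreip(spec):
    """Turn an F2B ignoreip value such as '127.0.0.1/8 ::1' into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_ignored(src, networks):
    """True when src falls inside any ignoreip network (version mismatch never matches)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def find_bans(log_text, maxretry=5, findtime=300, ignoreip="127.0.0.1/8 ::1"):
    """Return {src: ban_time} for sources that reach maxretry hits within findtime seconds."""
    networks = parse_ignoreip(ignoreip)
    hits = defaultdict(deque)  # src -> timestamps of matches still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = UFW_BLOCK_RE.search(line)
        if not m:
            continue  # not a block line (e.g. [UFW ALLOW]); the filter would not match it
        src = m.group("src")
        try:
            if src in bans or is_ignored(src, networks):
                continue  # already banned, or whitelisted by ignoreip
        except ValueError:
            continue  # regex caught something that is not an IP address
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
        window = hits[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= maxretry:
            bans[src] = ts  # maxretry hits inside findtime: this is the ban moment
    return bans


if __name__ == "__main__":
    for src, ts in find_bans(SAMPLE_LOG).items():
        print(f"ban {src} at {ts:%H:%M:%S}")
```

With the page's maxretry = 5 and findtime = 300, only 203.0.113.7 is banned (its fifth block lands at 10:00:12); 198.51.100.20 also has five hits, but they are spread over more than 300 seconds, so the window never fills, and the loopback hits are skipped by ignoreip. Lowering maxretry to 2 shows how much more aggressive the jail becomes.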

Jail-specific settings

In order for this jail to function, you need to give F2B a little more information. First, we need to specify which log file it should parse. In this case, it's the UFW log file which, by default, is located at /var/log/ufw.log. If you've changed this, update the 'logpath' parameter. We also need to tell it which filter to use when parsing the file; in this case, it's a filter I've called 'ufw-probe' (change this if you change the filename), which is located at filter.d/ufw-probe.conf (details here). Note that only the filename (without the .conf extension) is required since F2B will always look for the file in the filter.d directory. Finally, we tell F2B to enable this jail.

logpath     = /var/log/ufw.log
filter      = ufw-probe
enabled     = true
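Because several of the values above (ignoreip, maxretry, findtime) are optional overrides of what jail.local already sets, it helps to see the merged result. The Python below is an added example of mine, not part of this repo, that layers a constructed jail.local and constructed jail.d files the way F2B does (later files win, [DEFAULT] is inherited by every jail, jail.d files read in sorted filename order) and then runs the sanity checks this page implies: a valid port spec, integer maxretry/findtime, parseable ignoreip entries, an absolute logpath, and a filter given as a bare filter.d name. It leaves out the stock jail.conf, so the sshd jail's port and logpath come only from the constructed ssh.conf, and the set of available filter names is constructed too.

```python
import configparser
import ipaddress

# Constructed stand-in for /etc/fail2ban/jail.local (not the repo's file).
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 600
findtime = 600
maxretry = 3

[sshd]
enabled = true
"""

# Constructed stand-ins for jail.d/*.conf, keyed by filename.
JAIL_D = {
    "ssh.conf": """\
[sshd]
port    = 222
logpath = /var/log/auth.log
""",
    "ufw-probe.conf": """\
[ufw-probe]
port        = 0:65535
ignoreip    = 127.0.0.1/8 ::1
maxretry    = 5
findtime    = 300
logpath     = /var/log/ufw.log
filter      = ufw-probe
enabled     = true
""",
}

# Constructed set of filter.d/*.conf basenames assumed present on the host.
AVAILABLE_FILTERS = {"sshd", "ufw-probe"}


def effective_jails(jail_local, jail_d_files):
    """Merge jail.local, then jail.d/*.conf in sorted order (later wins), into per-jail dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local)
    for fname in sorted(jail_d_files):
        cp.read_string(jail_d_files[fname])
    # cp.items(section) folds the [DEFAULT] values into every jail, as F2B does
    return {jail: dict(cp.items(jail)) for jail in cp.sections()}


def port_ok(spec):
    """Accept a service name, a single port, or a low:high range such as 0:65535."""
    if spec.isalpha():
        return True
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(0 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]


def check_jail(name, cfg, available_filters):
    """Return a list of problems; an empty list means the jail looks sane."""
    problems = []
    if cfg.get("enabled", "false").lower() != "true":
        problems.append("jail is not enabled")
    if not port_ok(cfg.get("port", "")):
        problems.append(f"bad port spec {cfg.get('port')!r}")
    for key in ("maxretry", "findtime"):
        val = cfg.get(key)
        if val is not None and not val.isdigit():
            problems.append(f"{key} must be an integer, got {val!r}")
    for tok in cfg.get("ignoreip", "").split():
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            problems.append(f"ignoreip entry {tok!r} is not an address or network")
    # F2B resolves 'filter' to filter.d/<name>.conf and defaults it to the jail name
    filt = cfg.get("filter", name)
    if "/" in filt or filt.endswith(".conf"):
        problems.append(f"filter {filt!r} must be a bare name, not a path")
    elif filt not in available_filters:
        problems.append(f"no filter.d/{filt}.conf available")
    logpath = cfg.get("logpath", "")
    if not logpath.startswith("/"):
        problems.append(f"logpath {logpath!r} must be an absolute path")
    return problems


if __name__ == "__main__":
    for jail, cfg in effective_jails(JAIL_LOCAL, JAIL_D).items():
        print(jail, cfg, check_jail(jail, cfg, AVAILABLE_FILTERS) or "OK")
```

Running it shows the sshd jail picking up maxretry = 3 and findtime = 600 from [DEFAULT] while ufw-probe keeps its own 5 and 300, which is exactly why the page says those lines are only needed when they differ from jail.local.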