Update page '7. Jails'

Asif Bacchus 2019-05-21 06:19:50 -06:00
parent 856cbf6e1c
commit 8efe345542

63
7.-Jails.md Normal file

@ -0,0 +1,63 @@
# Jails
F2B uses '*jail configurations*' specified either in *jail.conf*, *jail.local* or in */jail.d/\*.conf*. The latter is my preference since it allows for each jail to be contained in it's own configuration file which makes debugging and maintaining them much easier. These are two that are configured in this repo. The recidivist jail has it's [own page](insert link here).
## sshd (jail.d/ssh.conf)
I usually just define a basic jail for *sshd* which is the default SSH server on Debian/Ubuntu. You can add additional SSH jails as you wish to this file, but I keep it pretty simple. One note, I run my SSH server on a non-standard port (default is port 22), so be sure you fill in the correct port for your environment such as my example below of port 222:
```ini
[sshd]
port = 222
...
```
If you are running on the standard port 22, then you can actually omit this line entirely since it's already defined in the default configuration. Also note that if you have customized your SSHd configuration to use non-standard logging, you'll want to specify a logfile location in the jail also, like this:
```ini
[sshd]
...
logpath = /path/to/your/log.file
...
```
## UFW port probing
This is probably the part you are really looking for in this entire set-up. We will create a custom jail that monitors UFW's logs for any mention of *[UFW BLOCK]* and then proceeds to ban those systems attempting to connect to blocked ports as per your timeframe settings. I've commented the ufw-probe file but I'll run though it here also for convenience.
### Name of the jail
You can call this anything that has meaning to you, I've chosen '*ufw-probe*'. Just change what it says in the [square brackets]
```ini
[ufw-probe]
...
```
### Ports and IPs
Since this is searching for port probing, we will tell F2B to look for attempts made to connect to any and all ports. **The '*ignoreip*' parameter is only necessary IF it's different from what you've already set in '*jail.local*'.**
```ini
port = all
ignoreip = 127.0.0.1/8 ::1
```
### Timeframes
This section is also optional and is only needed if it's different from what you have in your '*jail.local*'. I like keeping it in this configuration file though since the settings for this jail are often different (i.e. more aggressive) from others.
```ini
maxretry = 5
findtime = 300
```
### Jail-specific settings
In order for this jail to function, you need to give F2B a little information. First, we need to specify what log file it should be parsing. In this case, it's the UFW log file which is, by default, located at */var/log/ufw.log*. If you've changed this, then update the '*logpath*' parameter. We also need to tell it what filter to use when parsing the file, in this case, it's a filter I've called 'ufw-probe' (change this if you change the filename) which is located at *filter.d/ufw-probe.conf* [(details here)](link here). Note that only the filename is required since F2B will always look for the file in the *filter.d* directory. Finally, we tell F2B to enable this jail.
```ini
logpath = /var/log/ufw.log
filter = ufw-probe
enabled = true
```
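Review bot: Two link placeholders in this hunk are still unresolved and should be replaced with real wiki links before the page is published: the recidivist jail reference in the intro reads `[own page](insert link here)`, and the filter reference under "Jail-specific settings" reads `[(details here)](link here)`. In the "Ports and IPs" section, `port = all` is shown without saying which ban action the jail uses; the default multiport-style iptables action substitutes the port value directly into the firewall rule, so either confirm that the action in use accepts `all` or set an all-ports action explicitly in this jail (e.g. `banaction = iptables-allports`) and mention that in the text, otherwise readers copying the snippet into a stock jail.local may get a jail that fails to start. Minor wording: "it's own" should be "its own" (twice in the intro), "run though" should be "run through" in the UFW section, and "These are two that are configured in this repo" reads better as "Two jails are configured in this repo".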