You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

236 lines
5.3 KiB

2 years ago
---
title: Fail2ban
11 months ago
tags: [tutorial, fail2ban, systemd, gitea, gotify, roundcube, filter, ban]
updated: 2021-09-13 14:07:00
2 years ago
description: Customization of Fail2ban filter, rules and settings
---
## Table of contents
<!--TOC-->
- [Table of contents](#table-of-contents)
- [Introduction](#introduction)
2 years ago
- [Settings](#settings)
- [Logrotate](#logrotate)
2 years ago
- [Fail2ban](#fail2ban)
1 year ago
- [Global options](#global-options)
- [Systemd service](#systemd-service)
2 years ago
- [Jenkins](#jenkins)
2 years ago
- [Filters](#filters)
- [Gitea](#gitea)
- [Gotify](#gotify)
- [Roundcube](#roundcube)
2 years ago
- [Jenkins](#jenkins-1)
2 years ago
- [Jails](#jails)
- [Gitea](#gitea-1)
- [Gotify](#gotify-1)
- [Roundcube](#roundcube-1)
2 years ago
- [Jenkins](#jenkins-2)
2 years ago
<!--TOC-->
## Introduction
This is a list of custom filters, rules and settings I use for Fail2ban.
2 years ago
## Settings
### Logrotate
Install [logrotate](https://github.com/logrotate/logrotate) then run
```
# systemctl start logrotate.timer
# systemctl enable logrotate.timer
```
Add a new file:
- `/etc/logrotate.d/jenkins`
```
/var/log/jenkins/*.log {
weekly
copytruncate
missingok
rotate 10
compress
delaycompress
notifempty
}
```
2 years ago
### Fail2ban
2 years ago
#### Global options
2 years ago
- `/etc/fail2ban/jail.local`
```
ignoreip = 127.0.0.1/8 ::1 # add your local network here to avoid being locked out
mta = sendmail # you must have postfix working
sender = # add the sender email
destemail = # add the destination email
maxretry = 3
bantime = 15d
2 years ago
findtime = 3600s
2 years ago
banaction = iptables-allports
action = %(action_mwl)s
```
2 years ago
- `/etc/fail2ban/action.d/abuseipdb.conf`
```
actionban =
```
Replace the default action with an empty one
#### Systemd service
2 years ago
Follow the instructions reported [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening)
- `# systemctl edit fai2ban`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
## NoNewPrivileges=yes # I had problems sending emails with this option enabled.
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
[Unit]
OnFailure=notify-unit-status@%n.service # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
After=postfix.service
Requires=postfix.service
```
- `/etc/fail2ban/fail2ban.local`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
```
2 years ago
### Jenkins
- `/etc/conf.d/jenkins`
```
# Enable access log.
JENKINS_ACCESSLOG="--accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log"
# Keep the rest.
# Add JENKINS_ACCESSLOG to the command line arguments.
JENKINS_COMMAND_LINE="$JAVA $JAVA_ARGS $JAVA_OPTS -jar $JENKINS_WAR $JENKINS_WEBROOT $JENKINS_PORT $JENKINS_AJPPORT $JENKINS_OPTS $JENKINS_ACCESSLOG"
```
See also [https://wiki.jenkins.io/display/JENKINS/Access+Logging](https://wiki.jenkins.io/display/JENKINS/Access+Logging)
2 years ago
## Filters
### Gitea
- `/etc/fail2ban/filter.d/gitea.conf`
See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/filter.d/gotify.conf`
```
[Definition]
failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"
ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
```
### Roundcube
- `/etc/fail2ban/filter.d/roundcube-auth.conf`
See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf)
2 years ago
### Jenkins
- `/etc/fail2ban/filter.d/jenkins.conf`
```
[Definition]
failregex = <HOST>.*?GET /loginError HTTP/1.1" 401.*?
ignoreregex =
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
```
2 years ago
## Jails
### Gitea
- `/etc/fail2ban/jail.local`
```
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/log/gitea/gitea.log
```
See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/jail.local`
```
[gotify]
enabled = true
port = http,https
filter = gotify
logpath = /var/log/gotify/server.log
```
### Roundcube
- `/etc/fail2ban/jail.local`
```
[roundcube]
enabled = true
port = http,https
filter = roundcube-auth
logpath = /var/log/roundcubemail/errors.log
```
2 years ago
### Jenkins
- `/etc/fail2ban/jail.local`
```
[jenkins]
enabled = true
port = http,https
filter = jenkins
logpath = /var/log/jenkins/access.log
```