You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
blog/_posts/2020-10-07-fail2ban.md

157 lines
3.7 KiB

2 years ago
---
title: Fail2ban
tags: [fail2ban, systemd, gitea, gotify, roundcube, filter, ban]
updated: 2020-10-07 12:09
description: Customization of Fail2ban filter, rules and settings
---
## Table of contents
<!--TOC-->
- [Table of contents](#table-of-contents)
- [Introduction](#introduction)
- [Global options](#global-options)
- [Fail2ban](#fail2ban)
- [Systemd service](#systemd-service)
- [Filters](#filters)
- [Gitea](#gitea)
- [Gotify](#gotify)
- [Roundcube](#roundcube)
- [Jails](#jails)
- [Gitea](#gitea-1)
- [Gotify](#gotify-1)
- [Roundcube](#roundcube-1)
<!--TOC-->
## Introduction
This is a list of custom filters, rules and settings I use for Fail2ban.
## Global options
### Fail2ban
- `/etc/fail2ban/jail.local`
```
ignoreip = 127.0.0.1/8 ::1 # add your local network here to avoid being locked out
mta = sendmail # you must have postfix working
sender = # add the sender email
destemail = # add the destination email
maxretry = 3
bantime = 15d
findtime = 60s
banaction = iptables-allports
action = %(action_mwl)s
```
### Systemd service
Follow the instructions reported [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening)
- `# systemctl edit fai2ban`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
## NoNewPrivileges=yes # I had problems sending emails with this option enabled.
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
[Unit]
OnFailure=notify-unit-status@%n.service # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
After=postfix.service
Requires=postfix.service
```
- `/etc/fail2ban/fail2ban.local`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
```
## Filters
### Gitea
- `/etc/fail2ban/filter.d/gitea.conf`
See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/filter.d/gotify.conf`
```
[Definition]
failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"
ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
```
### Roundcube
- `/etc/fail2ban/filter.d/roundcube-auth.conf`
See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf)
## Jails
### Gitea
- `/etc/fail2ban/jail.local`
```
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/log/gitea/gitea.log
```
See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/jail.local`
```
[gotify]
enabled = true
port = http,https
filter = gotify
logpath = /var/log/gotify/server.log
```
### Roundcube
- `/etc/fail2ban/jail.local`
```
[roundcube]
enabled = true
port = http,https
filter = roundcube-auth
logpath = /var/log/roundcubemail/errors.log
```