---
title: Fail2ban
tags: [tutorial, fail2ban, systemd, gitea, gotify, roundcube, filter, ban]
updated: 2021-09-13 14:07:00
description: Customization of Fail2ban filter, rules and settings
---
## Table of contents
<!--TOC-->
- [Table of contents](#table-of-contents)
- [Introduction](#introduction)
- [Settings](#settings)
  - [Logrotate](#logrotate)
  - [Fail2ban](#fail2ban)
    - [Global options](#global-options)
    - [Systemd service](#systemd-service)
  - [Jenkins](#jenkins)
- [Filters](#filters)
  - [Gitea](#gitea)
  - [Gotify](#gotify)
  - [Roundcube](#roundcube)
  - [Jenkins](#jenkins-1)
- [Jails](#jails)
  - [Gitea](#gitea-1)
  - [Gotify](#gotify-1)
  - [Roundcube](#roundcube-1)
  - [Jenkins](#jenkins-2)
<!--TOC-->
## Introduction
This is a list of custom filters, rules and settings I use for Fail2ban.
## Settings
### Logrotate
Install [logrotate](https://github.com/logrotate/logrotate), then run:
```
# systemctl start logrotate.timer
# systemctl enable logrotate.timer
```
Add a new file:
- `/etc/logrotate.d/jenkins`
```
/var/log/jenkins/*.log {
weekly
copytruncate
missingok
rotate 10
compress
delaycompress
notifempty
}
```
### Fail2ban
#### Global options
- `/etc/fail2ban/jail.local`
```
# Fail2ban only accepts "; " for inline comments, so the notes are kept on their own "#" lines.
[DEFAULT]
# add your local network here to avoid being locked out
ignoreip = 127.0.0.1/8 ::1
# you must have postfix working
mta = sendmail
# add the sender email
sender =
# add the destination email
destemail =
maxretry = 3
bantime = 15d
findtime = 3600s
banaction = iptables-allports
action = %(action_mwl)s
```
- `/etc/fail2ban/action.d/abuseipdb.conf`
```
actionban =
```
This replaces the default `actionban` with an empty one.
#### Systemd service
Follow the service hardening instructions given [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening).
- `# systemctl edit fail2ban`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
## NoNewPrivileges=yes # I had problems sending emails with this option enabled.
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
[Unit]
# Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
# (systemd does not allow comments after a value, so the note sits on its own line.)
OnFailure=notify-unit-status@%n.service
After=postfix.service
Requires=postfix.service
```
- `/etc/fail2ban/fail2ban.local`
```
# GFDL v1.3+
# ArchWiki contributors
# https://wiki.archlinux.org/index.php/Fail2ban
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
```
### Jenkins
- `/etc/conf.d/jenkins`
```
# Enable access log.
JENKINS_ACCESSLOG="--accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log"
# Keep the rest.
# Add JENKINS_ACCESSLOG to the command line arguments.
JENKINS_COMMAND_LINE="$JAVA $JAVA_ARGS $JAVA_OPTS -jar $JENKINS_WAR $JENKINS_WEBROOT $JENKINS_PORT $JENKINS_AJPPORT $JENKINS_OPTS $JENKINS_ACCESSLOG"
```
See also [https://wiki.jenkins.io/display/JENKINS/Access+Logging](https://wiki.jenkins.io/display/JENKINS/Access+Logging)
## Filters
### Gitea
- `/etc/fail2ban/filter.d/gitea.conf`
See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/filter.d/gotify.conf`
```
[Definition]
failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"
ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
```
### Roundcube
- `/etc/fail2ban/filter.d/roundcube-auth.conf`
See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf)
### Jenkins
- `/etc/fail2ban/filter.d/jenkins.conf`
```
[Definition]
failregex = <HOST>.*?GET /loginError HTTP/1.1" 401.*?
ignoreregex =
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
```
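To check the Gotify and Jenkins filters above, together with the `maxretry` / `findtime` values from the global options, without touching a live host, here is an added Python example that is not part of the original post. It applies each `failregex`, `ignoreregex` and `datepattern` to constructed sample log lines and replays them through a sliding `findtime` window to report which hosts would reach `maxretry`. The `<HOST>` expansion is a simplified stand-in for fail2ban's own tag, the `DATE_TOKENS` table covers only the directives these two patterns use, and the log lines and addresses are constructed for this example.

```python
import re
from datetime import datetime

# Filter definitions copied from the gotify.conf and jenkins.conf above.
# fail2ban writes a literal "%" as "%%", so datepattern is un-doubled before use.
FILTERS = {
    "gotify": {
        "failregex": r'.*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"',
        "ignoreregex": r"Error #01: you need to provide a valid access token or user credentials to access this api.*",
        "datepattern": "%%Y/%%m/%%d - %%H:%%M:%%S",
    },
    "jenkins": {
        "failregex": r'<HOST>.*?GET /loginError HTTP/1.1" 401.*?',
        "ignoreregex": "",
        "datepattern": "%%d/%%b/%%Y:%%H:%%M:%%S",
    },
}

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag also
# handles IPv6 and hostnames; a run of non-blank characters is enough here).
HOST_RE = r"(?P<host>\S+)"

# strptime directives used by the two datepatterns, mapped to regex fragments.
DATE_TOKENS = {
    "Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}",
    "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}", "b": r"[A-Z][a-z]{2}",
}

def compile_datepattern(datepattern):
    """Turn a fail2ban datepattern into (regex locating the timestamp, strptime format)."""
    fmt = datepattern.replace("%%", "%")
    regex, i = "", 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in DATE_TOKENS:
            regex += DATE_TOKENS[fmt[i + 1]]
            i += 2
        else:
            regex += re.escape(fmt[i])
            i += 1
    return re.compile(regex), fmt

def match_failure(filter_name, line):
    """Return (host, timestamp) if `line` counts as a failure for the filter, else None."""
    f = FILTERS[filter_name]
    if f["ignoreregex"] and re.search(f["ignoreregex"], line):
        return None
    m = re.search(f["failregex"].replace("<HOST>", HOST_RE), line)
    if m is None:
        return None
    date_re, fmt = compile_datepattern(f["datepattern"])
    d = date_re.search(line)
    if d is None:  # failregex hit but no parseable timestamp: skip it, as fail2ban would warn
        return None
    return m.group("host"), datetime.strptime(d.group(0), fmt)

def would_ban(filter_name, lines, maxretry=3, findtime=3600):
    """Replay `lines` through the filter and return hosts that accumulate `maxretry`
    failures within any `findtime`-second window (the jail.local defaults above)."""
    recent, banned = {}, []
    for line in lines:
        hit = match_failure(filter_name, line)
        if hit is None:
            continue
        host, ts = hit
        # keep only failures that are still inside the findtime window
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (gin-style Gotify log, combined-format Jenkins access log);
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real clients.
GOTIFY_LOG = [
    '[GIN] 2020/10/07 - 12:00:01 | 401 |     128.421µs |     203.0.113.7 | POST     "/client"',
    "Error #01: you need to provide a valid access token or user credentials to access this api",
    '[GIN] 2020/10/07 - 12:00:05 | 401 |     110.101µs |     203.0.113.7 | POST     "/client"',
    '[GIN] 2020/10/07 - 12:00:09 | 200 |     951.212µs |     203.0.113.7 | POST     "/client"',
    '[GIN] 2020/10/07 - 12:00:12 | 401 |     102.004µs |     203.0.113.7 | POST     "/client"',
    '[GIN] 2020/10/07 - 12:30:00 | 401 |     100.000µs |    198.51.100.9 | POST     "/client"',
]
JENKINS_LOG = [
    '203.0.113.7 - - [07/Oct/2020:12:00:01 +0200] "GET /loginError HTTP/1.1" 401 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Oct/2020:12:10:00 +0200] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Oct/2020:12:30:00 +0200] "GET /loginError HTTP/1.1" 401 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Oct/2020:13:05:00 +0200] "GET /loginError HTTP/1.1" 401 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("gotify  ->", would_ban("gotify", GOTIFY_LOG))                   # ['203.0.113.7']
    print("jenkins ->", would_ban("jenkins", JENKINS_LOG))                 # []: third hit is outside findtime
    print("jenkins (findtime=7200) ->", would_ban("jenkins", JENKINS_LOG, findtime=7200))  # ['203.0.113.7']
```

The Jenkins sample is deliberately spread over more than an hour: with the `findtime = 3600s` from the global options the third `/loginError` hit no longer counts, so nobody is banned, while a two-hour window would ban `203.0.113.7`. On a real host the equivalent check with fail2ban's own engine is `fail2ban-regex /var/log/gotify/server.log /etc/fail2ban/filter.d/gotify.conf` (and likewise for the Jenkins access log).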
## Jails
### Gitea
- `/etc/fail2ban/jail.local`
```
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/log/gitea/gitea.log
```
See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
### Gotify
- `/etc/fail2ban/jail.local`
```
[gotify]
enabled = true
port = http,https
filter = gotify
logpath = /var/log/gotify/server.log
```
### Roundcube
- `/etc/fail2ban/jail.local`
```
[roundcube]
enabled = true
port = http,https
filter = roundcube-auth
logpath = /var/log/roundcubemail/errors.log
```
### Jenkins
- `/etc/fail2ban/jail.local`
```
[jenkins]
enabled = true
port = http,https
filter = jenkins
logpath = /var/log/jenkins/access.log
```