1 changed files with 156 additions and 0 deletions
@ -0,0 +1,156 @@
|
||||
--- |
||||
title: Fail2ban |
||||
tags: [fail2ban, systemd, gitea, gotify, roundcube, filter, ban] |
||||
updated: 2020-10-07 12:09 |
||||
description: Customization of Fail2ban filter, rules and settings |
||||
--- |
||||
|
||||
## Table of contents |
||||
|
||||
<!--TOC--> |
||||
|
||||
- [Table of contents](#table-of-contents) |
||||
- [Introduction](#introduction) |
||||
- [Global options](#global-options) |
||||
- [Fail2ban](#fail2ban) |
||||
- [Systemd service](#systemd-service) |
||||
- [Filters](#filters) |
||||
- [Gitea](#gitea) |
||||
- [Gotify](#gotify) |
||||
- [Roundcube](#roundcube) |
||||
- [Jails](#jails) |
||||
- [Gitea](#gitea-1) |
||||
- [Gotify](#gotify-1) |
||||
- [Roundcube](#roundcube-1) |
||||
|
||||
<!--TOC--> |
||||
|
||||
## Introduction |
||||
|
||||
This is a list of custom filters, rules and settings I use for Fail2ban. |
||||
|
||||
## Global options |
||||
|
||||
### Fail2ban |
||||
|
||||
- `/etc/fail2ban/jail.local` |
||||
|
||||
``` |
||||
ignoreip = 127.0.0.1/8 ::1 # add your local network here to avoid being locked out |
||||
mta = sendmail # you must have postfix working |
||||
sender = # add the sender email |
||||
destemail = # add the destination email |
||||
maxretry = 3 |
||||
bantime = 15d |
||||
findtime = 60s |
||||
banaction = iptables-allports |
||||
action = %(action_mwl)s |
||||
``` |
||||
|
||||
### Systemd service |
||||
|
||||
Follow the instructions reported [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening) |
||||
|
||||
- `# systemctl edit fai2ban` |
||||
|
||||
``` |
||||
# GFDL v1.3+ |
||||
# ArchWiki contributors |
||||
# https://wiki.archlinux.org/index.php/Fail2ban |
||||
|
||||
[Service] |
||||
PrivateDevices=yes |
||||
PrivateTmp=yes |
||||
ProtectHome=read-only |
||||
ProtectSystem=strict |
||||
|
||||
## NoNewPrivileges=yes # I had problems sending emails with this option enabled. |
||||
|
||||
ReadWritePaths=-/var/run/fail2ban |
||||
ReadWritePaths=-/var/lib/fail2ban |
||||
ReadWritePaths=-/var/log/fail2ban |
||||
ReadWritePaths=-/var/spool/postfix/maildrop |
||||
ReadWritePaths=-/run/xtables.lock |
||||
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW |
||||
|
||||
[Unit] |
||||
OnFailure=notify-unit-status@%n.service # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py |
||||
After=postfix.service |
||||
Requires=postfix.service |
||||
``` |
||||
|
||||
- `/etc/fail2ban/fail2ban.local` |
||||
|
||||
``` |
||||
# GFDL v1.3+ |
||||
# ArchWiki contributors |
||||
# https://wiki.archlinux.org/index.php/Fail2ban |
||||
|
||||
[Definition] |
||||
logtarget = /var/log/fail2ban/fail2ban.log |
||||
``` |
||||
|
||||
## Filters |
||||
|
||||
### Gitea |
||||
|
||||
- `/etc/fail2ban/filter.d/gitea.conf` |
||||
|
||||
See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/) |
||||
|
||||
### Gotify |
||||
|
||||
- `/etc/fail2ban/filter.d/gotify.conf` |
||||
|
||||
``` |
||||
[Definition] |
||||
failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client" |
||||
ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.* |
||||
datepattern = %%Y/%%m/%%d - %%H:%%M:%%S |
||||
``` |
||||
|
||||
### Roundcube |
||||
|
||||
- `/etc/fail2ban/filter.d/roundcube-auth.conf` |
||||
|
||||
See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf) |
||||
|
||||
## Jails |
||||
|
||||
### Gitea |
||||
|
||||
- `/etc/fail2ban/jail.local` |
||||
|
||||
``` |
||||
[gitea] |
||||
enabled = true |
||||
port = http,https |
||||
filter = gitea |
||||
logpath = /var/log/gitea/gitea.log |
||||
``` |
||||
|
||||
See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/) |
||||
|
||||
### Gotify |
||||
|
||||
- `/etc/fail2ban/jail.local` |
||||
|
||||
``` |
||||
[gotify] |
||||
enabled = true |
||||
port = http,https |
||||
filter = gotify |
||||
logpath = /var/log/gotify/server.log |
||||
``` |
||||
|
||||
### Roundcube |
||||
|
||||
- `/etc/fail2ban/jail.local` |
||||
|
||||
``` |
||||
[roundcube] |
||||
enabled = true |
||||
port = http,https |
||||
filter = roundcube-auth |
||||
logpath = /var/log/roundcubemail/errors.log |
||||
``` |
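Review bot: `# systemctl edit fai2ban` in the Systemd service step is missing an `l`, so the drop-in is created for a nonexistent `fai2ban.service` and none of the hardening below it (`ProtectSystem=strict`, `ProtectHome=read-only`, the `CapabilityBoundingSet`) is ever applied to the real unit; it should read `# systemctl edit fail2ban`. Inside that drop-in, `OnFailure=notify-unit-status@%n.service # Optional. See …` carries a trailing comment, which systemd unit files do not support — everything after the unit name becomes part of the value and the dependency is most likely rejected at load time, so move the comment onto its own `#` line. The `jail.local` snippet has the same shape on `ignoreip = 127.0.0.1/8 ::1 # add your local network …` and `mta = sendmail # you must have …`: as far as I can tell fail2ban's config parser does not treat `#` as an inline-comment marker (the Gotify `ignoreregex` on this very page depends on a literal `#` surviving inside a value), so the comment words would be read as additional `ignoreip` entries and the MTA name would be garbage; put those comments on their own lines above the keys. One caveat worth adding next to `ignoreip`: with `banaction = iptables-allports` and `bantime = 15d`, if Gitea, Gotify or Roundcube sit behind a reverse proxy the `<HOST>` captured from their logs is the proxy's address unless the application is configured to log the real client IP, and three failed logins would ban the proxy itself for two weeks.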