Added new post.

_posts/2020-10-07-fail2ban.md

@@ -0,0 +1,156 @@
+---
+title: Fail2ban
+tags: [fail2ban, systemd, gitea, gotify, roundcube, filter, ban]
+updated: 2020-10-07 12:09
+description: Customization of Fail2ban filter, rules and settings
+---
+
+## Table of contents
+
+<!--TOC-->
+
+- [Table of contents](#table-of-contents)
+- [Introduction](#introduction)
+- [Global options](#global-options)
+  - [Fail2ban](#fail2ban)
+  - [Systemd service](#systemd-service)
+- [Filters](#filters)
+  - [Gitea](#gitea)
+  - [Gotify](#gotify)
+  - [Roundcube](#roundcube)
+- [Jails](#jails)
+  - [Gitea](#gitea-1)
+  - [Gotify](#gotify-1)
+  - [Roundcube](#roundcube-1)
+
+<!--TOC-->
+
+## Introduction
+
+This is a list of custom filters, rules and settings I use for Fail2ban.
+
+## Global options
+
+### Fail2ban
+
+- `/etc/fail2ban/jail.local`
+
+  ```
+  ignoreip = 127.0.0.1/8 ::1                          # add your local network here to avoid being locked out
+  mta = sendmail                                      # you must have postfix working
+  sender =                                            # add the sender email
+  destemail =                                         # add the destination email
+  maxretry = 3
+  bantime  = 15d
+  findtime  = 60s
+  banaction = iptables-allports
+  action = %(action_mwl)s
+  ```
+
+### Systemd service
+
+Follow the instructions reported [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening)
+
+- `# systemctl edit fai2ban`
+
+  ```
+  # GFDL v1.3+
+  # ArchWiki contributors
+  # https://wiki.archlinux.org/index.php/Fail2ban
+
+  [Service]
+  PrivateDevices=yes
+  PrivateTmp=yes
+  ProtectHome=read-only
+  ProtectSystem=strict
+
+  ## NoNewPrivileges=yes                        # I had problems sending emails with this option enabled.
+
+  ReadWritePaths=-/var/run/fail2ban
+  ReadWritePaths=-/var/lib/fail2ban
+  ReadWritePaths=-/var/log/fail2ban
+  ReadWritePaths=-/var/spool/postfix/maildrop
+  ReadWritePaths=-/run/xtables.lock
+  CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+  [Unit]
+  OnFailure=notify-unit-status@%n.service       # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
+  After=postfix.service
+  Requires=postfix.service
+  ```
+
+- `/etc/fail2ban/fail2ban.local`
+
+  ```
+  # GFDL v1.3+
+  # ArchWiki contributors
+  # https://wiki.archlinux.org/index.php/Fail2ban
+
+  [Definition]
+  logtarget = /var/log/fail2ban/fail2ban.log
+  ```
+
+## Filters
+
+### Gitea
+
+- `/etc/fail2ban/filter.d/gitea.conf`
+
+  See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
+
+### Gotify
+
+- `/etc/fail2ban/filter.d/gotify.conf`
+
+  ```
+  [Definition]
+  failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"
+  ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
+  datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
+  ```
+
+### Roundcube
+
+- `/etc/fail2ban/filter.d/roundcube-auth.conf`
+
+  See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf)
+
+## Jails
+
+### Gitea
+
+- `/etc/fail2ban/jail.local`
+
+  ```
+  [gitea]
+  enabled = true
+  port = http,https
+  filter = gitea
+  logpath = /var/log/gitea/gitea.log
+  ```
+
+  See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
+
+### Gotify
+
+- `/etc/fail2ban/jail.local`
+
+  ```
+  [gotify]
+  enabled = true
+  port = http,https
+  filter = gotify
+  logpath = /var/log/gotify/server.log
+  ```
+
+### Roundcube
+
+- `/etc/fail2ban/jail.local`
+
+  ```
+  [roundcube]
+  enabled = true
+  port = http,https
+  filter = roundcube-auth
+  logpath = /var/log/roundcubemail/errors.log
+  ```