From 1feebbeef489fd433c5b7e86a89384932bd1e127 Mon Sep 17 00:00:00 2001
From: Franco Masotti
Date: Wed, 7 Oct 2020 12:11:16 +0200
Subject: [PATCH] Added new post.
---
 _posts/2020-10-07-fail2ban.md | 156 ++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 _posts/2020-10-07-fail2ban.md
diff --git a/_posts/2020-10-07-fail2ban.md b/_posts/2020-10-07-fail2ban.md
new file mode 100644
index 0000000..73a6a0b
--- /dev/null
+++ b/_posts/2020-10-07-fail2ban.md
@@ -0,0 +1,156 @@
+---
+title: Fail2ban
+tags: [fail2ban, systemd, gitea, gotify, roundcube, filter, ban]
+updated: 2020-10-07 12:09
+description: Customization of Fail2ban filter, rules and settings
+---
+
+## Table of contents
+
+
+
+- [Table of contents](#table-of-contents)
+- [Introduction](#introduction)
+- [Global options](#global-options)
+ - [Fail2ban](#fail2ban)
+ - [Systemd service](#systemd-service)
+- [Filters](#filters)
+ - [Gitea](#gitea)
+ - [Gotify](#gotify)
+ - [Roundcube](#roundcube)
+- [Jails](#jails)
+ - [Gitea](#gitea-1)
+ - [Gotify](#gotify-1)
+ - [Roundcube](#roundcube-1)
+
+
+
+## Introduction
+
+This is a list of custom filters, rules and settings I use for Fail2ban.
+
+## Global options
+
+### Fail2ban
+
+- `/etc/fail2ban/jail.local`
+
+ ```
+ ignoreip = 127.0.0.1/8 ::1 # add your local network here to avoid being locked out
+ mta = sendmail # you must have postfix working
+ sender = # add the sender email
+ destemail = # add the destination email
+ maxretry = 3
+ bantime = 15d
+ findtime = 60s
+ banaction = iptables-allports
+ action = %(action_mwl)s
+ ```
+
+### Systemd service
+
+Follow the instructions reported [here](https://wiki.archlinux.org/index.php/Fail2ban#Service_hardening)
+
+- `# systemctl edit fai2ban`
+
+ ```
+ # GFDL v1.3+
+ # ArchWiki contributors
+ # https://wiki.archlinux.org/index.php/Fail2ban
+
+ [Service]
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectHome=read-only
+ ProtectSystem=strict
+
+ ## NoNewPrivileges=yes # I had problems sending emails with this option enabled.
+
+ ReadWritePaths=-/var/run/fail2ban
+ ReadWritePaths=-/var/lib/fail2ban
+ ReadWritePaths=-/var/log/fail2ban
+ ReadWritePaths=-/var/spool/postfix/maildrop
+ ReadWritePaths=-/run/xtables.lock
+ CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+ [Unit]
+ OnFailure=notify-unit-status@%n.service # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
+ After=postfix.service
+ Requires=postfix.service
+ ```
+
+ - `/etc/fail2ban/fail2ban.local`
+
+ ```
+ # GFDL v1.3+
+ # ArchWiki contributors
+ # https://wiki.archlinux.org/index.php/Fail2ban
+
+ [Definition]
+ logtarget = /var/log/fail2ban/fail2ban.log
+ ```
+
+ ## Filters
+
+ ### Gitea
+
+ - `/etc/fail2ban/filter.d/gitea.conf`
+
+ See [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
+
+ ### Gotify
+
+ - `/etc/fail2ban/filter.d/gotify.conf`
+
+ ```
+ [Definition]
+ failregex = .*?\| 401 \|.*?\|.*? \| POST.*?"/client"
+ ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
+ datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
+ ```
+
+ ### Roundcube
+
+ - `/etc/fail2ban/filter.d/roundcube-auth.conf`
+
+ See [https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf](https://raw.githubusercontent.com/fail2ban/fail2ban/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/filter.d/roundcube-auth.conf)
+
+ ## Jails
+
+ ### Gitea
+
+ - `/etc/fail2ban/jail.local`
+
+ ```
+ [gitea]
+ enabled = true
+ port = http,https
+ filter = gitea
+ logpath = /var/log/gitea/gitea.log
+ ```
+
+ See also [https://docs.gitea.io/en-us/fail2ban-setup/](https://docs.gitea.io/en-us/fail2ban-setup/)
+
+ ### Gotify
+
+ - `/etc/fail2ban/jail.local`
+
+ ```
+ [gotify]
+ enabled = true
+ port = http,https
+ filter = gotify
+ logpath = /var/log/gotify/server.log
+ ```
+
+ ### Roundcube
+
+ - `/etc/fail2ban/jail.local`
+
+ ```
+ [roundcube]
+ enabled = true
+ port = http,https
+ filter = roundcube-auth
+ logpath = /var/log/roundcubemail/errors.log
+ ```
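Review bot: The Gotify `failregex` in `/etc/fail2ban/filter.d/gotify.conf` contains no `<HOST>` tag, so Fail2ban has no address to ban from a match and should refuse to load the filter ("No failure-id group"), leaving the `[gotify]` jail ineffective. The third pipe-delimited field of that log line appears to be the client address, so `failregex = .*?\| 401 \|.*?\| <HOST> \| POST.*?"/client"` would make the filter usable; worth confirming against a real 401 line from `/var/log/gotify/server.log` with `fail2ban-regex`. The command under "Systemd service" misspells the unit name, `# systemctl edit fai2ban`, which would create an override for a non-existent unit instead of hardening the real one; it should read `# systemctl edit fail2ban`.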