
title tags updated description
Fail2ban [tutorial fail2ban systemd gitea gotify roundcube filter ban] 2021-09-13 14:07:00 Customization of Fail2ban filter, rules and settings

Table of contents

Introduction

This is a list of custom filters, rules and settings I use for Fail2ban.

Settings

Logrotate

Install logrotate, then run:

# systemctl start logrotate.timer
# systemctl enable logrotate.timer

Add a new file:

  • /etc/logrotate.d/jenkins

    /var/log/jenkins/*.log {
            weekly
            copytruncate
            missingok
            rotate 10
            compress
            delaycompress
            notifempty
    }
    

Fail2ban

Global options

  • /etc/fail2ban/jail.local

    ignoreip = 127.0.0.1/8 ::1                          # add your local network here to avoid being locked out
    mta = sendmail                                      # you must have postfix working
    sender =                                            # add the sender email
    destemail =                                         # add the destination email
    maxretry = 3
    bantime  = 15d
    findtime  = 3600s
    banaction = iptables-allports
    action = %(action_mwl)s
    
  • /etc/fail2ban/action.d/abuseipdb.conf

    actionban =
    

    Replace the default `actionban` action with an empty one.

Systemd service

Follow the instructions reported on the ArchWiki Fail2ban page (https://wiki.archlinux.org/index.php/Fail2ban):

  • # systemctl edit fail2ban

    # GFDL v1.3+
    # ArchWiki contributors
    # https://wiki.archlinux.org/index.php/Fail2ban
    
    [Service]
    PrivateDevices=yes
    PrivateTmp=yes
    ProtectHome=read-only
    ProtectSystem=strict
    
    ## NoNewPrivileges=yes                        # I had problems sending emails with this option enabled (the sendmail command hands mail to Postfix's setgid postdrop helper, which NoNewPrivileges most likely blocks).
    
    ReadWritePaths=-/var/run/fail2ban
    ReadWritePaths=-/var/lib/fail2ban
    ReadWritePaths=-/var/log/fail2ban
    ReadWritePaths=-/var/spool/postfix/maildrop
    ReadWritePaths=-/run/xtables.lock
    CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
    
    [Unit]
    OnFailure=notify-unit-status@%n.service       # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py
    After=postfix.service
    Requires=postfix.service
    
  • /etc/fail2ban/fail2ban.local

    # GFDL v1.3+
    # ArchWiki contributors
    # https://wiki.archlinux.org/index.php/Fail2ban
    
    [Definition]
    logtarget = /var/log/fail2ban/fail2ban.log
    

Jenkins

  • /etc/conf.d/jenkins

    # Enable access log.
    JENKINS_ACCESSLOG="--accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log"
    
    # Keep the rest.
    
    # Add JENKINS_ACCESSLOG to the command line arguments.
    JENKINS_COMMAND_LINE="$JAVA $JAVA_ARGS $JAVA_OPTS -jar $JENKINS_WAR $JENKINS_WEBROOT $JENKINS_PORT $JENKINS_AJPPORT $JENKINS_OPTS $JENKINS_ACCESSLOG"
    

    See also https://wiki.jenkins.io/display/JENKINS/Access+Logging

Filters

Gitea

Gotify

  • /etc/fail2ban/filter.d/gotify.conf

    [Definition]
    failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client"
    ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.*
    datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
    

Roundcube

Jenkins

  • /etc/fail2ban/filter.d/jenkins.conf

    [Definition]
    failregex = <HOST>.*?GET /loginError HTTP/1.1" 401.*?
    ignoreregex =
    datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
    

Jails

Gitea

Gotify

  • /etc/fail2ban/jail.local

    [gotify]
    enabled = true
    port = http,https
    filter = gotify
    logpath = /var/log/gotify/server.log
    

Roundcube

  • /etc/fail2ban/jail.local

    [roundcube]
    enabled = true
    port = http,https
    filter = roundcube-auth
    logpath = /var/log/roundcubemail/errors.log
    

Jenkins

  • /etc/fail2ban/jail.local

    [jenkins]
    enabled = true
    port = http,https
    filter = jenkins
    logpath = /var/log/jenkins/access.log