More security with fail2ban
The small program fail2ban can be configured to detect an attacker who tries to log in without knowing the password or with a wrong SSH key. By default, fail2ban then closes access for the attacking system for x minutes by means of a firewall rule (iptables). This is one of the best weapons against brute-force attacks.
Installation
Debian/Ubuntu Linux
apt install fail2ban
Configuration
Actions
If you want to receive an e-mail whenever fail2ban takes an action, you can simply create the following configuration. The other parameters set the ban time and the number of attempts before a ban is triggered:
/etc/fail2ban/jail.d/action.conf
[DEFAULT]
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = YOURMAILADDRESS

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

# "bantime" is the number of seconds that a host is banned.
bantime = 30m

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
Backend
If you are running a newer Debian Linux / Raspberry Pi OS (Bookworm and newer), the backend must be changed from auto to systemd:
/etc/fail2ban/jail.d/backend.conf
[DEFAULT]
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = systemd
You can then also configure fail2ban's own logging so that it logs to the systemd journal as well:
/etc/fail2ban/fail2ban.d/logging.conf
[DEFAULT]
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
#
logtarget = SYSTEMD-JOURNAL
allowipv6 warning
To get rid of the warning
fail2ban-server[3538]: 2024-01-03 19:21:18,823 fail2ban.configreader [3538]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
simply create this file:
/etc/fail2ban/fail2ban.d/ipv6.conf
[DEFAULT]
# Option: allowipv6
# Notes.: Allows IPv6 interface:
#         Default: auto
# Values: [ auto yes (on, true, 1) no (off, false, 0) ]  Default: auto
allowipv6 = no
Configuration for SSH
Add the following to the file /etc/fail2ban/jail.local:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
Configuration for Pure-FTPd
Add the following to the file /etc/fail2ban/jail.local:
#
# FTP servers
#
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
/etc/fail2ban/filter.d/pure-ftpd.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
#
# $Revision: 3$
#
[Definition]

# Error message specified in multiple languages
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
#
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Configuration for Apache HTTPd
/etc/fail2ban/jail.local
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 3

[apache-404block]
enabled = true
port = http,https
filter = apache-404block
logpath = /var/log/apache*/*access.log
maxretry = 5
/etc/fail2ban/filter.d/apache-auth.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#
[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
            [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/filter.d/apache-nohome.conf
# Fail2Ban configuration file
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 716 $
#
[Definition]

# Option: failregex
# Notes.: regex to match failures to find a home directory on a server, which
#         became popular last days. Most often attacker just uses IP instead of
#         domain name -- so expect to see them in generic error.log if you have
#         per-domain log files.
# Values: TEXT
#
#failregex = [[]client <HOST>[]] File does not exist: .*/~.*
failregex = [[]client <HOST>[]] File does not exist:

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/filter.d/apache-404block.conf
[Definition]
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$
ignoreregex =
Caution: if the following error message appears at start-up:
fail2ban.filter : ERROR No 'host' group in '- - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$'
then <HOST> is missing at the beginning of the failregex. It must look as shown above (apache-404block.conf)!
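As an added illustration (not part of this page or of fail2ban's own code), the following Python script reproduces what fail2ban-regex does with a filter: it expands the <HOST> tag exactly as the filter comments above describe, rejects a failregex that yields no 'host' group (the start-up error just shown) and tallies matching lines per client against maxretry. It uses the apache-404block failregex from this page over constructed access-log lines; the findtime window of real fail2ban is left out for brevity.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to this named group (see the filter comments above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

def compile_failregex(failregex):
    """Expand <HOST> like fail2ban does and compile; raise ValueError when no
    'host' group results (the "No 'host' group in ..." start-up error)."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_TAG))
    if "host" not in compiled.groupindex:
        raise ValueError(f"No 'host' group in '{failregex}'")
    return compiled

def failregex_is_valid(failregex):
    """True when the pattern compiles and yields a 'host' group."""
    try:
        compile_failregex(failregex)
        return True
    except (ValueError, re.error):
        return False

def count_failures(lines, failregex, ignoreregex=""):
    """Tally matching lines per host, roughly what fail2ban-regex reports."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits = Counter()
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue  # an ignoreregex hit wins over failregex
        match = fail.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(hits, maxretry):
    """Hosts with at least maxretry failures (findtime window ignored here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)

# failregex from apache-404block.conf over a constructed access.log sample:
# five 404s from one client, one 200 and one 404 from another.
APACHE_404BLOCK = r'<HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$'
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [03/Jan/2024:19:21:%02d +0100] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl"' % s
    for s in range(18, 23)
] + [
    '198.51.100.7 - - [03/Jan/2024:19:21:30 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
    '198.51.100.7 - - [03/Jan/2024:19:21:31 +0100] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla"',
]
```

With maxretry = 5 as in the [apache-404block] jail above, count_failures followed by hosts_to_ban reports only 203.0.113.5 as bannable.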
Configuration for Dovecot POP3 & IMAP
Caution!!! With Dovecot 1.1 and older, logging must be directed to syslog in dovecot.conf. To do this, simply leave log_path = empty.
/etc/fail2ban/jail.local
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
maxretry = 5
dovecot-pop3imap.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
SASL Postfix configuration
/etc/fail2ban/filter.d/sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Default
#failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
# Debian Lenny
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/jail.local
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
Testing regexes
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
Unbanning an IP
If you have once again locked yourself out of the server, you can simply delete the iptables rule with the following command:
iptables --delete RULENAME POSITION
A short example:
iptables --list
....
Chain fail2ban-apache-nohome (1 references)
target     prot opt source               destination
DROP       all  --  10.10.10.1           anywhere
RETURN     all  --  anywhere             anywhere
....
To unban the IP 10.10.10.1, the command would look like this:
iptables --delete fail2ban-apache-nohome 1