Differences

This shows you the differences between two versions of the page.

--- systems:media_server:secure_the_server:install_fail2ban [2025/05/30 20:30] – peter
+++ systems:media_server:secure_the_server:install_fail2ban [2025/05/30 21:31] (current) – peter
@@ Line 22: / Line 22: @@
 ----
-===== Configure Fail2Ban =====
-The default configuration is defined in **/etc/fail2ban/jail.conf**.
-<WRAP important>
-**WARNING:** The default values may change with package updates, so if you want to change the settings, create a **jail.local** file and modify it.
-</WRAP>
-Here are salient lines from the default configuration:
-<file bash /etc/fail2ban/jail.conf>
-# line 87 : ignore your own local IP
-#ignoreself = true
-# line 92 : possible to add ignored networks
-#ignoreip = 127.0.0.1/8 ::1
-# line 101 : number of seconds that a host is banned
-# - 1m ⇒ 1 minutes
-# - 1h ⇒ 1 houer
-# - 1d ⇒ 1 day
-# - 1mo ⇒ 1 month
-# - 1y ⇒ 1 year
-bantime  = 10m
-# line 105 : A host is banned if it has generated "maxretry" during the last "findtime"
-findtime  = 10m
-# line 108 : "maxretry" is the number of failures before a host get banned
-maxretry = 5
-# line 178 : destination email address if enabling email notification
-destemail = root@localhost
-# line 181 : sender address if enabling email notification
-sender = root@<fq-hostname>
-# line 263 : default action
-# - %(action_)s ⇒ ban only
-# - %(action_mw)s ⇒ band and email notification (includes Whois info)
-# - %(action_mwl)s ⇒ band and email notification (includes Whois info and logs)
-action = %(action_)s
-</file>
-----
-===== Override the default values =====
-As root, create a **/etc/fail2ban/jail.local** file.
-<file bash /etc/fail2ban/jail.local>
-[DEFAULT]
-ignoreip = 127.0.0.1/8 ::1
-bantime  = 1d
-findtime  = 5m
-maxretry = 5
-destemail = root@localhost
-sender = root@mediaserver
-</file>
-----
-===== Restart Fail2Ban =====
-<code bash>
-sudo systemctl restart fail2ban
-</code>
-----
-===== Verify Fail2Ban =====
-<code bash>
-sudo systemctl status fail2ban
-</code>
-returns:
-<code>
-fail2ban.service - Fail2Ban Service
-     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
-     Active: active (running) since Fri 2025-05-30 19:38:01 UTC; 6s ago
-       Docs: man:fail2ban(1)
-   Main PID: 3108 (fail2ban-server)
-      Tasks: 5 (limit: 154383)
-     Memory: 18.8M (peak: 19.8M)
-        CPU: 110ms
-     CGroup: /system.slice/fail2ban.service
-             └─3108 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
-May 30 19:38:01 mediaserver systemd[1]: Started fail2ban.service - Fail2Ban Service.
-May 30 19:38:02 mediaserver fail2ban-server[3108]: 2025-05-30 19:38:02,022 fail2ban.configreader   [3108]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
-May 30 19:38:02 mediaserver fail2ban-server[3108]: Server ready
-</code>
-----
-===== Check the fail2ban status =====
-<code bash>
-sudo fail2ban-client status
-</code>
-returns:
-<code>
-Status
-|- Number of jail:	1
-`- Jail list:	sshd
-</code>
 <WRAP info>
-**NOTE:**  By default, only the SSH service is enabled and monitored.
+**NOTE:**  For now, only the sshd service is monitored.
-</WRAP>
-----
+  * See [[Ubuntu:Fail2Ban|Fail2Ban]] for optionally monitoring other services.
-===== Check the fail2ban status of the sshd service =====
-<code bash>
-sudo fail2ban-client status sshd
-</code>
-returns:
-<code>
-Status for the jail: sshd
-|- Filter
-|  |- Currently failed:	0
-|  |- Total failed:	0
-|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
-`- Actions
-   |- Currently banned:	0
-   |- Total banned:	0
-   `- Banned IP list:
-</code>
-<WRAP info>
-**NOTE:**  Once actual banning starts, the totals and the Banned IP list will get updated.
-The actual ban action is controlled by nftables.
-  * Check the nft status with: <code bash>
-sudo nft list ruleset
-</code>
 </WRAP>
@@ Line 173: / Line 32: @@
 ----
-===== To manually add banned hosts =====
+===== References =====
-<code bash>
+[[Ubuntu:Fail2Ban|Fail2Ban]]
-sudo fail2ban-client set sshd banip 1.2.3.4/28
-</code>
-<WRAP info>
-**NOTE:**  This will ban IP 1.2.3.4/28.
-</WRAP>
-----
-===== To manually add banned hosts =====
-<code bash>
-sudo fail2ban-client set sshd unbanip 1.2.3.4
-</code>
-<WRAP info>
-**NOTE:**  This will unban IP 1.2.3.4.
-</WRAP>
-----
-===== To remove all banned hosts =====
-<code bash>
-sudo fail2ban-client unban --all
-</code>
-----
-===== Have fail2ban monitor other services =====
-By default, fail2ban only monitors sshd.
-Confirm this:
-<code bash>
-ll /etc/fail2ban/jail.d
-</code>
-returns:
-<code bash>
-drwxr-xr-x 2 root root 4096 May 30 19:31 ./
-drwxr-xr-x 6 root root 4096 May 30 19:37 ../
--rw-r--r-- 1 root root  117 Jun 10  2024 defaults-debian.conf
-</code>
-<WRAP info>
-**NOTE:**  This shows only a single file, named **defaults-debian.conf**.
-</WRAP>
-----
-==== View this file ====
-<code bash>
-most /etc/fail2ban/jail.d/defaults-debian.conf
-</code>
-returns:
-<file bash /etc/fail2ban/jail.d/defaults-debian.conf>
-[DEFAULT]
-banaction = nftables
-banaction_allports = nftables[type=allports]
-backend = systemd
-[sshd]
-enabled = true
-</file>
-<WRAP info>
-**NOTE:**  This shows that the sshd service is enabled for monitoring.
-  * This also shows that the actual ban action is controlled by nftables.
-</WRAP>
-----
-==== Override the default values for a specific service ====
-Edit that **/etc/fail2ban/jail.d/defaults-debian.conf** file, and add configuration changes into the section of the service to override.
-  * As the only service currently being monitored is sshd, for now changes will be overridden for sshd.
-<file bash /etc/fail2ban/jail.d/defaults-debian.conf>
-[DEFAULT]
-banaction = nftables
-banaction_allports = nftables[type=allports]
-backend = systemd
-[sshd]
-enabled = true
-# override the default values for the sshd service
-bantime = 600
-findtime = 3m
-maxretry = 5
-action = %(action_mw)s
-</file>
-----
-==== Enable the new changes ====
-Reload fail2ban to enable the changes.
-<code bash>
-sudo systemctl reload fail2ban
-</code>
-----
-==== Check what other services could be monitored by fail2ban ====
-<code bash>
-grep '^\[' /etc/fail2ban/jail.conf | tail -n +3
-</code>
-returns:
-<code>
-[sshd]
-[dropbear]
-[selinux-ssh]
-[apache-auth]
-[apache-badbots]
-[apache-noscript]
-[apache-overflows]
-[apache-nohome]
-[apache-botsearch]
-[apache-fakegooglebot]
-[apache-modsecurity]
-[apache-shellshock]
-[openhab-auth]
-[nginx-http-auth]
-[nginx-limit-req]
-[nginx-botsearch]
-[nginx-bad-request]
-[php-url-fopen]
-[suhosin]
-[lighttpd-auth]
-...
-</code>
-----
-==== To monitor another service ====
-Create a new file under **/etc/fail2ban/jail.d/** for the specific service.
-For example, to monitor Vsftpd, create a new file **/etc/fail2ban/jail.d/vsftpd.conf** and populate with:
-<file bash /etc/fail2ban/jail.d/vsftpd.conf>
-[vsftpd]
-enabled = true
-backend = systemd
-journalmatch = _SYSTEMD_UNIT=vsftpd.service
-action = %(action_mw)s
-</file>
-<WRAP info>
-**NOTE:**
-  * **[vsftpd]** - is the name of a service, from one of the services that fail2ban can monitor.
-The actual name of the file under **/etc/fail2ban/jail.d/** is irrelevant, and can be anything.
-  * It is the contents of the file that are used.
-</WRAP>
-----
-==== Enable the new changes ====
-Reload fail2ban to enable the new service to be monitored.
-<code bash>
-sudo systemctl reload fail2ban
-</code>
-----
-==== Check the fail2ban-client status ====
-<code bash>`
-sudo fail2ban-client status
-</code>
-returns:
-<code>
-Status
-|- Number of jail:      2
-`- Jail list:   sshd, vsftpd
-</code>
-----
-==== Verify settings for the new service being monitored ====
-<code bash>
-sudo fail2ban-client status vsftpd
-</code>
-returns:
-<code>
-Status for the jail: vsftpd
-|- Filter
-|  |- Currently failed: 0
-|  |- Total failed:     3
-|  `- Journal matches:  _SYSTEMD_UNIT=vsftpd.service
-`- Actions
-   |- Currently banned: 1
-   |- Total banned:     1
-   `- Banned IP list:   1.2.3.4
-</code>
-----