Häufig kommt es vor, dass einzelne Benutzer oder automatisierte Scripts an einem Server verschiedene Kombinationen aus Benutzernamen und Passwörtern “ausprobieren” (das sogenannte Brute-Force) mit dem Ziel einen funktionierenden Login zu finden. Dies wollen wir natürlich verhindern und die Verursacher wirkungsvoll aussperren, wobei uns das Tool Fail2Ban behilflich ist.
Fail2Ban ist ein kleines Programm auf Python-Basis, welches die Logdateien der Server durchsucht und IP-Adressen, die zu viele fehlgeschlagene Loginversuche haben, blockiert. Das Blockieren der IP-Adressen geschieht dabei in der Regel über Firewallregeln, welche von Fail2Ban entsprechend angepasst werden.
In dieser Anleitung werden wir die, bei Linux üblichen, iptables verwenden. Weiterhin bringt Fail2Ban aber auch Unterstützung für z.B. Shorewall mit und lässt sich beliebig an die auf dem System eingesetzte Firewall anpassen.
Von Hause aus unterstützen die Version bis einschließlich 0.9.x von Fail2Ban nur IPv4-Adressen. Durch eine recht kleine Anpassung lässt es sich jedoch auch auf IPv6 erweitern, was im Beitrag Fail2Ban mit IPv6 beschrieben wird.
Ab Version 0.10 kann Fail2Ban auch ohne zusätzliche Patches IPv6-Adressen erkennen und zuverlässig blockieren. Aus diesem Grund sollte vorzugsweise die Version 0.10.x verwendet werden, auch wenn die Installation etwas aufwändiger ist.
Manuelle Installation von Version 0.10.x
Zuerst müssen die benötigten Abhängigkeiten installiert werden:
1 |
sudo apt-get install python3 python3-pyinotify python3-systemd python3-dnspython |
Anschließend laden wir das .tar.gz
-Archiv des aktuellsten 0.10.x Releases herunter und installieren Fail2Ban.
Der jeweils aktuelle Download-Link ist auf der Fail2Ban GitHub Releases Seite zu finden.
1 2 3 4 5 6 7 8 |
cd /tmp wget https://github.com/fail2ban/fail2ban/archive/0.10.4.tar.gz tar -xf 0.10.4.tar.gz cd fail2ban-0.10.4/ sudo python setup.py install sudo cp build/fail2ban.service /etc/systemd/system/ sudo systemctl enable fail2ban sudo systemctl start fail2ban |
Damit ist die manuelle Installation dann auch schon abgeschlossen und Fail2Ban läuft mit den Standardeinstellungen.
Als nächster Schritt sollte die Konfiguration erfolgen, da in den Standardeinstellungen keine Jails aktiviert sind.
Installation aus den Repositories
Hinweis: Die Versionen in den Standard-Repositories sind aktuell (Stand November 2018) mit 0.9.x etwas veraltet und bieten noch keine native Unterstützung von IPv6!
Unter Debian und Ubuntu Linux ist die Installation von Fail2Ban gewohnt einfach und ggf. fehlende Abhängigkeiten werden automatisch mit installiert:
1 |
sudo apt-get install fail2ban |
Damit ist die Installation auch schon vollständig und Fail2Ban wurde bereits gestartet.
1 2 |
sudo systemctl status fail2ban Status of authentication failure monitor:fail2ban is running. |
Konfiguration
Die gesamten Einstellungen von Fail2Ban befindet sich im Verzeichnis /etc/fail2ban/
.
Die grundlegende Konfiguration erfolgt in der Datei jail.local
, welche eine Kopie der jail.conf
darstellt. Anpassungen könnten auch in der jail.conf
vorgenommen werden, jedoch wird diese bei einem Update eventuell überschrieben. Sobald die Datei jail.local
vorhanden ist wird diese von Fail2Ban verwendet und unsere Konfiguration bleibt auch bei einem Update erhalten. Zuerst müssen wir also die jail.conf
als jail.local
kopieren und anschließend passen wir die jail.local
nach unsern Vorstellungen an.
1 2 |
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo nano /etc/fail2ban/jail.local |
Die Konfigurationsdateien sind in verschiedene Sektionen unterteilt. Eine Sektion wird durch eckige Klammern gekennzeichnet (z.B. [ssh]).
Die DEFAULT-Sektion stellt dabei eine Besonderheit dar. Die hier vorgenommenen Einstellungen gelten für alle anderen Sektionen, sofern ein Wert nicht in einer Sektion erneut gesetzt wird. Ansonsten sind die Einstellungen nur für die jeweils aktuelle Sektion gültig.
Die DEFAULT-Sektion
Bei ignoreip können IP-Adressen oder IP-Bereiche angegeben werden, die nie geblockt werden sollen. Mehrere Einträge sind mit Leerzeichen zu trennen. Es empfiehlt sich hier zumindest während der Konfiguration seine eigene IP hinzuzufügen.
Unter bantime wird die Bannzeit in Sekunden angegeben. Wir belassen es hier bei dem voreingestellten Wert von 600 (entspricht 10 Minuten).
maxretry gibt die Anzahl der Fehlversuche an, ab der er eine Aktion ausgelöst wird.
findtime bestimmt das Zeitfenster in Sekunden für die Anzahl an Fehlversuchen.
Bei destemail kann eine E-Mail Adresse angegeben werden, an die Benachrichtigungen gesendet werden, wenn Fail2Ban eine IP-Adresse blockiert.
banaction legt fest, welche Aktion zum Blockieren einer IP angewendet werden soll. Wir belassen diese bei iptables-multiport
, da damit gleich mehrere Ports gesperrt werden können.
Den Eintag bei action ändern wir auf %(action_mwl)s
damit wir beim Blockieren einer IP-Adresse eine E-Mail mit ein paar Informationen zugesendet bekommen.
Andere Sektionen, die sogenannten Jails
In jeder Sektion kann eine Einstellung aus der DEFAULT-Sektion (z.B. bantime) überschieben werden.
Nicht benötigte Jails sollten deaktiviert werden.
Erforderlich sind in den Sektionen die folgenden Einstellungen:
- enabled legt fest, ob die Sektion aktiviert ist oder nicht. Standardmäßig sind seit v0.9.0 alle Jails deaktiviert.
- port gibt den Port oder die Ports an die für die IP gesperrt werden sollen.
- filter definiert den verwendeten Filter für diese Sektion. Alle verfügbaren Filter befinden sich im Verzeichnis
/etc/fail2ban/filter.d/
. - logpath legt die Logdatei fest, welche überwacht werden soll.
Ein Sonderfall, die recidive-Sektion
Dieses Jail stellt eine Besonderheit dar. Hier überwacht Fail2Ban seine eigene Log-Datei und erkennt somit mehrfach gesperrte IP-Adressen.
Dies ist sinnvoll, damit IP-Adressen, die häufiger auffällig werden, für einen längeren Zeitraum gesperrt werden können. Wurde beispielsweise eine IP 5 mal in Folge innerhalb kurzer Zeit gesperrt, so wird diese für eine Woche komplett gesperrt.
Im Folgenden Beispiel ist diese Sektion ab Zeile 748 zu finden.
Beispiel einer jail.local
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 |
# # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, e.g.: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [sshd] # enabled = true # # See jail.conf(5) man page for more information # Comments: use '#' for comment lines and ';' (following a space) for inline comments [INCLUDES] #before = paths-distro.conf before = paths-debian.conf # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space (and/or comma) separator. ignoreip = 127.0.0.1/8 123.45.67.89 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 3600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 3600 # "maxretry" is the number of failures before a host get banned. maxretry = 10 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. # # Note: if systemd backend is chosen as the default but you enable a jail # for which logs are present only in its own log files, specify some other # backend for that jail (e.g. polling) and provide empty value for # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail # This is used to decode the lines from the log file. # Typical examples: "ascii", "utf-8" # # auto: will use the system locale setting logencoding = auto # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. # Enable only relevant to your setup jails in your .local or jail.d/*.conf # # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # "filter" defines the filter to use by the jail. # By default jails have names matching their filter name # filter = %(__name__)s # # ACTIONS # # Some options used for actions # Destination email address used solely for the interpolations in # jail.{conf,local,d/*} configuration files. destemail = admin@example.com # Sender email address used solely for some actions sender = fail2ban@server.example.com # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # Ports to be banned # Usually should be overridden in a particular jail port = 0:65535 # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 fail2ban_agent = Fail2Ban/%(fail2ban_version)s # # Action shortcuts. To be used to define action parameter # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport banaction_allports = iptables-allports # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines # to the destemail. action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] # blocklist_de_apikey = {api key from registration] # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] # Report ban via badips.com, and use as blacklist # # See BadIPsAction docstring in config/action.d/badips.py for # documentation for this action. # # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] # # Report ban via badips.com (uses action.d/badips.conf for reporting only) # action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_mwl)s # # JAILS # # # SSH servers # [sshd] enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s banaction = iptables-allports # findtime: 1 week findtime = 604800 # bantime: 1 week bantime = 604800 maxretry = 5 [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] port = ssh logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] port = ssh logpath = %(auditd_log)s # # HTTP servers # [apache-auth] enabled = true port = http,https logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. enabled = true port = http,https logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] enabled = true port = http,https logpath = %(apache_error_log)s [apache-overflows] enabled = true port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] enabled = true port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] port = http,https logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> [apache-modsecurity] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] port = http,https logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] port = http,https logpath = %(nginx_error_log)s # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] port = http,https logpath = %(nginx_error_log)s maxretry = 2 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications port = http,https logpath = %(lighttpd_error_log)s # # Webmail and groupware servers # [roundcube-auth] port = http,https logpath = %(roundcube_errors_log)s [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https # # Web Applications # # [drupal-auth] port = http,https logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login port = 2812 logpath = /var/log/monit [webmin-auth] port = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s # # HTTP Proxy servers # # [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log # # FTP servers # [proftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s # # Mail servers # # ASSP SMTP Proxy Jail [assp] port = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] enabled = true port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] enabled = true port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 [sendmail-auth] port = submission,465,smtp logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] enabled = true port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] port = smtp,465,submission logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courier-auth] enabled = true port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] enabled = true port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = %(postfix_log)s backend = %(postfix_backend)s [perdition] port = imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s # # # DNS servers # # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks UDP traffic for DNS requests. # [named-refused-udp] # # filter = named-refused # port = domain,953 # protocol = udp # logpath = /var/log/named/security.log # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log # # Miscellaneous # [asterisk] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 10 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or # equivalent section: # log-warning = 2 # # for syslog (daemon facility) # [mysqld_safe] # syslog # # for own logfile # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] enabled = true port = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s # Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) # to maintain entries for failed logins for sufficient amount of time [recidive] enabled = true logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 604800 ; 1 week findtime = 86400 ; 1 day # Generic filter for PAM. Has to be used with action which bans all # ports such as iptables-allports, shorewall [pam-generic] # pam-generic filter can be customized to monitor specific subset of 'tty's enabled = true banaction = %(banaction_allports)s logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s backend = %(syslog_backend)s maxretry = 2 # stunnel - need to set port for this [stunnel] logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-strike] logpath = /opt/cstrike/logs/L[0-9]*.log # Firewall: http://www.cstrike-planet.com/faq/6 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s [directadmin] logpath = /var/log/directadmin/login.log port = 2222 [portsentry] logpath = /var/lib/portsentry/portsentry.history maxretry = 1 [pass2allow-ftp] # this pass2allow example allows FTP traffic after successful HTTP authentication port = ftp,ftp-data,ftps,ftps-data # knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local filter = apache-pass # access log of the website with HTTP auth logpath = %(apache_access_log)s blocktype = RETURN returntype = DROP bantime = 3600 maxretry = 1 findtime = 1 [murmur] # AKA mumble-server port = 64738 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/mumble-server/mumble-server.log [screensharingd] # For Mac OS Screen Sharing Service (VNC) logpath = /var/log/system.log logencoding = utf-8 [haproxy-http-auth] # HAProxy by default doesn't log to file you'll need to set it up to forward # logs to a syslog server which would then write them to disk. # See "haproxy-http-auth" filter for a brief cautionary note when setting # maxretry and findtime. logpath = /var/log/haproxy.log [slapd] port = ldap,ldaps filter = slapd logpath = /var/log/slapd.log |
Neustart von Fail2Ban
Zum Schluss starten wir Fail2Ban neu um alle Anpassungen zu aktivieren.
1 |
sudo systemctl restart fail2ban |
Nun ist Fail2Ban aktiv und überwacht pausenlos die in der Datei jail.local
eingestellten Logdateien.
1 Pingback