Protect Ya Neck with Fail2Ban - barkwoofdog/howtowithdog GitHub Wiki
So you're self-hosting something and have put it on the Internet. Whether you're following my guide on skirting your ISP or you are using your own public IP, you will need some protection on the host for your services. One of the best solutions, in my humble opinion, is Fail2Ban.
Fail2Ban, once configured, searches through the log files of your services for failed authorization attempts and automatically puts system firewall rules in place to block that specific violator from any further attempts to access that service.
Fail2Ban out of the box can be configured to protect services like apache, ssh and even Counter Strike 1.6, as it ships with filters for those services. Filter is just a fancy word for a RegEx designed to locate failed auth attempts. You can find the list of these filters inside /etc/fail2ban/filter.d/ after it is installed. We'll talk more about setting up these protections in a little bit.
Fail2Ban is likely already packaged for your distribution, and is therefore pretty simple to install and set up. As always, be sure to update your repos and upgrade your system before you install new software:
sudo apt update && sudo apt upgrade -y
OR
sudo dnf upgrade
Then install the package:
sudo apt install fail2ban
OR
sudo dnf install fail2ban
Once installed, you should have a new directory at /etc/fail2ban/ that contains the configuration files for the Fail2Ban daemon.
First off, let's move into the Fail2Ban directory with a quick cd /etc/fail2ban and then list the contents to see what we are working with. You can use ls, ll or your favorite list command to see what's going on.
The following is the expected output of ls after a fresh installation of Fail2Ban:
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.d paths-arch.conf paths-common.conf paths-debian.conf paths-opensuse.conf
The file of note here is jail.conf. It contains default configurations for jails (the active protections Fail2Ban runs) as well as examples, so consider it a tutorial for Fail2Ban. Inside it you will see how to configure how many attempts an IP gets before it is banned, how long it stays banned, and even how to have Fail2Ban mail you when an IP is banned. I strongly recommend reading through this file, although there are other great write-ups out there (this one included /s) that give you a bit of a TL;DR on how to use Fail2Ban.
DO NOT EDIT jail.conf. It supplies the defaults for every parameter you have not overridden, and it is replaced when the Fail2Ban package is updated, so your changes would be lost.
Instead, place files into /etc/fail2ban/jail.d/, or create one overarching file in the root of /etc/fail2ban/ named jail.local. Settings in these files take precedence over jail.conf.
In this little guide we're just going to do a simple jail for ssh, and then show how to add one for another service (in this case, Nextcloud).
First off, let's create a local jail file with touch jail.local inside of the /etc/fail2ban/ directory; you can then edit it with your favorite text editor. Here is an example ssh daemon jail. The values inside it are explained afterwards.
/etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 7200
bantime = 86400
ignoreip = 10.10.10.10
Let's discuss this file line by line.
[sshd]: this is the header, and the parameters following it define what this jail will do with violations, plus any other settings for Fail2Ban to follow. In this case I want SSH secured, so I named the jail sshd, after the ssh daemon. The name also matches the [sshd] section in jail.conf, so Fail2Ban already knows sensible defaults for this service.
enabled: true or false. Can this jail take action or not? Jails in jail.conf are shipped disabled, so this is the line that actually switches one on.
port: pretty self explanatory. With common ports you can usually just enter the name of the service; 22 or ssh would do the same thing, as the name is looked up in /etc/services. If you moved sshd to another port, put that port here, because the firewall rule Fail2Ban creates only covers the ports listed.
filter: what file inside of /etc/fail2ban/filter.d/ should this jail use as its RegEx filter? The sshd filter comes out of the box with Fail2Ban. If you leave this line out, Fail2Ban assumes a filter with the same name as the jail.
logpath: which file should Fail2Ban apply the filter to in order to find violations to take action on? On distributions that no longer write /var/log/auth.log and log only to the systemd journal, there is nothing here to read and the jail will fail to start; set backend = systemd in the jail instead so it reads sshd's messages from the journal.
maxretry: how many violations can occur within findtime before Fail2Ban takes action on that individual violator?
findtime: the first time an IP violates the rules set in Fail2Ban, a timer starts. This is that timer. If the violator fails authentication (or whatever your filter looks for) maxretry times inside of findtime, Fail2Ban takes action. This value is set in seconds.
EX: my findtime is set to 60 and my maxretry is set to 2. If host 185.66.5.12 fails authentication over SSH, the timer starts. 15 seconds later they fail again. Because that second failure was within the time limit, Fail2Ban takes action on that host and puts a firewall rule in place to block it.
bantime: how much time (in seconds) will the action taken on a host be enforced? In this example file it is set to 86400, which is an entire day.
ignoreip: say you don't want the rules to apply to certain IP addresses, your own LAN or VPN for instance. Enter those here, separated by spaces; CIDR ranges such as 10.10.10.0/24 are accepted too.
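To make the interaction between maxretry, findtime, bantime and ignoreip concrete, here is a small replay of the sshd jail's logic over a few constructed auth.log lines. This is an added example written for this page, not Fail2Ban's code and not from the wiki author: the failregex is a cut-down stand-in for the real sshd filter, the year, host names and addresses are made up, and the window arithmetic mirrors the jail parameters above closely enough to show the behaviour without claiming to be Fail2Ban's exact implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines in classic syslog format (not real captures). Syslog
# lines carry no year, so 2024 is assumed when parsing. 10.10.10.10 is the
# ignoreip address from the jail above.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:00 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:15 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:30 host sshd[1003]: Accepted publickey for deploy from 10.10.10.10 port 40000 ssh2
Mar  3 10:00:40 host sshd[1004]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:41 host sshd[1005]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:00:50 host sshd[1006]: Failed password for root from 10.10.10.10 port 40001 ssh2
Mar  3 10:00:52 host sshd[1007]: Failed password for root from 10.10.10.10 port 40002 ssh2
Mar  3 10:00:54 host sshd[1008]: Failed password for root from 10.10.10.10 port 40003 ssh2
Mar  3 10:01:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 6000 ssh2
Mar  3 13:30:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 6001 ssh2
Mar  3 13:30:05 host sshd[1011]: Failed password for root from 198.51.100.7 port 6002 ssh2
"""

# A cut-down stand-in for the sshd filter: one failregex, with Fail2Ban's <HOST>
# tag written out as a named group (assumption: the real sshd.conf has many more).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, host) for each line the filter matches; everything else
    (successful logins, unrelated daemons) is not a violation."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]


class Jail:
    """Applies maxretry/findtime/bantime/ignoreip to a stream of failures."""

    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.recent = defaultdict(deque)   # host -> failure times inside the findtime window
        self.banned_until = {}             # host -> when the firewall rule would expire
        self.bans = []                     # (host, ban start, ban end), in order

    def observe(self, ts, host):
        """Record one failure; return True if it is the one that triggers a ban."""
        if host in self.ignoreip:
            return False                   # ignoreip: never counted, never banned
        if host in self.banned_until and ts < self.banned_until[host]:
            return False                   # already blocked; the firewall rule would drop this
        window = self.recent[host]
        window.append(ts)
        # findtime: only failures within the last findtime seconds count (sliding window)
        while ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:   # maxretry failures inside findtime -> ban
            self.banned_until[host] = ts + self.bantime
            self.bans.append((host, ts, ts + self.bantime))
            window.clear()
            return True
        return False


def run_jail(log_text, **jail_settings):
    """Replay the log through a jail and return the bans it would have issued."""
    jail = Jail(**jail_settings)
    for ts, host in parse_failures(log_text):
        jail.observe(ts, host)
    return jail.bans


if __name__ == "__main__":
    for host, start, end in run_jail(SAMPLE_AUTH_LOG, maxretry=3, findtime=7200,
                                     bantime=86400, ignoreip=["10.10.10.10"]):
        print(f"ban {host} from {start} until {end}")
```

With the jail.local values above, 203.0.113.5 is banned on its third failure at 10:00:40 for a day; 198.51.100.7 never is, because its first failure has fallen out of the two-hour findtime window by the time the next two arrive; and 10.10.10.10 is never counted because it sits in ignoreip. Change the settings to maxretry=2 and findtime=60 (the EX above) and 198.51.100.7 does get banned after its two closely spaced failures at 13:30.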
Assuming your system runs systemd (which is a very safe assumption), you can use the following commands.
enable fail2ban starting on system boot
sudo systemctl enable fail2ban
start the fail2ban service immediately
sudo systemctl start fail2ban
see if the service started and if it is healthy
sudo systemctl status fail2ban
While systemctl can show you the status of Fail2Ban as a whole, it doesn't show exactly what is going on in the jail we just configured. In the following section I'll show you a few commands that are very helpful for working with Fail2Ban.
Official Fail2Ban Command Page
First off, you invoke all of the commands I am about to show you with the following format:
fail2ban-client <COMMAND>
or, if you would like to drop into an interactive prompt, as with sftp or nslookup:
fail2ban-client -i
Let's see the status of our sshd jail. This is the first thing to run after a config change, because a jail with a bad logpath or filter can fail to start while the service as a whole still looks healthy:
fail2ban-client status sshd
The output shows how many failures the filter has counted and which IPs are banned right now. Running the above command without sshd will show you how many jails you have running, as well as their names.
You will see something like this (maybe not too much like it, since this server has been running a while!)
Reload the specified jail (re-reads its configuration and restarts it):
fail2ban-client reload <jail>
Unban an IP from a specific jail:
fail2ban-client set <jail> unbanip <address>
These are just a few examples. The command line gives you many more options to control the Fail2Ban server and its jails.
Just a heads up here: I am using Nextcloud's own documentation because they have been so gracious as to provide it. The main point of this section is to show you how to add jails. Nextcloud Security
You first need to create the filter for the Nextcloud log file. Remember that filters are just files that contain RegEx values that allow Fail2Ban to identify bad authentication attempts.
Run touch /etc/fail2ban/filter.d/nextcloud.conf and then edit that file. The following is the content of nextcloud.conf. Note that the second failregex line must be indented; that is how Fail2Ban's INI format marks a continuation of the previous value, and without the indentation the file will not parse.
/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
# one JSON "key":value pair, repeated; reused below so the patterns can skip over any fields
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
# <HOST> is filled in by Fail2Ban; every extra pattern is indented under failregex
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
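Before wiring the filter into a jail, confirm it actually matches your log; otherwise the jail starts cleanly and bans nobody. On a real host the check is fail2ban-regex <logfile> <filter>. The added example below (written for this page, not Nextcloud's or Fail2Ban's code) does the equivalent in plain Python with the filter's own regexes over constructed nextcloud.log lines. Assumptions: %(_groupsre)s is expanded by hand, <HOST> is replaced by a simplified address group, the log lines and addresses are made up, and the last line models a Nextcloud behind a reverse proxy with no trusted_proxies configured, where remoteAddr is the proxy itself rather than the client.

```python
import re

# Constructed nextcloud.log lines (not real captures). Nextcloud writes one compact
# JSON object per line; r5 stands for a deployment behind a reverse proxy whose
# trusted_proxies setting is missing, so remoteAddr is the proxy, not the client.
SAMPLE_NEXTCLOUD_LOG = r"""
{"reqId":"r1","level":2,"time":"2024-03-03T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.1.1"}
{"reqId":"r2","level":1,"time":"2024-03-03T10:00:05+00:00","remoteAddr":"10.10.10.10","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"File scan complete","userAgent":"Mozilla/5.0","version":"28.0.1.1"}
{"reqId":"r3","level":2,"time":"2024-03-03T10:00:09+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"198.51.100.7\" tried to access using \"evil.example\" as host.","userAgent":"curl/8.0","version":"28.0.1.1"}
{"reqId":"r4","level":2,"time":"2024-03-03T10:00:12+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.1.1"}
{"reqId":"r5","level":2,"time":"2024-03-03T10:00:20+00:00","remoteAddr":"127.0.0.1","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '127.0.0.1')","userAgent":"curl/8.0","version":"28.0.1.1"}
""".strip()

# The regex bodies are the filter file's own _groupsre and failregex, with
# %(_groupsre)s expanded by hand (Fail2Ban does that through INI interpolation) and
# <HOST> replaced by a simplified IPv4/IPv6 capture (Fail2Ban's real <HOST>
# expansion is broader); both substitutions are assumptions made for this example.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
HOST = r'(?P<host>[0-9a-fA-F.:]+)'
FAILREGEX = [
    re.compile(r'^\{' + GROUPSRE + r',?\s*"remoteAddr":"' + HOST + r'"' + GROUPSRE
               + r',?\s*"message":"Login failed:'),
    re.compile(r'^\{' + GROUPSRE + r',?\s*"remoteAddr":"' + HOST + r'"' + GROUPSRE
               + r',?\s*"message":"Trusted domain error.'),
]
# Python form of the filter's datepattern (%%Y and friends are strftime codes there)
DATEPATTERN = re.compile(
    r',?\s*"time"\s*:\s*"(?P<time>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:?\d{2})?)"'
)


def match_failures(log_text):
    """Return [(time, host)] for every line some failregex matches, i.e. the lines
    fail2ban-regex would count as matched; lines matching none are not violations."""
    hits = []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                t = DATEPATTERN.search(line)
                hits.append((t["time"] if t else None, m["host"]))
                break
    return hits


def would_ban_self(hits, proxies=("127.0.0.1", "::1")):
    """Hosts the jail would ban that are really your own reverse proxy. If this is
    non-empty, fix trusted_proxies in Nextcloud before enabling the jail, or every
    failed login through the proxy will block the proxy (and all users) instead."""
    return sorted({host for _, host in hits if host in proxies})


if __name__ == "__main__":
    hits = match_failures(SAMPLE_NEXTCLOUD_LOG)
    for when, host in hits:
        print(f"{when}  violation from {host}")
    print("would ban our own proxy:", would_ban_self(hits))
```

Four of the five lines match (two failed logins from 203.0.113.5, the trusted-domain error from 198.51.100.7, and the failed login whose remoteAddr is 127.0.0.1); the file-scan line does not. The last hit is the one to worry about: banning 127.0.0.1 would cut off the proxy, not the attacker.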
After you save this file (the datepattern line tells Fail2Ban where the timestamp sits in each JSON line; the doubled %% is how a literal % is written in these files), head back to the jail.local file that we created and add the following lines to it. You could also create a file named nextcloud.local inside of jail.d instead.
/etc/fail2ban/jail.local
[nextcloud]
backend = auto
enabled = true
port = <your nextcloud ports, usually 80 or 443>
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /path/to/data/directory/nextcloud.log
Please note that you will need to locate the Nextcloud data directory for this to work properly; by default nextcloud.log lives there, unless the logfile setting in Nextcloud's config.php points somewhere else. If you are using a Docker container with a bind mount, head to that directory on the host and follow the remaining structure to find the nextcloud.log file. Fail2Ban reads the file on the host, so it is the host-side path that belongs in logpath.
Once you have done all this, run
sudo systemctl restart fail2ban
You can check whether your nextcloud jail has started by running
fail2ban-client status nextcloud
Confirm good results and you are good to go! Many other services offer their own Fail2Ban filter files, as it is a very popular piece of software. Have fun!