Fail2ban

Source: ARDITI - WIKI
Revision as of 16:03, 2 January 2021 by Hvasanth (talk | contribs) (Added default banaction and SSH ports)

Installing

First, install fail2ban from the Ubuntu repository:

sudo apt update
sudo apt install fail2ban

Configuring

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files as they may be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order; each later file overrides settings from the earlier ones, so a .local file overrides its .conf counterpart:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

For most users, the easiest way to configure Fail2ban is to copy the jail.conf to jail.local and modify the .local file. More advanced users can build a .local configuration file from scratch. The .local file doesn’t have to include all settings from the corresponding .conf file, only those you want to override.

Create a .local configuration file from the default jail.conf file:

sudo cp /etc/fail2ban/jail.{conf,local}

Then go ahead and edit the jail.local file with the following values:

# "bantime" is the number of (s)econds/(m)inutes/(h)ours/(d)ays that a host is banned.
bantime  = 7d
# A host is banned if it has generated "maxretry" during the last "findtime"
# (s)econds/(m)inutes/(h)ours/(d)ays.
findtime  = 1h
# "maxretry" is the number of failures before a host gets banned within the "findtime".
maxretry = 6

To make a ban bite harder, set the default banaction so that a banned IP is blocked on all ports, not only on the port of the service it was attacking:

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-allports
banaction_allports = iptables-allports

In addition, we can specify extra ports for a service (SSH in this case, which here also listens on 10022):

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh,10022
logpath = %(sshd_log)s
backend = %(sshd_backend)s
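The read order and the override rules above, as an added Python example that is not part of this wiki page: it builds a constructed jail.conf / jail.d/defaults-debian.conf / jail.local tree in a temporary directory (the jail.conf values are an abbreviated stand-in for the packaged defaults), merges the files in Fail2ban's order and reports the values the sshd jail ends up with.

```python
import configparser
import glob
import os
import re
import tempfile

def merged_jail_config(root):
    """Read the jail files in Fail2ban's order; every later file overrides earlier ones."""
    order = ([os.path.join(root, "jail.conf")]
             + sorted(glob.glob(os.path.join(root, "jail.d", "*.conf")))
             + [os.path.join(root, "jail.local")]
             + sorted(glob.glob(os.path.join(root, "jail.d", "*.local"))))
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(order)  # files that do not exist are skipped, as Fail2ban does
    return cfg

def to_seconds(value):
    """Convert a Fail2ban time such as '7d', '1h' or a bare '600' to seconds."""
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * unit[m.group(2) or "s"]

def demo():
    """Write a constructed /etc/fail2ban tree to a temp dir and return the sshd jail's effective values."""
    files = {
        # constructed: abbreviated stand-in for the packaged jail.conf
        "jail.conf": "[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n"
                     "banaction = iptables-multiport\n\n[sshd]\nport = ssh\n",
        "jail.d/defaults-debian.conf": "[sshd]\nenabled = true\n",
        # the overrides this page recommends
        "jail.local": "[DEFAULT]\nbantime = 7d\nfindtime = 1h\nmaxretry = 6\n"
                      "banaction = iptables-allports\nbanaction_allports = iptables-allports\n\n"
                      "[sshd]\nport = ssh,10022\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "jail.d"))
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        cfg = merged_jail_config(root)
        # keys the [sshd] section does not set fall back to [DEFAULT], as in Fail2ban
        return {
            "bantime_s": to_seconds(cfg.get("sshd", "bantime")),
            "findtime_s": to_seconds(cfg.get("sshd", "findtime")),
            "maxretry": cfg.getint("sshd", "maxretry"),
            "banaction": cfg.get("sshd", "banaction"),
            "port": cfg.get("sshd", "port"),
            "enabled": cfg.getboolean("sshd", "enabled"),
        }
```

Point merged_jail_config at a real /etc/fail2ban to see which file wins for a given key before restarting the service.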

Then restart the Fail2ban service and check that its status is OK:

sudo service fail2ban restart && sudo service fail2ban status