====== fail2ban ======


\\
==== System updaten ====

<code>
apt-get update
apt-get upgrade
</code>

\\
==== fail2ban installieren ====

<code>
apt-get install fail2ban
</code>

\\
==== Dienststatus ====

<code>
service fail2ban status

service fail2ban stop
service fail2ban start
service fail2ban restart

</code>



<code>

root@raspberrypi3:/home/pi# service fail2ban status
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-01-31 13:19:50 CET; 1min 3s ago
       Docs: man:fail2ban(1)
    Process: 20877 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 20878 (fail2ban-server)
      Tasks: 5 (limit: 1595)
        CPU: 1.857s
     CGroup: /system.slice/fail2ban.service
             └─20878 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 31 13:19:50 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
Jan 31 13:19:50 raspberrypi3 systemd[1]: Started Fail2Ban Service.
Jan 31 13:19:52 raspberrypi3 fail2ban-server[20878]: Server ready

</code>

\\
==== Log-File ====


<code>
tail- f /var/log/fail2ban.log
bash: tail-: command not found
root@raspberrypi3:/home/pi# tail -f /var/log/fail2ban.log
2024-01-31 13:19:52,130 fail2ban.jail           [20878]: INFO    Creating new jail 'sshd'
2024-01-31 13:19:52,318 fail2ban.jail           [20878]: INFO    Jail 'sshd' uses pyinotify {}
2024-01-31 13:19:52,341 fail2ban.jail           [20878]: INFO    Initiated 'pyinotify' backend
2024-01-31 13:19:52,360 fail2ban.filter         [20878]: INFO      maxLines: 1
2024-01-31 13:19:52,643 fail2ban.filter         [20878]: INFO      maxRetry: 5
2024-01-31 13:19:52,645 fail2ban.filter         [20878]: INFO      findtime: 600
2024-01-31 13:19:52,646 fail2ban.actions        [20878]: INFO      banTime: 600
2024-01-31 13:19:52,647 fail2ban.filter         [20878]: INFO      encoding: UTF-8
2024-01-31 13:19:52,651 fail2ban.filter         [20878]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 6ab07ffed84cb62c8dcb4600d0b0630ab9c821f5)
2024-01-31 13:19:52,671 fail2ban.jail           [20878]: INFO    Jail 'sshd' started

</code>

\\
Wird 6x hintereinander versucht eine ssh-Verbindung herzustellen, sperrt fail2ban den Zugang:
<code>
2024-01-31 13:41:52,082 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:52
2024-01-31 13:41:59,197 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:58
2024-01-31 13:42:02,555 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:02
2024-01-31 13:42:07,367 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:07
2024-01-31 13:42:11,476 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:11
2024-01-31 13:42:12,249 fail2ban.actions        [20878]: NOTICE  [sshd] Ban 192.168.178.36

</code>

\\
Nach 10 Minuten ist er wieder freigegeben:
<code>
2024-01-31 13:52:11,321 fail2ban.actions        [20878]: NOTICE  [sshd] Unban 192.168.178.36

</code>

\\
==== Dateiübersicht ====
<code>
ls -l /etc/fail2ban/
total 64
drwxr-xr-x 2 root root  4096 Jan 31 13:19 action.d
-rw-r--r-- 1 root root  2816 Nov 23  2020 fail2ban.conf
drwxr-xr-x 2 root root  4096 Jul 12  2021 fail2ban.d
drwxr-xr-x 3 root root  4096 Jan 31 13:19 filter.d
-rw-r--r-- 1 root root 24996 Nov 23  2020 jail.conf
drwxr-xr-x 2 root root  4096 Jan 31 13:19 jail.d
-rw-r--r-- 1 root root   645 Nov 23  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Nov 23  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Nov 23  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Nov 23  2020 paths-opensuse.conf

</code>

\\
==== Ausgangskonfiguration ====
In der Datei ///etc/fail2ban/jail.conf// steht im Abschnitt\\
[DEFAULT]
<code>
# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

</code>
Die habe ich zu Testzwecken auf 2 Minuten und 2 Einträgen reduziert.\\
\\
\\
In der Datei  ///etc/fail2ban/jail.conf// stehen im Abschnitt\\
<code>
#
# JAILS
#

</code>
alle zu überwachenden Dienste.\\
Sie werden mit dem Zusatz: enabled = true und einem Dienstneustart aktiviert.\\



\\
Jails anzeigen lassen:
<code>
root@raspberrypi3:/home/pi# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
</code>

bzw. dann später:
<code>
root@raspberrypi3:/home/pi# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   apache-auth, sshd

</code>
\\
genauer hingesehen:
<code>
root@raspberrypi3:/home/pi# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:


</code>

\\
==== Beste Vorgehensweise ====

die Ausgangskonfiguration kopieren
<code>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>
\\
Die Kopie anpassen. Also im Abschnitt //DEFAULT// die gwünschte Regel mit //enabeld = true// aktivieren bzw. eine neue hinzufügen.\\
\\
Im Verzeichnis ///etc/fail2ban/filter.d/// dann die *.conf verändern oder falls noch nicht vorhanden, anlegen und anpassen.\\
\\
\\
Beispiel: Apache 404-Fehler:\\

<code>
nano  /etc/fail2ban/jail.local


#
# JAILS
#

# neu hinzufügen
[apache404]
enabled = true
port     = http,https
logpath  = /var/log/apache2/access.log

</code>


\\
dann eine neue Filterdatei anlegen:
<code>
nano /etc/fail2ban/filter.d/apache404.conf
</code>

<code>
[Definition]

failregex = ^<HOST> -.*"(GET|POST).*404*.*$

ignoreregex =

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
</code>

und fail2ban neustarten:
<code>
service fail2ban restart
</code>

\\
\\
Nun kann man über die Log-Files sehr schön den Verlauf bei einem fehlerhaften Zugriff beobachten:\\
**service fail2ban status**
<code>
root@raspberrypi3:/home/pi# service fail2ban status
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-01-31 15:32:26 CET; 1h 1min ago
       Docs: man:fail2ban(1)
    Process: 23835 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 23836 (fail2ban-server)
      Tasks: 7 (limit: 1595)
        CPU: 5.115s
     CGroup: /system.slice/fail2ban.service
             └─23836 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service.
Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: Server ready
</code>

\\
**iptables -L**
<code>
root@raspberrypi3:/home/pi# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache404 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
</code>

\\
**fail2ban-client status apache404**
<code>
root@raspberrypi3:/home/pi# fail2ban-client status apache404
Status for the jail: apache404
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     3
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

</code>

\\
\\
nun die Webseite nach fehlenden Seiten abfragen:
\\
**tail -f /var/log/fail2ban.log**
<code>
2024-01-31 16:36:58,105 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:36:58
2024-01-31 16:38:13,892 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:38:13
2024-01-31 16:38:14,032 fail2ban.actions        [23836]: NOTICE  [apache404] Ban 192.168.178.36**Fetter Text**

</code>

\\
**fail2ban-client status apache404**
<code>
root@raspberrypi3:/home/pi# fail2ban-client status apache404
Status for the jail: apache404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   192.168.178.36

</code>

\\
**iptables -L**
<code>
root@raspberrypi3:/home/pi# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache404 (1 references)
target     prot opt source               destination
REJECT     all  --  DESKTOP-PQ44AIL.fritz.box  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

</code>





 

\\
\\
==== Quellen ====

https://wiki.ubuntuusers.de/fail2ban/\\
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04\\