
fail2ban


Update the system

apt-get update
apt-get upgrade


Install fail2ban

apt-get install fail2ban


Service status

service fail2ban status

service fail2ban stop
service fail2ban start
service fail2ban restart

root@raspberrypi3:/home/pi# service fail2ban status
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-01-31 13:19:50 CET; 1min 3s ago
       Docs: man:fail2ban(1)
    Process: 20877 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 20878 (fail2ban-server)
      Tasks: 5 (limit: 1595)
        CPU: 1.857s
     CGroup: /system.slice/fail2ban.service
             └─20878 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 31 13:19:50 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
Jan 31 13:19:50 raspberrypi3 systemd[1]: Started Fail2Ban Service.
Jan 31 13:19:52 raspberrypi3 fail2ban-server[20878]: Server ready


Log file

tail -f /var/log/fail2ban.log

root@raspberrypi3:/home/pi# tail -f /var/log/fail2ban.log
2024-01-31 13:19:52,130 fail2ban.jail           [20878]: INFO    Creating new jail 'sshd'
2024-01-31 13:19:52,318 fail2ban.jail           [20878]: INFO    Jail 'sshd' uses pyinotify {}
2024-01-31 13:19:52,341 fail2ban.jail           [20878]: INFO    Initiated 'pyinotify' backend
2024-01-31 13:19:52,360 fail2ban.filter         [20878]: INFO      maxLines: 1
2024-01-31 13:19:52,643 fail2ban.filter         [20878]: INFO      maxRetry: 5
2024-01-31 13:19:52,645 fail2ban.filter         [20878]: INFO      findtime: 600
2024-01-31 13:19:52,646 fail2ban.actions        [20878]: INFO      banTime: 600
2024-01-31 13:19:52,647 fail2ban.filter         [20878]: INFO      encoding: UTF-8
2024-01-31 13:19:52,651 fail2ban.filter         [20878]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 6ab07ffed84cb62c8dcb4600d0b0630ab9c821f5)
2024-01-31 13:19:52,671 fail2ban.jail           [20878]: INFO    Jail 'sshd' started


If an SSH connection is attempted 6 times in a row, fail2ban blocks access:

2024-01-31 13:41:52,082 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:52
2024-01-31 13:41:59,197 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:41:58
2024-01-31 13:42:02,555 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:02
2024-01-31 13:42:07,367 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:07
2024-01-31 13:42:11,476 fail2ban.filter         [20878]: INFO    [sshd] Found 192.168.178.36 - 2024-01-31 13:42:11
2024-01-31 13:42:12,249 fail2ban.actions        [20878]: NOTICE  [sshd] Ban 192.168.178.36


After 10 minutes the host is released again:

2024-01-31 13:52:11,321 fail2ban.actions        [20878]: NOTICE  [sshd] Unban 192.168.178.36


File overview

ls -l /etc/fail2ban/
total 64
drwxr-xr-x 2 root root  4096 Jan 31 13:19 action.d
-rw-r--r-- 1 root root  2816 Nov 23  2020 fail2ban.conf
drwxr-xr-x 2 root root  4096 Jul 12  2021 fail2ban.d
drwxr-xr-x 3 root root  4096 Jan 31 13:19 filter.d
-rw-r--r-- 1 root root 24996 Nov 23  2020 jail.conf
drwxr-xr-x 2 root root  4096 Jan 31 13:19 jail.d
-rw-r--r-- 1 root root   645 Nov 23  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Nov 23  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Nov 23  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Nov 23  2020 paths-opensuse.conf


Initial configuration

In the file /etc/fail2ban/jail.conf, the section

[DEFAULT]

contains:

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

For testing purposes I reduced these to 2 minutes and 2 entries.
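As an added example (not from the original page), the following Python simulates how findtime, maxretry and bantime interact, using the five "Found" timestamps from the sshd log above as constructed input. With the default values it reproduces the 13:52:11 Unban shown earlier; with the 2-minute/2-entry test setting the ban already follows the second attempt.

```python
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed input: the five "Found" timestamps from the sshd log excerpt above.
FOUND_TIMES = [
    "2024-01-31 13:41:52",
    "2024-01-31 13:41:58",
    "2024-01-31 13:42:02",
    "2024-01-31 13:42:07",
    "2024-01-31 13:42:11",
]


def simulate_ban(found_times, maxretry=5, findtime=600, bantime=600):
    """Return (ban_from, unban_at) as strings, or None if no ban is triggered.

    A host is banned once `maxretry` failures fall within `findtime` seconds.
    fail2ban counts `bantime` from the time of the last failure, which is why
    the Unban above (13:52:11) is exactly 600 s after the last Found (13:42:11),
    while the Ban NOTICE itself is stamped a moment later when the action runs.
    """
    window = timedelta(seconds=findtime)
    recent = []  # failure times still inside the findtime window
    for t in (datetime.strptime(s, LOG_FORMAT) for s in found_times):
        # Drop failures that have aged out of the findtime window.
        recent = [f for f in recent if t - f <= window]
        recent.append(t)
        if len(recent) >= maxretry:
            unban = t + timedelta(seconds=bantime)
            return (t.strftime(LOG_FORMAT), unban.strftime(LOG_FORMAT))
    return None


if __name__ == "__main__":
    print("default 5 in 10m, ban 10m:", simulate_ban(FOUND_TIMES))
    print("test    2 in 2m,  ban 2m :", simulate_ban(FOUND_TIMES, 2, 120, 120))
```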


In the file /etc/fail2ban/jail.conf, the section

#
# JAILS
#

lists all services that can be monitored.
They are activated by adding enabled = true and restarting the service.


Show the jails:

root@raspberrypi3:/home/pi# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

or, later on:

root@raspberrypi3:/home/pi# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   apache-auth, sshd


looking more closely:

root@raspberrypi3:/home/pi# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:


Recommended procedure

Copy the initial configuration:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Adapt the copy, i.e. in the DEFAULT section enable the desired rule with enabled = true, or add a new one.

Then change the corresponding *.conf in the directory /etc/fail2ban/filter.d/ or, if it does not exist yet, create and adapt it.


Example: Apache 404 errors:

nano  /etc/fail2ban/jail.local


#
# JAILS
#

# newly added
[apache404]
enabled = true
port     = http,https
logpath  = /var/log/apache2/access.log


then create a new filter file:

nano /etc/fail2ban/filter.d/apache404.conf

[Definition]

# '[^"]*" 404 ' anchors on the HTTP status-code field; a bare 404* would
# also match 400, 403 and any "40" inside the request line.
failregex = ^<HOST> -.*"(GET|POST)[^"]*" 404 .*$

ignoreregex =

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

and restart fail2ban:

service fail2ban restart
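Before restarting, it is worth checking what the filter actually matches. The following added Python example (not from the original page) applies both the exact-status form of the apache404 failregex and a loose variant ending in 404* to constructed Apache access-log lines, roughly the way fail2ban-regex would, and shows which hosts would reach the 2-entry test setting. The IPv4-only stand-in for <HOST> and the sample lines are assumptions made for the example.

```python
import re

# fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses and host names;
# this IPv4-only stand-in is an assumption made for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Exact form: match the status-code field. Loose form: the "*" only repeats
# the last "4", so "40" anywhere after the method already satisfies it.
STRICT_REGEX = r'^<HOST> -.*"(GET|POST)[^"]*" 404 .*$'
LOOSE_REGEX = r'^<HOST> -.*"(GET|POST).*404*.*$'

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LINES = [
    '192.168.178.36 - - [31/Jan/2024:16:36:58 +0100] "GET /missing.html HTTP/1.1" 404 435 "-" "curl/7.88.1"',
    '192.168.178.36 - - [31/Jan/2024:16:38:13 +0100] "POST /old/form HTTP/1.1" 404 435 "-" "curl/7.88.1"',
    '192.168.178.20 - - [31/Jan/2024:16:39:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88.1"',
    '192.168.178.20 - - [31/Jan/2024:16:39:05 +0100] "GET /private/ HTTP/1.1" 403 199 "-" "curl/7.88.1"',
    '192.168.178.20 - - [31/Jan/2024:16:39:07 +0100] "GET /%zz HTTP/1.1" 400 226 "-" "curl/7.88.1"',
    '192.168.178.21 - - [31/Jan/2024:16:39:09 +0100] "GET /page-40.html HTTP/1.1" 200 512 "-" "curl/7.88.1"',
]


def matching_hosts(failregex, lines):
    """Return the <HOST> of every line the failregex matches, i.e. the hosts
    that would show up as 'Found ...' entries in fail2ban.log."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(pattern.match, lines) if m]


def hosts_reaching_maxretry(failregex, lines, maxretry=2):
    """Hosts with at least `maxretry` matches (the findtime window is ignored
    here; all sample lines lie within a few minutes anyway)."""
    counts = {}
    for host in matching_hosts(failregex, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("strict", STRICT_REGEX), ("loose", LOOSE_REGEX)):
        print(name, matching_hosts(rx, SAMPLE_LINES),
              "-> would ban:", hosts_reaching_maxretry(rx, SAMPLE_LINES))
```

With the loose pattern, a client that only produced a 403 and a 400 would be banned as well; fail2ban's own checker does the same test against the real files: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache404.conf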



Now the course of a failed access can be followed nicely in the log files:
service fail2ban status

root@raspberrypi3:/home/pi# service fail2ban status
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-01-31 15:32:26 CET; 1h 1min ago
       Docs: man:fail2ban(1)
    Process: 23835 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 23836 (fail2ban-server)
      Tasks: 7 (limit: 1595)
        CPU: 5.115s
     CGroup: /system.slice/fail2ban.service
             └─23836 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service...
Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service.
Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: Server ready


iptables -L

root@raspberrypi3:/home/pi# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache404 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


fail2ban-client status apache404

root@raspberrypi3:/home/pi# fail2ban-client status apache404
Status for the jail: apache404
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     3
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:



now request non-existent pages from the website:
tail -f /var/log/fail2ban.log

2024-01-31 16:36:58,105 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:36:58
2024-01-31 16:38:13,892 fail2ban.filter         [23836]: INFO    [apache404] Found 192.168.178.36 - 2024-01-31 16:38:13
2024-01-31 16:38:14,032 fail2ban.actions        [23836]: NOTICE  [apache404] Ban 192.168.178.36


fail2ban-client status apache404

root@raspberrypi3:/home/pi# fail2ban-client status apache404
Status for the jail: apache404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   192.168.178.36


iptables -L

root@raspberrypi3:/home/pi# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache404  tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache404 (1 references)
target     prot opt source               destination
REJECT     all  --  DESKTOP-PQ44AIL.fritz.box  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere



Sources

https://wiki.ubuntuusers.de/fail2ban/
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04