apt-get update
apt-get upgrade
apt-get install fail2ban
service fail2ban status
service fail2ban stop
service fail2ban start
service fail2ban restart
root@raspberrypi3:/home/pi# service fail2ban status ● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2024-01-31 13:19:50 CET; 1min 3s ago Docs: man:fail2ban(1) Process: 20877 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 20878 (fail2ban-server) Tasks: 5 (limit: 1595) CPU: 1.857s CGroup: /system.slice/fail2ban.service └─20878 /usr/bin/python3 /usr/bin/fail2ban-server -xf start Jan 31 13:19:50 raspberrypi3 systemd[1]: Starting Fail2Ban Service... Jan 31 13:19:50 raspberrypi3 systemd[1]: Started Fail2Ban Service. Jan 31 13:19:52 raspberrypi3 fail2ban-server[20878]: Server ready
tail- f /var/log/fail2ban.log bash: tail-: command not found root@raspberrypi3:/home/pi# tail -f /var/log/fail2ban.log 2024-01-31 13:19:52,130 fail2ban.jail [20878]: INFO Creating new jail 'sshd' 2024-01-31 13:19:52,318 fail2ban.jail [20878]: INFO Jail 'sshd' uses pyinotify {} 2024-01-31 13:19:52,341 fail2ban.jail [20878]: INFO Initiated 'pyinotify' backend 2024-01-31 13:19:52,360 fail2ban.filter [20878]: INFO maxLines: 1 2024-01-31 13:19:52,643 fail2ban.filter [20878]: INFO maxRetry: 5 2024-01-31 13:19:52,645 fail2ban.filter [20878]: INFO findtime: 600 2024-01-31 13:19:52,646 fail2ban.actions [20878]: INFO banTime: 600 2024-01-31 13:19:52,647 fail2ban.filter [20878]: INFO encoding: UTF-8 2024-01-31 13:19:52,651 fail2ban.filter [20878]: INFO Added logfile: '/var/log/auth.log' (pos = 0, hash = 6ab07ffed84cb62c8dcb4600d0b0630ab9c821f5) 2024-01-31 13:19:52,671 fail2ban.jail [20878]: INFO Jail 'sshd' started
Wird 6x hintereinander versucht eine ssh-Verbindung herzustellen, sperrt fail2ban den Zugang:
2024-01-31 13:41:52,082 fail2ban.filter [20878]: INFO [sshd] Found 192.168.178.36 - 2024-01-31 13:41:52 2024-01-31 13:41:59,197 fail2ban.filter [20878]: INFO [sshd] Found 192.168.178.36 - 2024-01-31 13:41:58 2024-01-31 13:42:02,555 fail2ban.filter [20878]: INFO [sshd] Found 192.168.178.36 - 2024-01-31 13:42:02 2024-01-31 13:42:07,367 fail2ban.filter [20878]: INFO [sshd] Found 192.168.178.36 - 2024-01-31 13:42:07 2024-01-31 13:42:11,476 fail2ban.filter [20878]: INFO [sshd] Found 192.168.178.36 - 2024-01-31 13:42:11 2024-01-31 13:42:12,249 fail2ban.actions [20878]: NOTICE [sshd] Ban 192.168.178.36
Nach 10 Minuten ist er wieder freigegeben:
2024-01-31 13:52:11,321 fail2ban.actions [20878]: NOTICE [sshd] Unban 192.168.178.36
ls -l /etc/fail2ban/ total 64 drwxr-xr-x 2 root root 4096 Jan 31 13:19 action.d -rw-r--r-- 1 root root 2816 Nov 23 2020 fail2ban.conf drwxr-xr-x 2 root root 4096 Jul 12 2021 fail2ban.d drwxr-xr-x 3 root root 4096 Jan 31 13:19 filter.d -rw-r--r-- 1 root root 24996 Nov 23 2020 jail.conf drwxr-xr-x 2 root root 4096 Jan 31 13:19 jail.d -rw-r--r-- 1 root root 645 Nov 23 2020 paths-arch.conf -rw-r--r-- 1 root root 2827 Nov 23 2020 paths-common.conf -rw-r--r-- 1 root root 573 Nov 23 2020 paths-debian.conf -rw-r--r-- 1 root root 738 Nov 23 2020 paths-opensuse.conf
In der Datei /etc/fail2ban/jail.conf steht im Abschnitt
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
Die habe ich zu Testzwecken auf 2 Minuten und 2 Einträge reduziert (für den Produktivbetrieb wieder anheben; die eigene Admin-Adresse lässt sich über ignoreip im Abschnitt [DEFAULT] vom Sperren ausnehmen, damit man sich beim Testen nicht selbst aussperrt).
In der Datei /etc/fail2ban/jail.conf stehen im Abschnitt
#
# JAILS
#
alle zu überwachenden Dienste.
Sie werden mit dem Zusatz: enabled = true und einem Dienstneustart aktiviert.
Jails anzeigen lassen:
root@raspberrypi3:/home/pi# fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
bzw. dann später:
root@raspberrypi3:/home/pi# fail2ban-client status Status |- Number of jail: 2 `- Jail list: apache-auth, sshd
genauer hingesehen:
root@raspberrypi3:/home/pi# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 0 |- Total banned: 1 `- Banned IP list:
die Ausgangskonfiguration kopieren (Hinweis: jail.local sollte idealerweise nur die eigenen Abweichungen enthalten, da jail.conf bei Paket-Updates überschrieben wird und jail.local dessen Werte ohnehin überschreibt)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Die Kopie anpassen. Also im Abschnitt JAILS die gewünschte Regel mit enabled = true aktivieren bzw. eine neue hinzufügen (enabled = true nicht in [DEFAULT] setzen, das würde alle Jails auf einmal aktivieren).
Im Verzeichnis /etc/fail2ban/filter.d/ dann die *.conf verändern oder falls noch nicht vorhanden, anlegen und anpassen.
Beispiel: Apache 404-Fehler:
nano /etc/fail2ban/jail.local
#
# JAILS
#
# neu hinzufügen
[apache404]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
dann eine neue Filterdatei anlegen (Achtung: das Muster `404*` in der failregex bedeutet „40“ gefolgt von beliebig vielen „4“ und trifft daher auch Zeilen, die an anderer Stelle „40“ enthalten, etwa 400er-Antworten oder passende Größenangaben; der Filter sollte vor dem Einsatz mit fail2ban-regex gegen das Access-Log geprüft werden, damit keine legitimen Clients gesperrt werden):
nano /etc/fail2ban/filter.d/apache404.conf
[Definition] failregex = ^<HOST> -.*"(GET|POST).*404*.*$ ignoreregex = datepattern = ^[^\[]*\[({DATE}) {^LN-BEG}
und fail2ban neustarten:
service fail2ban restart
Nun kann man über die Log-Files sehr schön den Verlauf bei einem fehlerhaften Zugriff beobachten:
service fail2ban status
root@raspberrypi3:/home/pi# service fail2ban status ● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2024-01-31 15:32:26 CET; 1h 1min ago Docs: man:fail2ban(1) Process: 23835 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 23836 (fail2ban-server) Tasks: 7 (limit: 1595) CPU: 5.115s CGroup: /system.slice/fail2ban.service └─23836 /usr/bin/python3 /usr/bin/fail2ban-server -xf start Jan 31 15:32:26 raspberrypi3 systemd[1]: Starting Fail2Ban Service... Jan 31 15:32:26 raspberrypi3 systemd[1]: Started Fail2Ban Service. Jan 31 15:32:27 raspberrypi3 fail2ban-server[23836]: Server ready
iptables -L
root@raspberrypi3:/home/pi# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination f2b-apache404 tcp -- anywhere anywhere multiport dports http,https Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-apache404 (1 references) target prot opt source destination RETURN all -- anywhere anywhere
fail2ban-client status apache404
root@raspberrypi3:/home/pi# fail2ban-client status apache404 Status for the jail: apache404 |- Filter | |- Currently failed: 1 | |- Total failed: 3 | `- File list: /var/log/apache2/access.log `- Actions |- Currently banned: 0 |- Total banned: 1 `- Banned IP list:
nun die Webseite nach fehlenden Seiten abfragen:
tail -f /var/log/fail2ban.log
2024-01-31 16:36:58,105 fail2ban.filter [23836]: INFO [apache404] Found 192.168.178.36 - 2024-01-31 16:36:58 2024-01-31 16:38:13,892 fail2ban.filter [23836]: INFO [apache404] Found 192.168.178.36 - 2024-01-31 16:38:13 2024-01-31 16:38:14,032 fail2ban.actions [23836]: NOTICE [apache404] Ban 192.168.178.36
fail2ban-client status apache404
root@raspberrypi3:/home/pi# fail2ban-client status apache404 Status for the jail: apache404 |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- File list: /var/log/apache2/access.log `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 192.168.178.36
iptables -L
root@raspberrypi3:/home/pi# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination f2b-apache404 tcp -- anywhere anywhere multiport dports http,https Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-apache404 (1 references) target prot opt source destination REJECT all -- DESKTOP-PQ44AIL.fritz.box anywhere reject-with icmp-port-unreachable RETURN all -- anywhere anywhere