fail2ban: Installation and configuration


Tags: fail2ban dnf nftables /etc/logrotate.d/fail2ban /etc/logrotate.d /var/log/sshd.log /etc/rsyslog.d/sshd.conf /etc/rsyslog.d /etc/tmpfiles.d/fail2ban.conf /etc/tmpfiles.d tmpfiles.d

Note: it is recommended to configure fail2ban together with the rsyslog logging system, because logs can be located in different places on different systems.

Installation

Fedora

dnf install fail2ban

Configuration

General

Layout of /etc/fail2ban (the relative file names in the sections below are under this directory)

.
├── action.d
│   └── nftables.conf
├── fail2ban.local
├── filter.d
│   └── sshd.conf
├── jail.d
│   └── sshd.local
└── jail.local

fail2ban.local

[Definition]
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
usedns = no

jail.local

[DEFAULT]
bantime = 1d
ignoreip = 127.0.0.0/8

action.d/nftables.conf

[Definition]
table = fail2ban
table_family = inet
addr_set = f2b-banned

actionstart = nft add table inet fail2ban
    nft -- add chain inet fail2ban f2b-chain \{ type filter hook input priority -1 \; \}
    nft add set inet fail2ban f2b-banned \{ type ipv4_addr \; \}
    nft add rule inet fail2ban f2b-chain ip saddr @f2b-banned reject
actionban = nft add element inet fail2ban f2b-banned \{ <ip> \}
actionunban = nft delete element inet fail2ban f2b-banned \{ <ip> \}
actionstop = nft delete table inet fail2ban

Note: this simplified action keeps a single shared set (f2b-banned) and does not use the name, port and protocol parameters that the jail passes to it, so a ban from any jail using this action rejects all inbound traffic from that address, and actionstop removes the whole table. The set is typed ipv4_addr and the filter below only matches <IP4>, so IPv6 sources are not covered.

filter.d/sshd.conf

[Definition]
failregex = .*Failed password for.*from <IP4> .*
    .*Invalid user .* from <IP4> .*

jail.d/sshd.local

[sshd]
enabled = true
port = 22
filter = sshd
action = nftables[name=sshd, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
findtime = 6h
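
To sanity-check the filter and the jail thresholds above before enabling the jail, here is an added Python example (not part of the original page or of fail2ban itself) that replays the two failregex lines and the maxretry/findtime rule over a few constructed syslog lines. It approximates fail2ban's <IP4> tag with a plain IPv4 group and assumes the year 2024 for the timestamps, which syslog does not record.

```python
import re
from datetime import datetime, timedelta

# failregex from filter.d/sshd.conf, with fail2ban's <IP4> tag replaced by a
# plain IPv4 capture group (simplified: octet ranges are not validated here).
IP4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = [
    re.compile(r".*Failed password for.*from " + IP4 + r" .*"),
    re.compile(r".*Invalid user .* from " + IP4 + r" .*"),
]
MAXRETRY = 3                    # maxretry = 3 in jail.d/sshd.local
FINDTIME = timedelta(hours=6)   # findtime = 6h in jail.d/sshd.local

# Constructed sample lines in rsyslog's default format (no year is logged,
# so 2024 is assumed when parsing).
SAMPLE_LOG = """\
Mar  3 03:00:00 host sshd[1001]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar  3 09:30:00 host sshd[1002]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar  3 10:00:01 host sshd[1003]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:05 host sshd[1004]: Invalid user admin from 203.0.113.7 port 51130
Mar  3 10:00:09 host sshd[1005]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:00 host sshd[1006]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:00 host sshd[1007]: Failed password for bob from 198.51.100.9 port 40003 ssh2
"""

def parse_line(line, year=2024):
    """Return (timestamp, ip) when a failregex matches the line, else None."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    for rx in FAILREGEX:
        m = rx.search(line)   # the leading .* in the filter absorbs the syslog prefix
        if m:                 # a line counts once even if both patterns match
            return ts, m.group("ip")
    return None

def would_ban(log, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail's rule: ban an IP when maxretry failures fall inside a
    sliding findtime window. Returns {ip: timestamp of the banning failure}."""
    recent = {}   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned.setdefault(ip, ts)   # keep the first ban time (bantime = 1d)
    return banned
```

With the sample above only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first failure falls outside the 6h window. On a real host the authoritative check is fail2ban-regex, e.g. fail2ban-regex /var/log/sshd.log /etc/fail2ban/filter.d/sshd.conf.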

/etc/rsyslog.d/sshd.conf

if $programname == 'sshd' then /var/log/sshd.log

Note: this rule writes sshd messages to /var/log/sshd.log, while the jail above reads /var/log/auth.log and the logrotate stanza below rotates auth.log. Set logpath to whichever file rsyslog actually writes on your system.

/etc/logrotate.d/fail2ban

/var/log/fail2ban.log {
    missingok
    notifempty
    postrotate
      /usr/bin/fail2ban-client flushlogs >/dev/null || true
    endscript
}

/var/log/auth.log {
    maxsize 100M
    rotate 10
    missingok
    notifempty
    compress
}

/etc/tmpfiles.d/fail2ban.conf

d /run/fail2ban 0755 root root -
f /var/log/fail2ban.log 0644 root root -

Start

systemd-tmpfiles --create
systemctl enable fail2ban
systemctl start fail2ban

Check that the nftables rules have been created

nft list ruleset

The output should look roughly like this

table inet fail2ban {
        set f2b-banned {
                type ipv4_addr
        }

        chain f2b-chain {
                type filter hook input priority filter - 1; policy accept;
                ip saddr @f2b-banned reject with icmp port-unreachable
        }
}

View the results

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 10
|  |- Total failed:     224
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 72
   |- Total banned:     72
   `- Banned IP list:   122.117.171.161 128.199.149.180 ...